berbew | 008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Size

163KB
MD5

e5b48aefaaa37cc4ddde5a81ef2a5ee0
SHA1

082a6e6e81c8c7ac93e3940d63fe6d678069092b
SHA256

008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59
SHA512

4fca3b4113af6a8efac7273d620767a83ecc707e5a2792ed477014a8d40dc229e310e16427e0055f653f306694edbaff8b28078d1afd45cb185afd28592b017a
SSDEEP

1536:PloajZNWMH3LfrSLrFm45qsTQLlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:D7WMH3TIY49ELltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kffpcilf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdbkbpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdnffpif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kffpcilf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjjdjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgjman32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfccmini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofnbk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgoohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgnflmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjjdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgmbbkij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmdbkbpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbajci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledpjdid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lanmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgnflmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjdiigbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Looahi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lanmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpegka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjfbikh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knhoig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legmpdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgmbbkij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfccmini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojhmjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legmpdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgoohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jekaeb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjfbikh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledpjdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnaihhgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdiigbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljolodf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnaihhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbajci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojhmjag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpegka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpdoffo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 28 IoCs

pid	Process
2328	Jnaihhgf.exe
1624	Jekaeb32.exe
2808	Jgjman32.exe
2828	Jjjfbikh.exe
1748	Jgnflmia.exe
2604	Knhoig32.exe
2248	Kmkodd32.exe
2000	Kfccmini.exe
1316	Kffpcilf.exe
2040	Kakdpb32.exe
3032	Kjdiigbm.exe
2932	Kpqaanqd.exe
2388	Kmdbkbpn.exe
868	Kofnbk32.exe
2432	Kbajci32.exe
2152	Lljolodf.exe
2064	Lojhmjag.exe
2484	Ledpjdid.exe
264	Lmpdoffo.exe
1260	Legmpdga.exe
2032	Looahi32.exe
2080	Lanmde32.exe
1780	Mapjjdjb.exe
788	Mdnffpif.exe
1564	Mgmbbkij.exe
2860	Mpegka32.exe
2972	Mgoohk32.exe
2616	Mllhpb32.exe

Loads dropped DLL 56 IoCs

pid	Process
2532	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
2532	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
2328	Jnaihhgf.exe
2328	Jnaihhgf.exe
1624	Jekaeb32.exe
1624	Jekaeb32.exe
2808	Jgjman32.exe
2808	Jgjman32.exe
2828	Jjjfbikh.exe
2828	Jjjfbikh.exe
1748	Jgnflmia.exe
1748	Jgnflmia.exe
2604	Knhoig32.exe
2604	Knhoig32.exe
2248	Kmkodd32.exe
2248	Kmkodd32.exe
2000	Kfccmini.exe
2000	Kfccmini.exe
1316	Kffpcilf.exe
1316	Kffpcilf.exe
2040	Kakdpb32.exe
2040	Kakdpb32.exe
3032	Kjdiigbm.exe
3032	Kjdiigbm.exe
2932	Kpqaanqd.exe
2932	Kpqaanqd.exe
2388	Kmdbkbpn.exe
2388	Kmdbkbpn.exe
868	Kofnbk32.exe
868	Kofnbk32.exe
2432	Kbajci32.exe
2432	Kbajci32.exe
2152	Lljolodf.exe
2152	Lljolodf.exe
2064	Lojhmjag.exe
2064	Lojhmjag.exe
2484	Ledpjdid.exe
2484	Ledpjdid.exe
264	Lmpdoffo.exe
264	Lmpdoffo.exe
1260	Legmpdga.exe
1260	Legmpdga.exe
2032	Looahi32.exe
2032	Looahi32.exe
2080	Lanmde32.exe
2080	Lanmde32.exe
1780	Mapjjdjb.exe
1780	Mapjjdjb.exe
788	Mdnffpif.exe
788	Mdnffpif.exe
1564	Mgmbbkij.exe
1564	Mgmbbkij.exe
2860	Mpegka32.exe
2860	Mpegka32.exe
2972	Mgoohk32.exe
2972	Mgoohk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Knhoig32.exe	Jgnflmia.exe
File created	C:\Windows\SysWOW64\Mpfogm32.dll	Kpqaanqd.exe
File created	C:\Windows\SysWOW64\Gpejff32.dll	Kmdbkbpn.exe
File created	C:\Windows\SysWOW64\Lihkjgpf.dll	Jgjman32.exe
File created	C:\Windows\SysWOW64\Lebbii32.dll	Kakdpb32.exe
File created	C:\Windows\SysWOW64\Cmgpnn32.dll	Kbajci32.exe
File created	C:\Windows\SysWOW64\Idmkjp32.dll	Lljolodf.exe
File created	C:\Windows\SysWOW64\Legmpdga.exe	Lmpdoffo.exe
File created	C:\Windows\SysWOW64\Mpegka32.exe	Mgmbbkij.exe
File opened for modification	C:\Windows\SysWOW64\Mpegka32.exe	Mgmbbkij.exe
File created	C:\Windows\SysWOW64\Mllhpb32.exe	Mgoohk32.exe
File created	C:\Windows\SysWOW64\Kffpcilf.exe	Kfccmini.exe
File opened for modification	C:\Windows\SysWOW64\Kmdbkbpn.exe	Kpqaanqd.exe
File opened for modification	C:\Windows\SysWOW64\Kofnbk32.exe	Kmdbkbpn.exe
File opened for modification	C:\Windows\SysWOW64\Kbajci32.exe	Kofnbk32.exe
File opened for modification	C:\Windows\SysWOW64\Lanmde32.exe	Looahi32.exe
File created	C:\Windows\SysWOW64\Hfnknmgo.dll	Mgmbbkij.exe
File opened for modification	C:\Windows\SysWOW64\Kffpcilf.exe	Kfccmini.exe
File created	C:\Windows\SysWOW64\Kjdiigbm.exe	Kakdpb32.exe
File opened for modification	C:\Windows\SysWOW64\Lmpdoffo.exe	Ledpjdid.exe
File opened for modification	C:\Windows\SysWOW64\Legmpdga.exe	Lmpdoffo.exe
File created	C:\Windows\SysWOW64\Oodcogfd.dll	Lmpdoffo.exe
File created	C:\Windows\SysWOW64\Looahi32.exe	Legmpdga.exe
File created	C:\Windows\SysWOW64\Lanmde32.exe	Looahi32.exe
File created	C:\Windows\SysWOW64\Mapjjdjb.exe	Lanmde32.exe
File opened for modification	C:\Windows\SysWOW64\Mgoohk32.exe	Mpegka32.exe
File created	C:\Windows\SysWOW64\Kfccmini.exe	Kmkodd32.exe
File opened for modification	C:\Windows\SysWOW64\Kjdiigbm.exe	Kakdpb32.exe
File opened for modification	C:\Windows\SysWOW64\Looahi32.exe	Legmpdga.exe
File created	C:\Windows\SysWOW64\Hfcncl32.dll	Lanmde32.exe
File created	C:\Windows\SysWOW64\Mgoohk32.exe	Mpegka32.exe
File opened for modification	C:\Windows\SysWOW64\Mllhpb32.exe	Mgoohk32.exe
File created	C:\Windows\SysWOW64\Hjegbfin.dll	Jekaeb32.exe
File created	C:\Windows\SysWOW64\Jjjfbikh.exe	Jgjman32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkodd32.exe	Knhoig32.exe
File opened for modification	C:\Windows\SysWOW64\Knhoig32.exe	Jgnflmia.exe
File created	C:\Windows\SysWOW64\Ljaplc32.dll	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Hialpf32.dll	Mdnffpif.exe
File created	C:\Windows\SysWOW64\Kmkodd32.exe	Knhoig32.exe
File created	C:\Windows\SysWOW64\Ledpjdid.exe	Lojhmjag.exe
File created	C:\Windows\SysWOW64\Kkadkelj.dll	Ledpjdid.exe
File created	C:\Windows\SysWOW64\Mdnffpif.exe	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Jekaeb32.exe	Jnaihhgf.exe
File created	C:\Windows\SysWOW64\Kmdbkbpn.exe	Kpqaanqd.exe
File opened for modification	C:\Windows\SysWOW64\Lljolodf.exe	Kbajci32.exe
File opened for modification	C:\Windows\SysWOW64\Mdnffpif.exe	Mapjjdjb.exe
File created	C:\Windows\SysWOW64\Jgjman32.exe	Jekaeb32.exe
File created	C:\Windows\SysWOW64\Jgnflmia.exe	Jjjfbikh.exe
File opened for modification	C:\Windows\SysWOW64\Kfccmini.exe	Kmkodd32.exe
File created	C:\Windows\SysWOW64\Eagenl32.dll	Kmkodd32.exe
File created	C:\Windows\SysWOW64\Kofnbk32.exe	Kmdbkbpn.exe
File created	C:\Windows\SysWOW64\Kbajci32.exe	Kofnbk32.exe
File opened for modification	C:\Windows\SysWOW64\Mapjjdjb.exe	Lanmde32.exe
File opened for modification	C:\Windows\SysWOW64\Mgmbbkij.exe	Mdnffpif.exe
File created	C:\Windows\SysWOW64\Lmifml32.dll	Jjjfbikh.exe
File created	C:\Windows\SysWOW64\Klkegf32.dll	Jgnflmia.exe
File created	C:\Windows\SysWOW64\Mfglbp32.dll	Knhoig32.exe
File opened for modification	C:\Windows\SysWOW64\Kakdpb32.exe	Kffpcilf.exe
File created	C:\Windows\SysWOW64\Ajnncp32.dll	Kffpcilf.exe
File created	C:\Windows\SysWOW64\Kpqaanqd.exe	Kjdiigbm.exe
File opened for modification	C:\Windows\SysWOW64\Jnaihhgf.exe	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
File created	C:\Windows\SysWOW64\Fcnmploa.dll	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
File opened for modification	C:\Windows\SysWOW64\Jekaeb32.exe	Jnaihhgf.exe
File created	C:\Windows\SysWOW64\Gkemcm32.dll	Jnaihhgf.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfccmini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofnbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjjdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knhoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjdiigbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgoohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnaihhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojhmjag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kffpcilf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjfbikh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljolodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjman32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkodd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqaanqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledpjdid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legmpdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Looahi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnffpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgmbbkij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdbkbpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpdoffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpegka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgnflmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbajci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekaeb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgpnn32.dll"	Kbajci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledpjdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnede32.dll"	Looahi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgnflmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knhoig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfccmini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmkjp32.dll"	Lljolodf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojhmjag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfljg32.dll"	Mpegka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebbii32.dll"	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kofnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lanmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mapjjdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjfbikh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgnflmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfglbp32.dll"	Knhoig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbajci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Looahi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgmbbkij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgoohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfogm32.dll"	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Legmpdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpegka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbqmd32.dll"	Mgoohk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnaihhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfccmini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjdiigbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kofnbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaiefep.dll"	Legmpdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kffpcilf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jekaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihkjgpf.dll"	Jgjman32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjjfbikh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagenl32.dll"	Kmkodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmdbkbpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkadkelj.dll"	Ledpjdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnmploa.dll"	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkemcm32.dll"	Jnaihhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcncl32.dll"	Lanmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmifml32.dll"	Jjjfbikh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnncp32.dll"	Kffpcilf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjdiigbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Legmpdga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lanmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapjjdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnaihhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jekaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hialpf32.dll"	Mdnffpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledpjdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpdoffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Looahi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2328	2532	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe	29
PID 2532 wrote to memory of 2328	2532	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe	29
PID 2532 wrote to memory of 2328	2532	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe	29
PID 2532 wrote to memory of 2328	2532	008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe	29
PID 2328 wrote to memory of 1624	2328	Jnaihhgf.exe	30
PID 2328 wrote to memory of 1624	2328	Jnaihhgf.exe	30
PID 2328 wrote to memory of 1624	2328	Jnaihhgf.exe	30
PID 2328 wrote to memory of 1624	2328	Jnaihhgf.exe	30
PID 1624 wrote to memory of 2808	1624	Jekaeb32.exe	31
PID 1624 wrote to memory of 2808	1624	Jekaeb32.exe	31
PID 1624 wrote to memory of 2808	1624	Jekaeb32.exe	31
PID 1624 wrote to memory of 2808	1624	Jekaeb32.exe	31
PID 2808 wrote to memory of 2828	2808	Jgjman32.exe	32
PID 2808 wrote to memory of 2828	2808	Jgjman32.exe	32
PID 2808 wrote to memory of 2828	2808	Jgjman32.exe	32
PID 2808 wrote to memory of 2828	2808	Jgjman32.exe	32
PID 2828 wrote to memory of 1748	2828	Jjjfbikh.exe	33
PID 2828 wrote to memory of 1748	2828	Jjjfbikh.exe	33
PID 2828 wrote to memory of 1748	2828	Jjjfbikh.exe	33
PID 2828 wrote to memory of 1748	2828	Jjjfbikh.exe	33
PID 1748 wrote to memory of 2604	1748	Jgnflmia.exe	34
PID 1748 wrote to memory of 2604	1748	Jgnflmia.exe	34
PID 1748 wrote to memory of 2604	1748	Jgnflmia.exe	34
PID 1748 wrote to memory of 2604	1748	Jgnflmia.exe	34
PID 2604 wrote to memory of 2248	2604	Knhoig32.exe	35
PID 2604 wrote to memory of 2248	2604	Knhoig32.exe	35
PID 2604 wrote to memory of 2248	2604	Knhoig32.exe	35
PID 2604 wrote to memory of 2248	2604	Knhoig32.exe	35
PID 2248 wrote to memory of 2000	2248	Kmkodd32.exe	36
PID 2248 wrote to memory of 2000	2248	Kmkodd32.exe	36
PID 2248 wrote to memory of 2000	2248	Kmkodd32.exe	36
PID 2248 wrote to memory of 2000	2248	Kmkodd32.exe	36
PID 2000 wrote to memory of 1316	2000	Kfccmini.exe	37
PID 2000 wrote to memory of 1316	2000	Kfccmini.exe	37
PID 2000 wrote to memory of 1316	2000	Kfccmini.exe	37
PID 2000 wrote to memory of 1316	2000	Kfccmini.exe	37
PID 1316 wrote to memory of 2040	1316	Kffpcilf.exe	38
PID 1316 wrote to memory of 2040	1316	Kffpcilf.exe	38
PID 1316 wrote to memory of 2040	1316	Kffpcilf.exe	38
PID 1316 wrote to memory of 2040	1316	Kffpcilf.exe	38
PID 2040 wrote to memory of 3032	2040	Kakdpb32.exe	39
PID 2040 wrote to memory of 3032	2040	Kakdpb32.exe	39
PID 2040 wrote to memory of 3032	2040	Kakdpb32.exe	39
PID 2040 wrote to memory of 3032	2040	Kakdpb32.exe	39
PID 3032 wrote to memory of 2932	3032	Kjdiigbm.exe	40
PID 3032 wrote to memory of 2932	3032	Kjdiigbm.exe	40
PID 3032 wrote to memory of 2932	3032	Kjdiigbm.exe	40
PID 3032 wrote to memory of 2932	3032	Kjdiigbm.exe	40
PID 2932 wrote to memory of 2388	2932	Kpqaanqd.exe	41
PID 2932 wrote to memory of 2388	2932	Kpqaanqd.exe	41
PID 2932 wrote to memory of 2388	2932	Kpqaanqd.exe	41
PID 2932 wrote to memory of 2388	2932	Kpqaanqd.exe	41
PID 2388 wrote to memory of 868	2388	Kmdbkbpn.exe	42
PID 2388 wrote to memory of 868	2388	Kmdbkbpn.exe	42
PID 2388 wrote to memory of 868	2388	Kmdbkbpn.exe	42
PID 2388 wrote to memory of 868	2388	Kmdbkbpn.exe	42
PID 868 wrote to memory of 2432	868	Kofnbk32.exe	43
PID 868 wrote to memory of 2432	868	Kofnbk32.exe	43
PID 868 wrote to memory of 2432	868	Kofnbk32.exe	43
PID 868 wrote to memory of 2432	868	Kofnbk32.exe	43
PID 2432 wrote to memory of 2152	2432	Kbajci32.exe	44
PID 2432 wrote to memory of 2152	2432	Kbajci32.exe	44
PID 2432 wrote to memory of 2152	2432	Kbajci32.exe	44
PID 2432 wrote to memory of 2152	2432	Kbajci32.exe	44

C:\Users\Admin\AppData\Local\Temp\008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe
"C:\Users\Admin\AppData\Local\Temp\008825f291d0f4625a705ffc4f110849148adab12f01689e70a79a1fe1c6ad59N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\Jnaihhgf.exe
  C:\Windows\system32\Jnaihhgf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\Jekaeb32.exe
    C:\Windows\system32\Jekaeb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\Jgjman32.exe
      C:\Windows\system32\Jgjman32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Jjjfbikh.exe
        
        C:\Windows\system32\Jjjfbikh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Jgnflmia.exe
        
        C:\Windows\system32\Jgnflmia.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Knhoig32.exe
        
        C:\Windows\system32\Knhoig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Kmkodd32.exe
        
        C:\Windows\system32\Kmkodd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Kfccmini.exe
        
        C:\Windows\system32\Kfccmini.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Kffpcilf.exe
        
        C:\Windows\system32\Kffpcilf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Kakdpb32.exe
        
        C:\Windows\system32\Kakdpb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kjdiigbm.exe
        
        C:\Windows\system32\Kjdiigbm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Kpqaanqd.exe
        
        C:\Windows\system32\Kpqaanqd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Kmdbkbpn.exe
        
        C:\Windows\system32\Kmdbkbpn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Kofnbk32.exe
        
        C:\Windows\system32\Kofnbk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Kbajci32.exe
        
        C:\Windows\system32\Kbajci32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Lljolodf.exe
        
        C:\Windows\system32\Lljolodf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Lojhmjag.exe
        
        C:\Windows\system32\Lojhmjag.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ledpjdid.exe
        
        C:\Windows\system32\Ledpjdid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Lmpdoffo.exe
        
        C:\Windows\system32\Lmpdoffo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Legmpdga.exe
        
        C:\Windows\system32\Legmpdga.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Looahi32.exe
        
        C:\Windows\system32\Looahi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Lanmde32.exe
        
        C:\Windows\system32\Lanmde32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Mapjjdjb.exe
        
        C:\Windows\system32\Mapjjdjb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Mdnffpif.exe
        
        C:\Windows\system32\Mdnffpif.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Mgmbbkij.exe
        
        C:\Windows\system32\Mgmbbkij.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mpegka32.exe
        
        C:\Windows\system32\Mpegka32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Mgoohk32.exe
        
        C:\Windows\system32\Mgoohk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jnaihhgf.exe

Filesize
163KB

MD5
1def4a33e1d82baef95cf9f0e9764da3

SHA1
ec8f1f63c6ed33b62a17c29d5608620efe6db7e8

SHA256
b0c13e8d8c6c69dc7b4f243b3f4062657809d990ec70c7ff2d1fbe46a46b1646

SHA512
a992836e9f95e22647002c9f2fd69b4e1599ca2abc67a00ef6b1c2b98fade09d0191edf6e77ab493d1057415055dc93ecb46a3c6abcaa6a2726bb17912c7296a

Download Submit
C:\Windows\SysWOW64\Kfccmini.exe

Filesize
163KB

MD5
b32a8330febf9502d69358dc9c6e312c

SHA1
4f5ae8e994818bae27e915a32cb4ca006ac5c95d

SHA256
d235fda0eaed0da0de258ae907dc59bd0e85522bbba65daece29c1e4de027384

SHA512
93dda09abc88af364f0787bdb357bac5ec760968385b1d32430113d336e63ac7e2cb0fc997b916684c99d6f7d4388a548c8dc5ca47ee434c03d530f16c25b60b

Download Submit
C:\Windows\SysWOW64\Kpqaanqd.exe

Filesize
163KB

MD5
833c1cf797d04faa5e71fde4bc02e893

SHA1
a612d0c24a94a940285ba68b4ad512bcda408f1c

SHA256
e62a8243f0038171a8d8063cded5a4dda4c815dd17796063c4d1e53fd6b90740

SHA512
3b8f95aec0a8d6a98e481a0418047db953ecd2c910acdba21c0ee42b6295f4536ef0c72c556602fdbe9b8d0edc51285809a161d5e57ce2cd43e0aa1eeced9b69

Download Submit
C:\Windows\SysWOW64\Lanmde32.exe

Filesize
163KB

MD5
3129349d0ffb39c901d47f5c678ed109

SHA1
f7e2b3f92a683fc5b03ea3a4ad7fbeb0abdd797f

SHA256
4a06447afa3bba52ac5d38db67287de8733929372d9da7c17b9c3f054b2ae2c7

SHA512
d3eb65bd786f872bde581d756dfc4fd4035e2494afa0476fddac87326e4ae5a0770317effb7fa58551ec51ca544a3fba1f5557f60134161d06149b894030f0f4

Download Submit
C:\Windows\SysWOW64\Ledpjdid.exe

Filesize
163KB

MD5
d95c184c4c8493c854221090d3119fe2

SHA1
63fddedf1188d35d16e8295514aa42998142b0ea

SHA256
5d243aec1e82b0d5a8922dbbdfdc634f6a9e0e700c0195c023255b06b1eb7dba

SHA512
5486e3223ca4f327375239b330fef0146409dece05a96bd20bbd42f668f9f18c6309ed6e1b454e7190abf3dc6e8e512761888ce9feed7aaf3718728f3f755f5d

Download Submit
C:\Windows\SysWOW64\Legmpdga.exe

Filesize
163KB

MD5
7173f94044f61e52473a1a46b3c5b44d

SHA1
112928c8122c073294dc33e7b78b4cb8537d8b4b

SHA256
001e272229d5c392fd09962dd2d13f28223eaa47ccf04ab2d786c69fa2631323

SHA512
f64d60e156f835d0076a3d224c064af81c76e3f7fe76f801eee87599f04d6adff726cb7888ffd63f0335c91b121ee06c58d151b9c8d53a021f16b06a5d5a4e81

Download Submit
C:\Windows\SysWOW64\Lljolodf.exe

Filesize
163KB

MD5
0b2b25ca3ff3b7e69bf736d71ff301bc

SHA1
7eae1af133ca1a8b3e57730c5b273ab7c6c598d2

SHA256
cec9c15a92f5e3e33d72ba901c1ce53bbd4c9675d682732818185ef6c529306d

SHA512
0af50d535c57deef6cdb3bca739b53a8684687ff785da86db4a8c282498a7182095d458e6db771907504ac22c449e7b37b2ee4be3719886a109a63f651d31a5f

Download Submit
C:\Windows\SysWOW64\Lmpdoffo.exe

Filesize
163KB

MD5
c567728caa6bc05e28e96a66a2b6d40f

SHA1
1c6c20c49fd9ab183fd0983871034f08b82846e2

SHA256
60c5b551b3ee1e2bebbb65c2232cd81769a182e0ec235fe64a182ec66bf505c7

SHA512
48eb62b50b83421ea0a896f0089f7391c6a88facff906328cadc36971f46110951b6f68e26dc6188dbcf1fd763687a10ef629f92afd97c225d285b538e597eec

Download Submit
C:\Windows\SysWOW64\Lojhmjag.exe

Filesize
163KB

MD5
4a7c34be856bb6e356f72e0abc52aaba

SHA1
f5b59778a09896eb99a961963f7108341d3b719e

SHA256
bef0de5e3b2a976cbbdad17579ee7860e43db0d083b199bfd5ef7166827412e2

SHA512
ebe9ccb36a113c76c2b0763bb569412a5615f773e3a21972b11c5c4ba2c266af28b59c7fc638d55d6a784dd5c4fe99c6a13cd28c921bf5d6b54252b01cb6a1c7

Download Submit
C:\Windows\SysWOW64\Looahi32.exe

Filesize
163KB

MD5
e53c9ad208248030e0699ad6b178d60c

SHA1
1f1f806c31a170490fb7835b79bc7ebcc96cc941

SHA256
d95477221bcabad00bf2290430e2cd9848937f4e008b3c30e28f11c7bc39979c

SHA512
a672f5abc0e89c2e8495a8bc3f9cf3ba94238dbc1e4b4aa913e4e876ff474fb77cda5d0852724629156f21e6b87ab6468862adb692a88a7fda2af5a41eec3a3d

Download Submit
C:\Windows\SysWOW64\Mapjjdjb.exe

Filesize
163KB

MD5
fb745bb5864ab273d753364690914c61

SHA1
e060e23fedda9f6db16cf8176092fdd3df76a8ca

SHA256
0c184125eb37b11231ecd6f33d9ef182dcb2dc7c02a90e7b1268ae9d690f531c

SHA512
7bb26b2f66c0ff7dfbc168b04e59736fc3581a384aa18195dbc760b3d93ff99707165beaabab43914c743b041b3d78737e9b5404808539212df903f9728c6a61

Download Submit
C:\Windows\SysWOW64\Mdnffpif.exe

Filesize
163KB

MD5
375c9ff96d06ce172be52df99b228eb2

SHA1
f0c1aed35780ca2ec4f4d02bd130932fafc6fa86

SHA256
4b60abdcc90fda6e995aebef0d39c9124e80a2472be8ee38f50339b677af845a

SHA512
3696a3c797416d2bd1c76934116dee976d0f7a1eb364ae2ad8dc1ea00e2e9c8342ff004231e327860357032ef99e5b0fa47c81226ae529eb9e26098346b4e859

Download Submit
C:\Windows\SysWOW64\Mgmbbkij.exe

Filesize
163KB

MD5
d4cca7de694ff7a714a76db11c202389

SHA1
61b449e87770a62be414c5197573f4a0bdf3db6f

SHA256
4335b63e31dea45398aa0021fb60d73ea49b65dd45a406c1f6d660b36750dd60

SHA512
7464acc3104dde16d6bacc504d5646029cd7e0563654e499f39fec922df7835859fa2d8e5bb7c88262377a72c690d7494af85e7c008a157ed457dc58e89223cb

Download Submit
C:\Windows\SysWOW64\Mgoohk32.exe

Filesize
163KB

MD5
3f4fcc76f69261f082121bdb760bf2a5

SHA1
00c3c1224d169524e4c6d09c33a15f993e62a3de

SHA256
6092091819322c64d2ad6cf957dacf4ae6b55ce2a1786d70f0ca37aaa41248b8

SHA512
42db25c98b14977cde64917df3c2bd1ee28d173d114a36d277ea2291dea23e088da8d6f1646e2e0d540470ddb13f8d1976c2139a98ee9ff468c0ebc2d9d3888e

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
163KB

MD5
91dbb4960667197b4a533f20156227d0

SHA1
493d371b6c44200425dcd91f2d5428516d58e7e4

SHA256
a1289a70b24a2ff32893c01d65d52c32faa784637e79c16d2a4e78ee2ca696d4

SHA512
57b94c9b5441f93f563c7d0e0fde98979e1ac944cf9afe5d1719a860738ec3e67a5eef614def2787f1482f1f7de67fb2e846607c79d6449a349ace0f9c25eab0

Download Submit
C:\Windows\SysWOW64\Mpegka32.exe

Filesize
163KB

MD5
7acc26f4fc2ddf4307a6e533c68550a4

SHA1
9934c0035e6c48e5eb3edab6b58d5a63b457cdcb

SHA256
31b63889182dd2a36d53ae178cc1adc8d81abc77c724acd308bfcf12ef9fc602

SHA512
06c9a87d04547b7d634316422908b4e6eac43b20a08656a398a9b192b90869e0b224fc3a19bff49aa73d4c929a252c6db232173aa02645a0ecc0120ac9754c0d

Download Submit
\Windows\SysWOW64\Jekaeb32.exe

Filesize
163KB

MD5
c54d8bc9e75771a0abeca7c632551bc0

SHA1
aa76f368c648b41c81e6d4bb067dc91caffcb6c2

SHA256
dcd5cf48f5a9e03fa9af789c07a14f5c6a6f1f09e792ea9ee91ae2c053fc0b3f

SHA512
786b1a6ed05a9fb51294f5275d72f7edb99bee3e494c95153d6d23fc670be0f6e79cea487dc521239d9aa295ef4809f79e1f9e7a734a738f6fb4bb8e2295ba87

Download Submit
\Windows\SysWOW64\Jgjman32.exe

Filesize
163KB

MD5
02afc9c123a3bcba56f4c081cb0ec73f

SHA1
ce75dfd96991c75be53a2aeaacb2dcc835cc5131

SHA256
2d0c70c6efc417e7e764cc36d279285ec6d7e297e9989b9074f85fd08a9a4669

SHA512
55edfe9786caf5e82e593f11ea08ee410e21a9ea07d9ba5a8a9684b6e24bbee8d655e0e0d87505c83bfe69c82e98862ccadf5f4c797f1294c7d9424d7319efea

Download Submit
\Windows\SysWOW64\Jgnflmia.exe

Filesize
163KB

MD5
69201b356de09ef359738d671c7a021c

SHA1
e171df49bc20ce8c4b2f634873a16b1c1c359618

SHA256
8d75a36eae94744ddb06281bbf827e5313cf569914107a26cd100dadb6b0c6bf

SHA512
ff1acc214c58b9c224e0ce05968ca910036434a2aba93329a40fd24ecd8de2330528d2873220eebd7725e66e53d79a0c7e05fa96365c4a9d687fc5d82e641bc8

Download Submit
\Windows\SysWOW64\Jjjfbikh.exe

Filesize
163KB

MD5
d7893ac3d9e77fdc82f698889142b51f

SHA1
6cc4e50e5a7639694848c0f71a46e175b0573687

SHA256
09ebacddfb5f6739cdfb2a7644495c80d34ee3485732aecc678d73bfca0c1597

SHA512
b49e25b6d6d78ed4da5c9d23d5b7a7e55150c0d42a0a6f9bb00c04f398883ed4b2207238a2ded3a2e3f2d5eee91f48399d23c586a4017ce07af8b4d5ccdd80a0

Download Submit
\Windows\SysWOW64\Kakdpb32.exe

Filesize
163KB

MD5
73d551123f2997161fe36e189f489887

SHA1
7d5d4e5b63a6fbb43315bcf2f9d1a59832d0c236

SHA256
52d6bf14f100a2c8ad9cf9e25aafaf6f3ec6256d89db6241cce058caec5636de

SHA512
41c32c7c04e6db3db3c3f7f2f3df94f744f5028a133d448471c50e614cd8d15a60414bff627db02f906c4125232162357fc0bc0545cb9e72a69280a379a1e088

Download Submit
\Windows\SysWOW64\Kbajci32.exe

Filesize
163KB

MD5
94223c913f815998094bd7c60125daca

SHA1
471843e641cdeafe25374cfeec0dda376936e1b1

SHA256
55c961c2313c11f9e24eb232526b8541520103bf204f42e821df453a4d437616

SHA512
74b2dc4e3e4d8a9750e238388805f4b40714b581c55d99d121f19ec8fa444ab8957a5cd9259dd2b700fd055a3252ecd84e7acc8e797ef42efd4b1ade663b64f5

Download Submit
\Windows\SysWOW64\Kffpcilf.exe

Filesize
163KB

MD5
c1d5344459c5d2d9a3de44f411d9a568

SHA1
35c752c3cab20d92cf658226dc01e807b4421ab4

SHA256
c2470c9220f445f2f72da4b5956da4d1e508c4f81e657e7b280eba8f58b63e8b

SHA512
12ffd0a2a61123edbca845d79972b51d3d2a1fa3ca314b017ce3403dc6b24643cafbe4994f17c33aca9b1096e6b024127904554c97421e51e7a589d6cdef7925

Download Submit
\Windows\SysWOW64\Kjdiigbm.exe

Filesize
163KB

MD5
13e9d1443228aed6683e5887ea959d54

SHA1
6ec76c2338cb8a425d1b3bcdb306571319962ae7

SHA256
bb90d4ccb58e76b45833a6d6bdb236a22e5da83bb9e87cd44a47db7b82822949

SHA512
bc1481157bb53c7b6aa519c84307cb9acb8cfd7294d8fa041fc7a25ceb46c6ab3fc2e7f32cd8f334d8bb1fd84a599a33d6cbf7182ad07cb95fee10baf1f803da

Download Submit
\Windows\SysWOW64\Kmdbkbpn.exe

Filesize
163KB

MD5
7e7af6579d7ca8e063268638ae14090d

SHA1
649f24a393820aba38c86104be092d00154d4663

SHA256
f56f313f196989764e8b849db7865e48b63400b6282a33f302964b3ccd1b937f

SHA512
fb2b9781cdb8d3f1585ceaecfb0629acece157ea1a313fdc5f6a10bc601e9c2930d23642fe97348d8a1d11f915afbe01470c77909d1071c34832bc5bfd7ff68d

Download Submit
\Windows\SysWOW64\Kmkodd32.exe

Filesize
163KB

MD5
5612832bee314b051e19e4d2ab14f309

SHA1
d421b7456a5842359a90aca8632cd6f72f8fa123

SHA256
9d7a53b6b7968398152dc6a2f7c9073f0b88da11e6017757074d7162cf6e8bdb

SHA512
d669912b7e708232499f67b4396269d8a23e8736bf9513ef40019a48904350f7f270ce4d8a0bcbd4d1519f31a6a0812b60b4ad9b8da03f10fa3bf8248be6dd9a

Download Submit
\Windows\SysWOW64\Knhoig32.exe

Filesize
163KB

MD5
93b74495b6c88e4c779b7440bafda6b6

SHA1
9764ca1ed089ca0a6ccff76843b9e88c987a068a

SHA256
023a20eef5f6410d5f56bc3f856eef7750816f1461556c2b7dd31727e36e0215

SHA512
b62f6dd1cfb83bf9095cbff001955426bf04196e4b56b0a8244d7e9ad489917e248361d3eaea46a563a6e7e24da6ecccbdae41d87a6bab676ebd39e09867e4fd

Download Submit
\Windows\SysWOW64\Kofnbk32.exe

Filesize
163KB

MD5
49ca58be938e47188fa159c4d3b149df

SHA1
28cffd6cc3cfd9a20cceb3517ef4d4547b56a247

SHA256
35af401c2780215d57c397d5e73166083082922157a8b63248acea4606d8ea87

SHA512
6283c0229d8b5cc5fcbba7b59927ec42d8639f0b4ac7b161c7e96ad334d882e476291761c33e008a60f95f5cc0c18bf01e7e43ce764a4d87c88b62c67dff16b6

Download Submit
memory/264-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/264-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/264-258-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/264-257-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/788-303-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/788-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/788-313-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/788-312-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/788-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-199-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/868-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-381-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-198-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/868-186-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1260-259-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1260-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1260-269-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1260-265-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1316-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1316-124-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1564-327-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1624-34-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1624-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1748-78-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1748-392-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1748-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-296-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-301-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1780-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-302-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1780-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-114-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2000-386-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-384-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2000-106-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-280-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2032-276-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2032-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-141-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2040-146-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2040-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2064-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2064-236-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2064-237-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2064-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-287-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2080-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-291-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2152-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-228-0x0000000002010000-0x0000000002063000-memory.dmp

Filesize
332KB

Download
memory/2152-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-222-0x0000000002010000-0x0000000002063000-memory.dmp

Filesize
332KB

Download
memory/2248-104-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2248-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-380-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-213-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/2432-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-206-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2484-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2484-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2484-246-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2484-247-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2532-23-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2532-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2532-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2604-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2604-91-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2604-391-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2808-49-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2808-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-60-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2828-397-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2828-394-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-333-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2860-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2860-334-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2932-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2932-168-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2932-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2932-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-344-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2972-349-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-345-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2972-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2972-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads