berbew | f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Size

96KB
MD5

ead045c20bb631a6fee0f8f483e1740a
SHA1

410c2554bef8e6a093cd71233a24c45b28771dac
SHA256

f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e
SHA512

54b4496cd5b53aef5821b3a1514414836f376910c8d810b65ea255a519db588cc0c2f4484ff405c938ed1c0d5f271790a7bbcb90fd650e286230e69acbaa0a0b
SSDEEP

3072:c2aoK46h0HN/udV53Cb8eJ21axR5OmOCMyELiAHONdK:c2lV9tCW21axRYmObBuC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkmjoec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khjgel32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
2784	Jabponba.exe
2792	Jbclgf32.exe
2840	Jmipdo32.exe
2544	Jmkmjoec.exe
2244	Jnmiag32.exe
1468	Jnofgg32.exe
2944	Kidjdpie.exe
2896	Kjeglh32.exe
1620	Khjgel32.exe
1372	Kablnadm.exe
2304	Khldkllj.exe
2204	Kdbepm32.exe
2976	Kmkihbho.exe
1652	Libjncnc.exe
928	Lplbjm32.exe
1528	Lbjofi32.exe

Loads dropped DLL 36 IoCs

pid	Process
2144	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
2144	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
2784	Jabponba.exe
2784	Jabponba.exe
2792	Jbclgf32.exe
2792	Jbclgf32.exe
2840	Jmipdo32.exe
2840	Jmipdo32.exe
2544	Jmkmjoec.exe
2544	Jmkmjoec.exe
2244	Jnmiag32.exe
2244	Jnmiag32.exe
1468	Jnofgg32.exe
1468	Jnofgg32.exe
2944	Kidjdpie.exe
2944	Kidjdpie.exe
2896	Kjeglh32.exe
2896	Kjeglh32.exe
1620	Khjgel32.exe
1620	Khjgel32.exe
1372	Kablnadm.exe
1372	Kablnadm.exe
2304	Khldkllj.exe
2304	Khldkllj.exe
2204	Kdbepm32.exe
2204	Kdbepm32.exe
2976	Kmkihbho.exe
2976	Kmkihbho.exe
1652	Libjncnc.exe
1652	Libjncnc.exe
928	Lplbjm32.exe
928	Lplbjm32.exe
1804	WerFault.exe
1804	WerFault.exe
1804	WerFault.exe
1804	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Khldkllj.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Kidjdpie.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jmkmjoec.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Pknbhi32.dll	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Oiahkhpo.dll	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
File created	C:\Windows\SysWOW64\Jmkmjoec.exe	Jmipdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jnofgg32.exe	Jnmiag32.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
File opened for modification	C:\Windows\SysWOW64\Jmipdo32.exe	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Hapbpm32.dll	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Knfddo32.dll	Jmkmjoec.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Jbclgf32.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Jnmiag32.exe	Jmkmjoec.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kjeglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Jbclgf32.exe	Jabponba.exe
File opened for modification	C:\Windows\SysWOW64\Jmkmjoec.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Khldkllj.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ccmkid32.dll	Jabponba.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Jabponba.exe	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1804	1528	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbclgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmkmjoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jabponba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmkid32.dll"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll"	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll"	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll"	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2784	2144	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe	30
PID 2144 wrote to memory of 2784	2144	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe	30
PID 2144 wrote to memory of 2784	2144	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe	30
PID 2144 wrote to memory of 2784	2144	f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe	30
PID 2784 wrote to memory of 2792	2784	Jabponba.exe	31
PID 2784 wrote to memory of 2792	2784	Jabponba.exe	31
PID 2784 wrote to memory of 2792	2784	Jabponba.exe	31
PID 2784 wrote to memory of 2792	2784	Jabponba.exe	31
PID 2792 wrote to memory of 2840	2792	Jbclgf32.exe	32
PID 2792 wrote to memory of 2840	2792	Jbclgf32.exe	32
PID 2792 wrote to memory of 2840	2792	Jbclgf32.exe	32
PID 2792 wrote to memory of 2840	2792	Jbclgf32.exe	32
PID 2840 wrote to memory of 2544	2840	Jmipdo32.exe	33
PID 2840 wrote to memory of 2544	2840	Jmipdo32.exe	33
PID 2840 wrote to memory of 2544	2840	Jmipdo32.exe	33
PID 2840 wrote to memory of 2544	2840	Jmipdo32.exe	33
PID 2544 wrote to memory of 2244	2544	Jmkmjoec.exe	34
PID 2544 wrote to memory of 2244	2544	Jmkmjoec.exe	34
PID 2544 wrote to memory of 2244	2544	Jmkmjoec.exe	34
PID 2544 wrote to memory of 2244	2544	Jmkmjoec.exe	34
PID 2244 wrote to memory of 1468	2244	Jnmiag32.exe	35
PID 2244 wrote to memory of 1468	2244	Jnmiag32.exe	35
PID 2244 wrote to memory of 1468	2244	Jnmiag32.exe	35
PID 2244 wrote to memory of 1468	2244	Jnmiag32.exe	35
PID 1468 wrote to memory of 2944	1468	Jnofgg32.exe	36
PID 1468 wrote to memory of 2944	1468	Jnofgg32.exe	36
PID 1468 wrote to memory of 2944	1468	Jnofgg32.exe	36
PID 1468 wrote to memory of 2944	1468	Jnofgg32.exe	36
PID 2944 wrote to memory of 2896	2944	Kidjdpie.exe	37
PID 2944 wrote to memory of 2896	2944	Kidjdpie.exe	37
PID 2944 wrote to memory of 2896	2944	Kidjdpie.exe	37
PID 2944 wrote to memory of 2896	2944	Kidjdpie.exe	37
PID 2896 wrote to memory of 1620	2896	Kjeglh32.exe	38
PID 2896 wrote to memory of 1620	2896	Kjeglh32.exe	38
PID 2896 wrote to memory of 1620	2896	Kjeglh32.exe	38
PID 2896 wrote to memory of 1620	2896	Kjeglh32.exe	38
PID 1620 wrote to memory of 1372	1620	Khjgel32.exe	39
PID 1620 wrote to memory of 1372	1620	Khjgel32.exe	39
PID 1620 wrote to memory of 1372	1620	Khjgel32.exe	39
PID 1620 wrote to memory of 1372	1620	Khjgel32.exe	39
PID 1372 wrote to memory of 2304	1372	Kablnadm.exe	40
PID 1372 wrote to memory of 2304	1372	Kablnadm.exe	40
PID 1372 wrote to memory of 2304	1372	Kablnadm.exe	40
PID 1372 wrote to memory of 2304	1372	Kablnadm.exe	40
PID 2304 wrote to memory of 2204	2304	Khldkllj.exe	41
PID 2304 wrote to memory of 2204	2304	Khldkllj.exe	41
PID 2304 wrote to memory of 2204	2304	Khldkllj.exe	41
PID 2304 wrote to memory of 2204	2304	Khldkllj.exe	41
PID 2204 wrote to memory of 2976	2204	Kdbepm32.exe	42
PID 2204 wrote to memory of 2976	2204	Kdbepm32.exe	42
PID 2204 wrote to memory of 2976	2204	Kdbepm32.exe	42
PID 2204 wrote to memory of 2976	2204	Kdbepm32.exe	42
PID 2976 wrote to memory of 1652	2976	Kmkihbho.exe	43
PID 2976 wrote to memory of 1652	2976	Kmkihbho.exe	43
PID 2976 wrote to memory of 1652	2976	Kmkihbho.exe	43
PID 2976 wrote to memory of 1652	2976	Kmkihbho.exe	43
PID 1652 wrote to memory of 928	1652	Libjncnc.exe	44
PID 1652 wrote to memory of 928	1652	Libjncnc.exe	44
PID 1652 wrote to memory of 928	1652	Libjncnc.exe	44
PID 1652 wrote to memory of 928	1652	Libjncnc.exe	44
PID 928 wrote to memory of 1528	928	Lplbjm32.exe	45
PID 928 wrote to memory of 1528	928	Lplbjm32.exe	45
PID 928 wrote to memory of 1528	928	Lplbjm32.exe	45
PID 928 wrote to memory of 1528	928	Lplbjm32.exe	45

C:\Users\Admin\AppData\Local\Temp\f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe
"C:\Users\Admin\AppData\Local\Temp\f7bde10ed7687d3f319fe63a2c1c80104316cb88780e6ad97d4fbec6c71a6e9e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\Jabponba.exe
  C:\Windows\system32\Jabponba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Jbclgf32.exe
    C:\Windows\system32\Jbclgf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Jmipdo32.exe
      C:\Windows\system32\Jmipdo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Jmkmjoec.exe
        
        C:\Windows\system32\Jmkmjoec.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbclgf32.exe

Filesize
96KB

MD5
79a246f9be79dc9b1c1d1548b89f4919

SHA1
b0c33418ed4e5f634bef5e7e2a018a47f7f5d866

SHA256
2cebce35ab5f37e97b8524274afb9ef4f90cddcbbd6fc38df4f9f16634c12bd1

SHA512
1fd656571a214dcbc39ab29d006a13b78166fa92c33d20ef03e2ca2f9e2070d6405e4fe767df922b3f9c7b8d3c71f730725a48f51a6cf3d6393778d9220a272d

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
96KB

MD5
41ea4b46562c31f04897fecaa7e12af3

SHA1
3e23ce2f3203003c3c314b7288c245dd08d352b8

SHA256
0ee892ffde0075ecfcd894ac553483abe495a05376abb755249dd7dcd230f9b1

SHA512
5776c71e2a04c40fb5ca4722d6db8889ac6bc246dfa549e99d9afcb3cbd6c1a46bcf5960b9faac33bf207f6c0ee8bb863ee6b2eb559020ad7d7f88063ee4c4c4

Download Submit
C:\Windows\SysWOW64\Khldkllj.exe

Filesize
96KB

MD5
64b255d75c83459e9477b25e4005fbf8

SHA1
195a68032be8c57c7d6176e61ccf1602e6cdc2f5

SHA256
69919d68a13e6942e7eaed9578f402c3b942a337f35247d36a2ff5fc0f7ac0c1

SHA512
41bc1ec49267936cd1d6ffe7a2da433163cbd621d88becc49e493991b9571177ea3bbdf5e7e57e8c97d7575779a2a135e75abee136688088ab2a2a47a085afbc

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
96KB

MD5
5cb067824964acd8f3c0fd2fc7fe8b59

SHA1
fdedb6fb08847d7a381c95b34210cbf24783f5b9

SHA256
ecf70b537bd1e3f5303d766460ab527c29d6293aac3624f8ba84708379b32264

SHA512
6ea55a82617e7f8f0ed1bef2e58f98fc0659cc4513b79e30b08e033f039d717ef7ab380bc2482b96e79dbc18938c0f847ef1aac7637ae47f727c326048c4171a

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
96KB

MD5
6918ebd18e80680ef50ad57dc535b939

SHA1
274dac67f410d9ae532446a8360bc5ce08f6ce6d

SHA256
51f5ac723451cad16d43b28495b312ec046d5d28abd85a8c213f1940a916a662

SHA512
d66a4b68306c65a96f0e72d7829141c8ac805021a4ed9e27dced276ee31decec57f8c5cd7f4cff80eab25f717fab1106f879b5fe37e73928420248919cf05f4c

Download Submit
C:\Windows\SysWOW64\Knfddo32.dll

Filesize
7KB

MD5
6fa29086295e56611a660ada7f5ba970

SHA1
c90303cf848c445706d7d1acca252a8ebb3fa4fd

SHA256
e84c3710086b79a822c3849d4e2061b73403a85c65a7e692973e9ef9b1385b92

SHA512
e0bd772644f1b9e5f7dd7d99589cffd2e628ce35b90a4de15c5603410df73ec0135bb17126a2abaa8051bb7b3da7255e46e72842a4a800b1ffb2c4e4bc83ab0d

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
96KB

MD5
4b879f3549a0a04fd7a75808bc0daa18

SHA1
6f6df4a7a28e96bc57a079ab465c159d31994318

SHA256
633bab228bd3a467ff8e9ca6839cd56c126fde08968692b76c0f61b6258007cd

SHA512
4b5893d1d599ea9c055790d8147297d09918316d9370f664f7523dc01fd7eef3c174790991e0ff55b375e21063b3218f6e2840f64b5d1666487abc342729cd49

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
96KB

MD5
a3860b11ea51b42c90b3aea5879965f0

SHA1
0b80b47fbd5f9c628b10a2f5b6849f65c3adeec5

SHA256
b0d38ce40dbaae232b8240b9825c913a41843a2f60d5fb6f4d691e72fe877121

SHA512
646348a37d09383523a1b4dee04b772e59dbecac572c2effaa252d84e4948dadec043e29e0419a11f5b0f81c7ede0fabe036179ef1c4a05bccc302bfa6a00fb9

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
96KB

MD5
e94b7ca48ea6f8f1c63c019a2a486742

SHA1
579d1b1eb70eee74b5b0844841086c4437218fa8

SHA256
8cb94a2d3f2dee57378de2ee363e8918e2979b17d9663fb58f90eb30cf760be3

SHA512
480d3ad6bcd25490f3d449a73c10c3e01689a1ca508f573b66c23b48a4ed6b611f2eb199f5ec308703369417449517acfb9e051023bc6544a6910744aad0b58d

Download Submit
\Windows\SysWOW64\Jabponba.exe

Filesize
96KB

MD5
7e19d82b45eecef02110e1b7efa970cc

SHA1
cfc1773c2548b36c3b6a9200c4f5c2c7d7460961

SHA256
3418557ddf80c811a88ac809ef225bcfa24488ebb4060453d290ddea93c4b7ce

SHA512
c80144bc635c73106500d85b792445d8315f8be7fb88f69bfee6879867941135618144a6e7e55bfabf2bfbad9580b63eb3d1fce74e1a5e55f75861d18dc1a93e

Download Submit
\Windows\SysWOW64\Jmkmjoec.exe

Filesize
96KB

MD5
7daf47029be59d05ffece3c354c3d019

SHA1
3e21748cb51d7fcf5d8be92b58c9b756784184fc

SHA256
5e20b2ee75ec403eaea197e78e81fc722016f2b054f25fec41791068fb29672e

SHA512
262e775bd7c872caf8a8f782a3c2853516cbc9744d2bb110c32f35a3651f6273c967d05ce219c5943ac9b27e841dbd69655a7c97fcc9783ca826f6a4e73ee1ef

Download Submit
\Windows\SysWOW64\Jnmiag32.exe

Filesize
96KB

MD5
2b0d7262a5c00b79f239ae7a6a75ed4c

SHA1
60fa11335f0995a3053731776fd44c853ad28504

SHA256
e9cec9a610e48cdd07752b9a122572d07cf6a6ffc5d34338ae6408a1c9d82422

SHA512
9567795d9034dbdeec5afb274610ea656d2e34e092574fe6950ef9f6f2a3355812b493808b63dbf1595e96ab48a14b99742f148048de88c851589067689c1f9c

Download Submit
\Windows\SysWOW64\Jnofgg32.exe

Filesize
96KB

MD5
671c4e7f0e5d77fd5d58124a899b5d00

SHA1
396a186c69006564bd95b02b3d6d3dc6f00549ab

SHA256
3c8d561d7b4c010d10cf4f51b14f5b0f85934551f9155721e2f42756ea482134

SHA512
100591b44fcee1aa61356fbf78a6e849ca5bf8e6b10d21713ca68d7804ab025ced38a549911e936924cb4d6180ce40faa0d26db26de5649dff891d0acf990306

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
96KB

MD5
7c3c053e75c3b59e3777fe8fabc05c69

SHA1
48f50511f3375d8a873862c25aa6049a5a7f9266

SHA256
c2ed74fa58587994ad19044f6b96f01879698be1c29e77b9812d7591d8ee3580

SHA512
734c897ad2bee06cf1719e242c004e01dd2927e22044f5047bb734d188730201f5eef16209f61b315ab556669924a767722899f7eaedf9ec19a979fe5df7fecd

Download Submit
\Windows\SysWOW64\Kdbepm32.exe

Filesize
96KB

MD5
f3765f2165aea5638f2503d7b491c2ae

SHA1
90e329f54809c5da69e44d20024f0bf50ea237ec

SHA256
acb9cc20c9f29b18cb7c555ebca1e0668617f348cf689cf7df4ee4a824123423

SHA512
86f9bdd3dfea72f36c19922516d1cc99d7c0a86d9914a4af83c92bea66ca05e50c512f4effc701becb11df59f9219caa88981ce4507c052e0f50532973b3589e

Download Submit
\Windows\SysWOW64\Khjgel32.exe

Filesize
96KB

MD5
3ba5ad52ecd766aae9187e40b62c3f1f

SHA1
dbe67a47c2e202111fd312c1a74f25092fecfd9e

SHA256
4e1edd8923d7293f48bb3837164d2e283b50ca73a16ecc12e6e510a759851f83

SHA512
ae59c90da47f84d4b4edf5cd3360a395ee96443b46c499fe66d05a5f1405c7513b29695290fa63996059b9c639c77f2133112fce85217c0cbd516479bcdbe7fd

Download Submit
\Windows\SysWOW64\Kjeglh32.exe

Filesize
96KB

MD5
e38c204ae787e0ded8f128a142dd666e

SHA1
09926e2bae5e85cb512d7a768ec6c5c21264f3f2

SHA256
597a7ed3d13bab11c49c3bd6a346c536a48217131f5aa98b77a7c5f91e00880e

SHA512
b62d9b227ab18bb9e83473a3ed6ae3de50ac30bc851cbb03cdac89c94633e725056ac3f485897e7dfc820ef25445faffa08163a3b0d299a35fbc56ccf9e29132

Download Submit
memory/928-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-221-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1372-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-145-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-158-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1468-97-0x0000000000360000-0x000000000039F000-memory.dmp

Filesize
252KB

Download
memory/1468-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-223-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2144-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-17-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2144-70-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2144-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-18-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2204-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-184-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2204-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-239-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2204-190-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2244-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-141-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2244-78-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2304-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-166-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2304-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-32-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2792-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-105-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2840-53-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2840-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-181-0x00000000003B0000-0x00000000003EF000-memory.dmp

Filesize
252KB

Download
memory/2896-128-0x00000000003B0000-0x00000000003EF000-memory.dmp

Filesize
252KB

Download
memory/2896-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-182-0x00000000003B0000-0x00000000003EF000-memory.dmp

Filesize
252KB

Download
memory/2944-107-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2944-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-209-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2976-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-241-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2976-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads