berbew | dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Size

97KB
MD5

ffd4eddf1aa2dab5e508e7876cb2b2f0
SHA1

1a08d197e9f134d278a59bdee3ae143678753992
SHA256

dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291d
SHA512

85c18bca1f0d9becaa3c65fcd1d01e2e74271bced196ea8a3bb03c5b06d6f2584aca3a9c4695f865bae6b6930c31871938a128cd819a101553cd6bf0fd614609
SSDEEP

1536:KoOIQObpE3zvYilc1LhI5yEM7O74SgCkBXUwXfzwE57pvJXeYZE:nQObe3vg9aMKzgCkVPzwm7pJXeKE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inojhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inojhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
2492	Ioeclg32.exe
3036	Ifolhann.exe
2848	Injqmdki.exe
2900	Igceej32.exe
3004	Iakino32.exe
2692	Igebkiof.exe
2732	Inojhc32.exe
2788	Jmdgipkk.exe
2208	Jjhgbd32.exe
2288	Jpepkk32.exe
2376	Jfohgepi.exe
2620	Jllqplnp.exe
708	Jfaeme32.exe
1704	Jnmiag32.exe
2628	Jefbnacn.exe
1948	Kbjbge32.exe
628	Kidjdpie.exe
1732	Kjeglh32.exe
620	Kapohbfp.exe
1760	Khjgel32.exe
308	Kocpbfei.exe
1776	Kenhopmf.exe
2884	Kfodfh32.exe
2548	Koflgf32.exe
2316	Khnapkjg.exe
300	Kkmmlgik.exe
928	Kpieengb.exe
3048	Llpfjomf.exe
3000	Lbjofi32.exe

Loads dropped DLL 62 IoCs

pid	Process
2156	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
2156	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
2492	Ioeclg32.exe
2492	Ioeclg32.exe
3036	Ifolhann.exe
3036	Ifolhann.exe
2848	Injqmdki.exe
2848	Injqmdki.exe
2900	Igceej32.exe
2900	Igceej32.exe
3004	Iakino32.exe
3004	Iakino32.exe
2692	Igebkiof.exe
2692	Igebkiof.exe
2732	Inojhc32.exe
2732	Inojhc32.exe
2788	Jmdgipkk.exe
2788	Jmdgipkk.exe
2208	Jjhgbd32.exe
2208	Jjhgbd32.exe
2288	Jpepkk32.exe
2288	Jpepkk32.exe
2376	Jfohgepi.exe
2376	Jfohgepi.exe
2620	Jllqplnp.exe
2620	Jllqplnp.exe
708	Jfaeme32.exe
708	Jfaeme32.exe
1704	Jnmiag32.exe
1704	Jnmiag32.exe
2628	Jefbnacn.exe
2628	Jefbnacn.exe
1948	Kbjbge32.exe
1948	Kbjbge32.exe
628	Kidjdpie.exe
628	Kidjdpie.exe
1732	Kjeglh32.exe
1732	Kjeglh32.exe
620	Kapohbfp.exe
620	Kapohbfp.exe
1760	Khjgel32.exe
1760	Khjgel32.exe
308	Kocpbfei.exe
308	Kocpbfei.exe
1776	Kenhopmf.exe
1776	Kenhopmf.exe
2884	Kfodfh32.exe
2884	Kfodfh32.exe
2548	Koflgf32.exe
2548	Koflgf32.exe
2316	Khnapkjg.exe
2316	Khnapkjg.exe
300	Kkmmlgik.exe
300	Kkmmlgik.exe
928	Kpieengb.exe
928	Kpieengb.exe
3048	Llpfjomf.exe
3048	Llpfjomf.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Kmnfciac.dll	Jnmiag32.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Igceej32.exe	Injqmdki.exe
File opened for modification	C:\Windows\SysWOW64\Igebkiof.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Knfddo32.dll	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Ioeclg32.exe	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
File created	C:\Windows\SysWOW64\Ifolhann.exe	Ioeclg32.exe
File created	C:\Windows\SysWOW64\Injqmdki.exe	Ifolhann.exe
File created	C:\Windows\SysWOW64\Mgqbajfj.dll	Ifolhann.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Khnapkjg.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Jmegnj32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Bgcmiq32.dll	Injqmdki.exe
File created	C:\Windows\SysWOW64\Jnmiag32.exe	Jfaeme32.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Khjgel32.exe
File created	C:\Windows\SysWOW64\Iakino32.exe	Igceej32.exe
File opened for modification	C:\Windows\SysWOW64\Jmdgipkk.exe	Inojhc32.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Kapohbfp.exe	Kjeglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Inojhc32.exe	Igebkiof.exe
File created	C:\Windows\SysWOW64\Jmdgipkk.exe	Inojhc32.exe
File created	C:\Windows\SysWOW64\Lgjdnbkd.dll	Inojhc32.exe
File created	C:\Windows\SysWOW64\Dgcgbb32.dll	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Ifblipqh.dll	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jjhgbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaeme32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Leoebflm.dll	Iakino32.exe
File created	C:\Windows\SysWOW64\Jfohgepi.exe	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Jefbnacn.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Ifolhann.exe	Ioeclg32.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jefbnacn.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	Jmdgipkk.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kapohbfp.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Igceej32.exe	Injqmdki.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2844	3000	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifolhann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igebkiof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioeclg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inojhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbnacn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igceej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inojhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbclpfop.dll"	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcmiq32.dll"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakino32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmplbgpm.dll"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igebkiof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inojhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll"	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kidjdpie.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2492	2156	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe	30
PID 2156 wrote to memory of 2492	2156	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe	30
PID 2156 wrote to memory of 2492	2156	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe	30
PID 2156 wrote to memory of 2492	2156	dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe	30
PID 2492 wrote to memory of 3036	2492	Ioeclg32.exe	31
PID 2492 wrote to memory of 3036	2492	Ioeclg32.exe	31
PID 2492 wrote to memory of 3036	2492	Ioeclg32.exe	31
PID 2492 wrote to memory of 3036	2492	Ioeclg32.exe	31
PID 3036 wrote to memory of 2848	3036	Ifolhann.exe	32
PID 3036 wrote to memory of 2848	3036	Ifolhann.exe	32
PID 3036 wrote to memory of 2848	3036	Ifolhann.exe	32
PID 3036 wrote to memory of 2848	3036	Ifolhann.exe	32
PID 2848 wrote to memory of 2900	2848	Injqmdki.exe	33
PID 2848 wrote to memory of 2900	2848	Injqmdki.exe	33
PID 2848 wrote to memory of 2900	2848	Injqmdki.exe	33
PID 2848 wrote to memory of 2900	2848	Injqmdki.exe	33
PID 2900 wrote to memory of 3004	2900	Igceej32.exe	34
PID 2900 wrote to memory of 3004	2900	Igceej32.exe	34
PID 2900 wrote to memory of 3004	2900	Igceej32.exe	34
PID 2900 wrote to memory of 3004	2900	Igceej32.exe	34
PID 3004 wrote to memory of 2692	3004	Iakino32.exe	35
PID 3004 wrote to memory of 2692	3004	Iakino32.exe	35
PID 3004 wrote to memory of 2692	3004	Iakino32.exe	35
PID 3004 wrote to memory of 2692	3004	Iakino32.exe	35
PID 2692 wrote to memory of 2732	2692	Igebkiof.exe	36
PID 2692 wrote to memory of 2732	2692	Igebkiof.exe	36
PID 2692 wrote to memory of 2732	2692	Igebkiof.exe	36
PID 2692 wrote to memory of 2732	2692	Igebkiof.exe	36
PID 2732 wrote to memory of 2788	2732	Inojhc32.exe	37
PID 2732 wrote to memory of 2788	2732	Inojhc32.exe	37
PID 2732 wrote to memory of 2788	2732	Inojhc32.exe	37
PID 2732 wrote to memory of 2788	2732	Inojhc32.exe	37
PID 2788 wrote to memory of 2208	2788	Jmdgipkk.exe	38
PID 2788 wrote to memory of 2208	2788	Jmdgipkk.exe	38
PID 2788 wrote to memory of 2208	2788	Jmdgipkk.exe	38
PID 2788 wrote to memory of 2208	2788	Jmdgipkk.exe	38
PID 2208 wrote to memory of 2288	2208	Jjhgbd32.exe	39
PID 2208 wrote to memory of 2288	2208	Jjhgbd32.exe	39
PID 2208 wrote to memory of 2288	2208	Jjhgbd32.exe	39
PID 2208 wrote to memory of 2288	2208	Jjhgbd32.exe	39
PID 2288 wrote to memory of 2376	2288	Jpepkk32.exe	40
PID 2288 wrote to memory of 2376	2288	Jpepkk32.exe	40
PID 2288 wrote to memory of 2376	2288	Jpepkk32.exe	40
PID 2288 wrote to memory of 2376	2288	Jpepkk32.exe	40
PID 2376 wrote to memory of 2620	2376	Jfohgepi.exe	41
PID 2376 wrote to memory of 2620	2376	Jfohgepi.exe	41
PID 2376 wrote to memory of 2620	2376	Jfohgepi.exe	41
PID 2376 wrote to memory of 2620	2376	Jfohgepi.exe	41
PID 2620 wrote to memory of 708	2620	Jllqplnp.exe	42
PID 2620 wrote to memory of 708	2620	Jllqplnp.exe	42
PID 2620 wrote to memory of 708	2620	Jllqplnp.exe	42
PID 2620 wrote to memory of 708	2620	Jllqplnp.exe	42
PID 708 wrote to memory of 1704	708	Jfaeme32.exe	43
PID 708 wrote to memory of 1704	708	Jfaeme32.exe	43
PID 708 wrote to memory of 1704	708	Jfaeme32.exe	43
PID 708 wrote to memory of 1704	708	Jfaeme32.exe	43
PID 1704 wrote to memory of 2628	1704	Jnmiag32.exe	44
PID 1704 wrote to memory of 2628	1704	Jnmiag32.exe	44
PID 1704 wrote to memory of 2628	1704	Jnmiag32.exe	44
PID 1704 wrote to memory of 2628	1704	Jnmiag32.exe	44
PID 2628 wrote to memory of 1948	2628	Jefbnacn.exe	45
PID 2628 wrote to memory of 1948	2628	Jefbnacn.exe	45
PID 2628 wrote to memory of 1948	2628	Jefbnacn.exe	45
PID 2628 wrote to memory of 1948	2628	Jefbnacn.exe	45

C:\Users\Admin\AppData\Local\Temp\dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe
"C:\Users\Admin\AppData\Local\Temp\dc252a2dd2286162da8b56f182c812bfa94d6b249b631b8c536a6e2a9850291dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Ioeclg32.exe
  C:\Windows\system32\Ioeclg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\Ifolhann.exe
    C:\Windows\system32\Ifolhann.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\Injqmdki.exe
      C:\Windows\system32\Injqmdki.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Igceej32.exe
        
        C:\Windows\system32\Igceej32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Igebkiof.exe
        
        C:\Windows\system32\Igebkiof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Inojhc32.exe
        
        C:\Windows\system32\Inojhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Jmdgipkk.exe
        
        C:\Windows\system32\Jmdgipkk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Jefbnacn.exe
        
        C:\Windows\system32\Jefbnacn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Injqmdki.exe

Filesize
97KB

MD5
1f4cf30af95cab05b48b544c7ba34db1

SHA1
022278f53526dfd1dab0aa4b2179265d25cceb4f

SHA256
2edcffdb73894cfaff3bdff195a60d023f1a6c96a5712142d020ba61599f1b26

SHA512
f2c9f86237e7f5eefb4e56bc2e446dd9c73abe0b88eefb30a4c98cf4cebacdbd1a50a17e493210c25c43ce254563ecb491a5d1b66c990e3ca341e557907bbec6

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
97KB

MD5
6de470111436171adb17f7b4766c96e4

SHA1
341d01ad0c0e5ab89a7e579fcc72ca75cb1d9531

SHA256
dd5d18f161a273123c4403fd0546ddcdcccf3a9a86b9c9e62bc21db500a9fb09

SHA512
23c68eb6f1c98f93d569a06316e6b77ce31447160f342dad7b0744d8810b02f8df37522a06ffe0b0706b463401ef5f5c964f939d683cc9e553fd2333a3ec0874

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
97KB

MD5
32b4ee47df044a09c984ee96008b5bb6

SHA1
c706d682d29b5e1e3f0e49658102d2d00808f5a3

SHA256
0e57fecc9ec7765c6208b5738742b89a63c7e739186b3826e6e182fbdceeeea7

SHA512
c790abdad4f501c1ba270a86b244511b4d5f3fa2aae7d3c583b662c015c09f3b230476d72d917ed1b1b1aa00f64a70b27d47e0552e1f25b0b1b7cc51bdd8f64f

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
97KB

MD5
694b4ad7046040fa42cae71cd2747e6d

SHA1
afa4e191d60a78767c9f8f9270f663ccea6d24c2

SHA256
47ed515a74460a7b835851fb30264b38dfd0f5a250e85f6a76de71585faa8a2a

SHA512
b58b8a620a49fbc8202e3eb1f2f1510c32a1e56950267b021a73b3f8c109718bcf527c9d033c625ad69f8e3891f49ff7b1a9267a902d53b63930afb05c83b40a

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
97KB

MD5
371577e1d5d3874efd47687ab749662a

SHA1
904593d5d95cbf676aee783626cb5a0a0ec9c383

SHA256
f409f77ab6ffd5296ed4e70b102090bda4c4be2bea6be4a3f7ebeb94256ff528

SHA512
f1808e9c3a91cbcbda5e218751c0a064b72f5cbd3c9e0b3e548ae732b3bdcb378176cb721f7bde07e2baca34942b809ebf62bf50cde19d8ba2d9beaa98b58667

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
97KB

MD5
1d824701d16017217b6d792f41b73830

SHA1
9ffa28fb80072904cc0e7407a0cf78447f4ba1e4

SHA256
e01d6476a9e0a7e107d7e6f25f8ccf224817bc0ec151be0f353b890cd1cea2b4

SHA512
58899aa9a402701a6bc5afa2d80850bdc75ac0e58011c00253a53888731d014239aa04dcb2e087459a15f261914198138889237835d2d9b70f77391a53c177f8

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
97KB

MD5
cca12b6ed249054536160d3e2cbc041c

SHA1
7b470410ba6bdac4673dee1ce75ef6023053f87d

SHA256
0035e07d0d5de6b3e08dd4f911e40d0bbdfef4661b3150803247308a59f2a8d3

SHA512
2c720a03f3c846552969c86675a19d5682f197282e35b033bf3812a756ed64ed74db5fe147f56d84f34bb35bfcf83d1c4abf01519ce133c4c8bc52d75d275cd1

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
97KB

MD5
0658d7fce2e6a39fc3bfabe60cdbdb33

SHA1
8faea1deac8373a74113ca33eae14b806af69f0e

SHA256
b2452c8dc92901480ed80d8289fdde9af92de533af9d9cabd5b5d0c4ae756b4c

SHA512
97a39a8ad7f80a2a7a5a0e21dca85c8902aa3600d5a09c2de76ce9587cf6db237c5a124ea26f8eb8cef337cbaf7e3af7a78180db4940c496f5f4279aac7fb186

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
97KB

MD5
8311239ae5604b44210ef5d713b69395

SHA1
cd4fd78c6a7332275e3f225de7245be32a9d6d09

SHA256
9af270a3ffcdf600d2ab3eb04956e6775b67fd71dc0b1c1ac81a66bbf529f7c3

SHA512
c8261e9105e90b6df68d83cfa44f0f360fb616cb317a4ce301890e7f478c551e09baf997fc970079f570b06f1da08dc932144b78a64e0d6e23010c9a3301fc20

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
97KB

MD5
5c8176a08fbc69b582695092b1d91535

SHA1
a16e8ab2b01051b84bd306390d1812bfd63c09d7

SHA256
26ac48316948608e0e7114a947a9a1ca5acaf901972a6db5946a2ab541cd8989

SHA512
61e337eb9233ab900f451346b4a8eaa7afa0a8ff05cef0e9630c66c631bf87c799ea216987b9db2656b944162d32d28f359ddeb39c4591fc0a40474f9bf15098

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
97KB

MD5
c8bfae0970bd7f32fedd488cc0e539c9

SHA1
3d9ed010ce154ced069318900092c271e745d6da

SHA256
29a5ed0f9d3deaf0d746dd64ed126fd6abc4cec31f0dfce737b46c51d8f860b4

SHA512
7bb6dc87e2bea9ceba2cf4f9963bddf8a5842e62e328584a3b5a13cf52dcad810c0032bf2068c0a124e2e60eea5f4de74261fcba150b316be4423835daf2d833

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
97KB

MD5
bbe0b92685015e004fc24ff51b35e1d3

SHA1
ec7fa307a99dd3046a6c28592cbe25602a8c629f

SHA256
099e5b351f6c3591820628abf24a688355d3bf28e7b754b3f7f5c37665009bd0

SHA512
80a4e0144afe43fc1b63d6e18e8ffed91d676bf7b9a737f7f6436f5cd810048ef25a9741f65910b21a2a35d3c87bd3832a75bad5cd0a4a4d44072f311d9fea88

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
97KB

MD5
2aeb00d4861d29756f4698b2edb18442

SHA1
64a905857a779a7ced9fc5e7044588ca62339665

SHA256
56ed581535a3cd950766c32c970ab8b5eda19dd592dfdf395041c961b7a8f2b7

SHA512
152970a5d33054f354466c9acbba5ab12f7be9a7d965c551bc12674408db5b95b0a4bdd34630f90e7dd59653580cb68f293ce062e1a4a623a1e5fd148e51eac8

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
97KB

MD5
18d5c24038de2c43bf0139430476f8e2

SHA1
459260644bd07a88f20bfe5f2378008128a1f479

SHA256
68e3b5fad82ca9bde21c16d6a60943c3faf2b6a5fcf2f2cf183f375dbb681b80

SHA512
788d2d5edeb65c22974637f3317117a942331bce35800b80b93407d007fd2d877454d0287b78cf0ae6bd0ee8cb039e66a4315eb518893e892dfc802385db758a

Download Submit
\Windows\SysWOW64\Iakino32.exe

Filesize
97KB

MD5
79dfcc98fd2d5229dcbd8282adf3c761

SHA1
6f874d778e9bf8b4e4f86ac48c77e40d4fe58943

SHA256
bdac0bcd05cbbe3df2880dc428915066b485ae0581409d1ce97c23da3ed7ac9f

SHA512
7018827f66fbafe99603d1beec9b0d152c075b97c1e61c830afff843c708e56dc40e06f13a643c2f12e11e8189a768d39e29c84db5475c31ab1bba3dcaa1ac42

Download Submit
\Windows\SysWOW64\Ifolhann.exe

Filesize
97KB

MD5
8f554dd87447ac92e5842cfeb61676ea

SHA1
92b6030d9452ffe3bf4f7d9d9c266b4890926b73

SHA256
c15daded637d10f903faf5a8f099f9c8bfd7cbff7845b44b7c2adc5d1444278c

SHA512
76d7aa2cd0ff989a808bbf63d23565d3eb8d0b1fb36ecc25b8d3449ae292185ee79dabcdfa6b06524e88cd36aef982633ea2ff7f2286ae7ccc4acaa176a9f27b

Download Submit
\Windows\SysWOW64\Igceej32.exe

Filesize
97KB

MD5
ecb2c249b93aabbbb452ac852b7bd37d

SHA1
468bd14bf3e1fb0add9c51a5b605c898c69fe22a

SHA256
cbfd975e92c33ca41bae2668cb86df529d68dedb10df4b6292bbfb520c6d20c5

SHA512
9fbf896518fcde0619996c2fb3ac9199a228398d30e2aef9a371ff6ecbce348d7833a151ec79f4be8b5428a39493c84a0295ab250c5991955713a488c2997522

Download Submit
\Windows\SysWOW64\Igebkiof.exe

Filesize
97KB

MD5
a30b6e411645452457a387076ea91a0d

SHA1
bd2460321a7d0d6889c654619e20e6c7bc1627cd

SHA256
30e28846528ad5be7b3407f54fc98d648e715aced622a81c33b7681749d77512

SHA512
48bd1eafb3d7fea6b43af3bfaf5782e8a03623e9fd5b1fa12c2edab78a6ef36b0f4036e773e895542e9bbdeca1a4bd8f07c81c74ac6e5c9a08db944e54d2a238

Download Submit
\Windows\SysWOW64\Inojhc32.exe

Filesize
97KB

MD5
b9d1e81677d787b2379666942afbbd8f

SHA1
ab66fccec6366aedf252ac8fe341fac358274153

SHA256
bf31981442275595d9cb1b03f877469b60a1e0f89b96a68545b86fb25a7ad078

SHA512
0a239c575651d11a1e46f3d88697669fb354e2c711998fb7d842a57c4194b97d9776b018417366f97d61836387fb8da50240af384c303731760bebe9e7410fc0

Download Submit
\Windows\SysWOW64\Ioeclg32.exe

Filesize
97KB

MD5
cf52d3dc8481a5bd3d77c03b52898959

SHA1
d8ddd3c47abc63150deb746e9d42e93a7e7b3516

SHA256
2889f9daa9730874f34ad9747e663de4721360148ea3f3b7f0749640346fde05

SHA512
253dafd4370d7b3d0b0d1c48bcef500bac95946a447601aa3690b8ed92fca128e1eb76db05b2b1da9748b8dbb8c2f3c5c01d499de9157375b0195b06b50bf718

Download Submit
\Windows\SysWOW64\Jefbnacn.exe

Filesize
97KB

MD5
04c152472fd165a17c47f66ed3beecf1

SHA1
032404ef31284024b21d79277efecdce1cdc5042

SHA256
82bb4676ed09e13a03d95d12ea7275ea6ca7d8df7dc916fd28932662ff98c1f4

SHA512
f57e414b9c8d4062f265749f87aadac403cba4f3729b8ef43140eafd5db80079a71402031cf6a1775387c594c6af366f4d4582854e2df3cefb45961e75922c18

Download Submit
\Windows\SysWOW64\Jfaeme32.exe

Filesize
97KB

MD5
b5123574c840f773625568642afa1658

SHA1
add2b05c51ffd0a24ecd41765c6ed72d5a57f277

SHA256
cbe11f68a55f6233464409300ed166282d6e2c8b292e3527af9405c009578f69

SHA512
854b61f544e21e5b42a55b41d42fbb7cdfbc20e0d1ef6467b336e2ece44dbdfd9e505eddc9ae12d1e76334b7071d3ee340dc540b9f7cdaa999d080e0c5fa2208

Download Submit
\Windows\SysWOW64\Jfohgepi.exe

Filesize
97KB

MD5
861dc7253e344e0be65b387d097305e1

SHA1
bd27de9bfe3b0ad9e17ad9cb982c9e02cd27951a

SHA256
7d9caced7719819b47d4be6e8cccfb4fc39f70f7e13a3fb2dc9bcb45c2f32a36

SHA512
385e49d3affb8706c0843e2a4c1420911422ea4a9ea6230777267e7deef6a06ab608a8d59ceaf45b495466e7f28cd0aaec7e25abf9abb0f719e546527b0630f7

Download Submit
\Windows\SysWOW64\Jjhgbd32.exe

Filesize
97KB

MD5
057b296bd762909246427aa4da18a62b

SHA1
73720a9934a94eda4834e7433b8f3fca7ecc8dbc

SHA256
30ce49544ec42b11836d1a38fb121f224cd06b2618473e09ea1ec58a60523c12

SHA512
c5a8472dc07c3b9e31c57d1b8e2238c0902bb79fe4f5f87d1701a7b30e90dcc6573f47243b9912e3a564407399ecf14f384af28f0d93f9fea52d77b4d64bd745

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
97KB

MD5
c3143cd5a09aa18c4ab88628d6697cdf

SHA1
a0ca920ac90e57b8f3aeb3b315e8599419dd82c0

SHA256
8a57a80c831b0b6024e3d50f9f0dd296cd231a9877ebf5280a30051e69ae3340

SHA512
7e9b4867a470aaa31f81108255c801243f6f32e1e719a10822fc81b58534189d1f28791d7e7efad95d90eaf0e6aa44011e02a4cdc0c95dfe2c3d3ab621fcc3de

Download Submit
\Windows\SysWOW64\Jmdgipkk.exe

Filesize
97KB

MD5
20b5b58a11ce733d670ff389d8d15dfb

SHA1
51fd10325cc1b5541c2e98db44f2aafb18781878

SHA256
462e63eec56fe54329a741d03df78478c86e61b6b4ee458f534a068d1fdfdef1

SHA512
394338e06ee1a15fb770dd0d2211ce67b59cb9b531b64f7b315ab1059114fa27cdf6d503bba61460f4d879d113a7f53ddbe352c1eb407ae61acfce778cdbcdb6

Download Submit
\Windows\SysWOW64\Jnmiag32.exe

Filesize
97KB

MD5
1408eea4a8c87aab6f878f40346e3a3f

SHA1
6db8b9f2d6d348f29c761d9d4638420e70e7ad1e

SHA256
302e44d8d332512d993376a9ab92e414e0419cf100c222f5a8411f599b59604c

SHA512
929477ef5ac3f64429f51694a11f690b4326350e7c4c061cc4b9224eaf41236bcf1a36da9f695a85e354706017ef17a36e58855feac6c64045202dad106d9363

Download Submit
\Windows\SysWOW64\Jpepkk32.exe

Filesize
97KB

MD5
53ee7170b293a447b8a06c11ba6fa196

SHA1
d23270e465d30eb4bc902ded8214c71e9f3b51c0

SHA256
17df1d4b83a2a4ac342e49552ad56da7963c87b0c1030bf6236452ffed5baefe

SHA512
e5c31dd108498c75676f4378e9fdc2962488fa2b68a607119a5e1c0ba9fb56284c425c85f3b7a1e486d88977cd855ecb17543e52e485b5a27c4519c47a5f12e3

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
97KB

MD5
4255f1e3751fbc2fb0e487cd6639a075

SHA1
0d792d4090d699c19587d1b93715e6826b30895b

SHA256
e94e6d13cda36bb242a4bd0a47dadc7e3c9986ed77c3ef9682fd387a8a85d46f

SHA512
54d772ea5e7c53000e46690cf4e5bd8a289dbf575c37e473fb7c242a01a64ec69b914ec7b77d2f498119d2bc0e8b1d28b61a341466bee24af37051d91f5a0712

Download Submit
memory/300-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/300-326-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/300-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/300-321-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/308-272-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/308-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-253-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/620-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-234-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/628-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-238-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/708-183-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/708-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/708-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-336-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/928-335-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1704-203-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1704-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-266-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1760-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-282-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1776-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-224-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1948-228-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1948-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-12-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2156-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-13-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2156-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-350-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2156-351-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2208-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-132-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2288-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-310-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2316-315-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2316-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-158-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2492-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-353-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2492-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-28-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2492-22-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2548-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-304-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2620-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-212-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2628-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-109-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2732-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-55-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2848-56-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2848-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-78-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3004-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-42-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/3036-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-347-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/3048-346-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/3048-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads