berbew | 135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
Size

88KB
MD5

eb034e0b67fc3c8ba1987860d39ba644
SHA1

87553ebafe8ad6e65f53eb53d828e7a3db284c22
SHA256

135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49
SHA512

5f15ab8b7bb4dd840e67aeea92c0298229166bc0bbd0885b96d75d8a4b647110f4474e9b390a6009e1464df5823134abddeed59c806a458d6916d2bd09c65854
SSDEEP

1536:E3eHHHDt0bOuT2wiXC7PxoXg/oOVcn1ME7G2BWnouy8r:E3YHy2LyKXZOV72Bmoutr

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjifjdg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
2228	Jmfcop32.exe
3060	Jabponba.exe
2708	Jmipdo32.exe
2764	Jipaip32.exe
2600	Jpjifjdg.exe
2360	Jfcabd32.exe
1844	Jibnop32.exe
2884	Jplfkjbd.exe
2052	Kbjbge32.exe
2816	Khgkpl32.exe
2620	Koaclfgl.exe
2096	Kdnkdmec.exe
572	Kjhcag32.exe
1688	Kmfpmc32.exe
2448	Kdphjm32.exe
2332	Koflgf32.exe
940	Kpgionie.exe
764	Kfaalh32.exe
1684	Kageia32.exe
2524	Kgcnahoo.exe
3052	Kkojbf32.exe
3012	Libjncnc.exe
1656	Lplbjm32.exe
1664	Lgfjggll.exe
2520	Leikbd32.exe
1364	Lcmklh32.exe
2860	Lghgmg32.exe
2616	Lpqlemaj.exe
3020	Lcohahpn.exe
2576	Lcadghnk.exe
1980	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2264	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
2264	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
2228	Jmfcop32.exe
2228	Jmfcop32.exe
3060	Jabponba.exe
3060	Jabponba.exe
2708	Jmipdo32.exe
2708	Jmipdo32.exe
2764	Jipaip32.exe
2764	Jipaip32.exe
2600	Jpjifjdg.exe
2600	Jpjifjdg.exe
2360	Jfcabd32.exe
2360	Jfcabd32.exe
1844	Jibnop32.exe
1844	Jibnop32.exe
2884	Jplfkjbd.exe
2884	Jplfkjbd.exe
2052	Kbjbge32.exe
2052	Kbjbge32.exe
2816	Khgkpl32.exe
2816	Khgkpl32.exe
2620	Koaclfgl.exe
2620	Koaclfgl.exe
2096	Kdnkdmec.exe
2096	Kdnkdmec.exe
572	Kjhcag32.exe
572	Kjhcag32.exe
1688	Kmfpmc32.exe
1688	Kmfpmc32.exe
2448	Kdphjm32.exe
2448	Kdphjm32.exe
2332	Koflgf32.exe
2332	Koflgf32.exe
940	Kpgionie.exe
940	Kpgionie.exe
764	Kfaalh32.exe
764	Kfaalh32.exe
1684	Kageia32.exe
1684	Kageia32.exe
2524	Kgcnahoo.exe
2524	Kgcnahoo.exe
3052	Kkojbf32.exe
3052	Kkojbf32.exe
3012	Libjncnc.exe
3012	Libjncnc.exe
1656	Lplbjm32.exe
1656	Lplbjm32.exe
1664	Lgfjggll.exe
1664	Lgfjggll.exe
2520	Leikbd32.exe
2520	Leikbd32.exe
1364	Lcmklh32.exe
1364	Lcmklh32.exe
2860	Lghgmg32.exe
2860	Lghgmg32.exe
2616	Lpqlemaj.exe
2616	Lpqlemaj.exe
3020	Lcohahpn.exe
3020	Lcohahpn.exe
2576	Lcadghnk.exe
2576	Lcadghnk.exe
1228	WerFault.exe
1228	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Leikbd32.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Pknbhi32.dll	Jabponba.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Leikbd32.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Oiahkhpo.dll	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jibnop32.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Pbkboega.dll	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Ibodnd32.dll	Jibnop32.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Mcohhj32.dll	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Eplpdepa.dll	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jplfkjbd.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Jabponba.exe
File opened for modification	C:\Windows\SysWOW64\Jibnop32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqlemaj.exe	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lpqlemaj.exe
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Leikbd32.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1228	1980	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljphmekn.dll"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jabponba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kpgionie.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2228	2264	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe	30
PID 2264 wrote to memory of 2228	2264	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe	30
PID 2264 wrote to memory of 2228	2264	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe	30
PID 2264 wrote to memory of 2228	2264	135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe	30
PID 2228 wrote to memory of 3060	2228	Jmfcop32.exe	31
PID 2228 wrote to memory of 3060	2228	Jmfcop32.exe	31
PID 2228 wrote to memory of 3060	2228	Jmfcop32.exe	31
PID 2228 wrote to memory of 3060	2228	Jmfcop32.exe	31
PID 3060 wrote to memory of 2708	3060	Jabponba.exe	32
PID 3060 wrote to memory of 2708	3060	Jabponba.exe	32
PID 3060 wrote to memory of 2708	3060	Jabponba.exe	32
PID 3060 wrote to memory of 2708	3060	Jabponba.exe	32
PID 2708 wrote to memory of 2764	2708	Jmipdo32.exe	33
PID 2708 wrote to memory of 2764	2708	Jmipdo32.exe	33
PID 2708 wrote to memory of 2764	2708	Jmipdo32.exe	33
PID 2708 wrote to memory of 2764	2708	Jmipdo32.exe	33
PID 2764 wrote to memory of 2600	2764	Jipaip32.exe	34
PID 2764 wrote to memory of 2600	2764	Jipaip32.exe	34
PID 2764 wrote to memory of 2600	2764	Jipaip32.exe	34
PID 2764 wrote to memory of 2600	2764	Jipaip32.exe	34
PID 2600 wrote to memory of 2360	2600	Jpjifjdg.exe	35
PID 2600 wrote to memory of 2360	2600	Jpjifjdg.exe	35
PID 2600 wrote to memory of 2360	2600	Jpjifjdg.exe	35
PID 2600 wrote to memory of 2360	2600	Jpjifjdg.exe	35
PID 2360 wrote to memory of 1844	2360	Jfcabd32.exe	36
PID 2360 wrote to memory of 1844	2360	Jfcabd32.exe	36
PID 2360 wrote to memory of 1844	2360	Jfcabd32.exe	36
PID 2360 wrote to memory of 1844	2360	Jfcabd32.exe	36
PID 1844 wrote to memory of 2884	1844	Jibnop32.exe	37
PID 1844 wrote to memory of 2884	1844	Jibnop32.exe	37
PID 1844 wrote to memory of 2884	1844	Jibnop32.exe	37
PID 1844 wrote to memory of 2884	1844	Jibnop32.exe	37
PID 2884 wrote to memory of 2052	2884	Jplfkjbd.exe	38
PID 2884 wrote to memory of 2052	2884	Jplfkjbd.exe	38
PID 2884 wrote to memory of 2052	2884	Jplfkjbd.exe	38
PID 2884 wrote to memory of 2052	2884	Jplfkjbd.exe	38
PID 2052 wrote to memory of 2816	2052	Kbjbge32.exe	39
PID 2052 wrote to memory of 2816	2052	Kbjbge32.exe	39
PID 2052 wrote to memory of 2816	2052	Kbjbge32.exe	39
PID 2052 wrote to memory of 2816	2052	Kbjbge32.exe	39
PID 2816 wrote to memory of 2620	2816	Khgkpl32.exe	40
PID 2816 wrote to memory of 2620	2816	Khgkpl32.exe	40
PID 2816 wrote to memory of 2620	2816	Khgkpl32.exe	40
PID 2816 wrote to memory of 2620	2816	Khgkpl32.exe	40
PID 2620 wrote to memory of 2096	2620	Koaclfgl.exe	41
PID 2620 wrote to memory of 2096	2620	Koaclfgl.exe	41
PID 2620 wrote to memory of 2096	2620	Koaclfgl.exe	41
PID 2620 wrote to memory of 2096	2620	Koaclfgl.exe	41
PID 2096 wrote to memory of 572	2096	Kdnkdmec.exe	42
PID 2096 wrote to memory of 572	2096	Kdnkdmec.exe	42
PID 2096 wrote to memory of 572	2096	Kdnkdmec.exe	42
PID 2096 wrote to memory of 572	2096	Kdnkdmec.exe	42
PID 572 wrote to memory of 1688	572	Kjhcag32.exe	43
PID 572 wrote to memory of 1688	572	Kjhcag32.exe	43
PID 572 wrote to memory of 1688	572	Kjhcag32.exe	43
PID 572 wrote to memory of 1688	572	Kjhcag32.exe	43
PID 1688 wrote to memory of 2448	1688	Kmfpmc32.exe	44
PID 1688 wrote to memory of 2448	1688	Kmfpmc32.exe	44
PID 1688 wrote to memory of 2448	1688	Kmfpmc32.exe	44
PID 1688 wrote to memory of 2448	1688	Kmfpmc32.exe	44
PID 2448 wrote to memory of 2332	2448	Kdphjm32.exe	45
PID 2448 wrote to memory of 2332	2448	Kdphjm32.exe	45
PID 2448 wrote to memory of 2332	2448	Kdphjm32.exe	45
PID 2448 wrote to memory of 2332	2448	Kdphjm32.exe	45

C:\Users\Admin\AppData\Local\Temp\135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe
"C:\Users\Admin\AppData\Local\Temp\135d73050d19612ce17cd4bd20d0118a4e1eb48a9a58e5a5022bf75e0f704e49.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\Jmfcop32.exe
  C:\Windows\system32\Jmfcop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\Jabponba.exe
    C:\Windows\system32\Jabponba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Jmipdo32.exe
      C:\Windows\system32\Jmipdo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 140
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebenek32.dll

Filesize
7KB

MD5
bbf80fd632df4311589f676ffbbae490

SHA1
508e89be07e8e7f6c888eedd25910446a3094d6b

SHA256
4eb73d37aaa4f5e4d92f186816f0517c399c0f2061128c2e7c401d4ba945d28a

SHA512
572c576242d5fadeccb98301ffa8a66d8322b028ac73908a237caab3cb25236a326c01aadea734850e67d2eeff5fbc982a9251bace6426ac8ff4d59e77c62ab2

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
88KB

MD5
6e76042b4428338db00870a412ccbb06

SHA1
01eb13307ae2d1e096d32e83e478b2178869912d

SHA256
381c2c78c47d1f3e5d169491734f75f88e5e3ecd999b4175c42a7ee120d886f5

SHA512
b9b107d3df91356260f468dc20ed01c741fb62968ad9e4d59ee4663a2b882b05cc7e1bcdbef169e7205b595538edb8ca73ced41998ed8188ccc2cc81ec959de5

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
88KB

MD5
c25087c27d4cc09b05916d5f456e1ef1

SHA1
bf18ec7ff9414d3522c2b3379a2a13b6a1949231

SHA256
39f7386baf141ed28b5eadaa7fc40cdad67c188c94e7107344d8b85f08adb2d2

SHA512
3460966bad7a5179f2ed3d8ce75efa50244052dafb9f38e365face8ffe6b3be9e156bbed8297a675d08997388f41d95df26fac9b041bb26621678a61b5b91a71

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
88KB

MD5
9be433df84a087aa60a4085d21c97904

SHA1
f42d21181658d28b68a8a0be31a06fb4b5246949

SHA256
4cb3188500009ab00547f125bb1562a75bcbfd336d7ef317d97500ad9d2fb79c

SHA512
c17cc6d26aa7ac7e850052b92e6c96dd61bad54f92a2ddba01dfd39b5f463c3d6a18af38f02817743c9723c1fa60ea477b1b946d101ada760127d72f5b4d97f0

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
88KB

MD5
6fb3bc97e2ced75baea7dcdb7bcd6afa

SHA1
e26979505548e726ac60249690607c290a891a8e

SHA256
9f55ff4c2d77007295dd0bd0e9dad0d7c52d04191855f9cbd153dff73789e3b3

SHA512
dc8ce09332037eac97635afac241f54591c6c3c0786502923a4b4b18bc3481f2225c929d753f62443b512b9ed8ad8d8b07b0d3048cb9bc8e97c5d34389d89afc

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
88KB

MD5
4494c8fe54e249ba74a689c2b28c65ef

SHA1
89ce48448d90e06658e722d47071f65c53a884cd

SHA256
b2c8346862c09a25c8537046bb959b772a1b190db513ea1d138d17022e01ed2a

SHA512
298244018f28f189e7407c5dee340986c320b7a0e5b9d5fd2e59c4be41eb0a60a03ad604f35c8495a017e7f172d8e8185bd68239edd6b695bbc78538c2533f25

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
88KB

MD5
17048dc465cd8344d3b9b67843df1658

SHA1
72a4606ae4052764e9e9394375e9ef9018748141

SHA256
5f44684c1c023651c99aea6307bc909ddf197b14e913d11e28da0821bada526f

SHA512
c4b1cdc0dd754071723169ae8d71e241aaa1d49bf724ab153f9c5ef79c0cdf8e29c3d9107fd86fd2e8568cda64f3a6626d4d38f85dd4c253b42f9d0f7be9b412

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
88KB

MD5
f89c863a28b55ff7679036f3d740d5b4

SHA1
65ed883ad87a1920c51c575d5b53cecc368f3d73

SHA256
ca590f9886b1e5b793c7b4b86b7aa2eb2462b27331615f625dd47f1d809075fb

SHA512
e7462d1981a44a94ae3bdefe5be3a57cb8a37cf7d3e26d5e3e25dd205639897ab6499274145a68130ee22f24ecf39c4cb03f101403991b5a14c60dcd83cf68b0

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
88KB

MD5
299c7f7b2e9f5f3ff82d7842cce7b97a

SHA1
a8220e63f9160571ff140ca4542e5f93c9931ef7

SHA256
d0185d35da8d70a2dd69325fe676b41ceaba279e143486fa96b68debaf637787

SHA512
bf9b23ab663bbd66f1ad902ecf6e912a18de78ab9ed419654ac066a0d8dc44187f744b76f1489d471e60246180da95b4bfe35e464e8a1cfd45f0739c5da59df7

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
88KB

MD5
c6688e7895f67d7305b29de5feee8b54

SHA1
8af056bf724051c5268f0426dbede0bdb8584c4c

SHA256
7e22ac39cb2d73b6791f201b39844fd6e9a07b6990e68c0dd8b2dc6e1ab5a628

SHA512
48afe4ebcf36a8a35bb15a08cd95d47def0520bd43c15c665d88cf88dd14679024249f1d71f45041684a944b166822bda9ba6744571fc9ae78f5fc2d14d929ef

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
88KB

MD5
d696bd7485d9d1fcac0a6af9a8459ba1

SHA1
40e1f1e63865bc743517f9286a9f7268f35c34b3

SHA256
510055dc2ef0662df54857fa0a9ad09da9ab86e5e8112edb86a99d7720d7b716

SHA512
1384e9636d03b1cac0245f8eacb5c247bf8e2933c236f6ea54b1c8b209209bcf005f9824dcbfa391754c0e49da4306ef72e7db9762f50dd27a95f863b09cb1c8

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
88KB

MD5
31bf7d9813c0c6fe135c9ffb8dee29ac

SHA1
320f45e58ffe871d75fd7ae69441fa52a5cc7b05

SHA256
d18b1acae0a08c63a269cabab0ad4a3f7a6c2b47b9d4c3c94e3e60ff28cc8bf6

SHA512
6b5c0de2ef23370f93aaae937da567fca66e390df9cd0d657751c5663e1a68774afc71732b3f922eea6463a35c1913de29dcaf9992c9e9c8b82c57a962b436e4

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
88KB

MD5
8fb7e5ef754aabe40021f268e91991d3

SHA1
9a9e077c45a02ba5fbb3535a261e7b7ebde124b7

SHA256
efac7898b2640ce616f8e2ce9e8811c252e15fdd7dc35ba38ef005c8fdeb8074

SHA512
b3dd3acf2ac8ac87f3c637348ea408e75922d47918308aa7230b556fa6838815a6d87533d9a2dab7f1352779eec29324439367e652c4c99d1aad46da2fdc3d8c

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
88KB

MD5
fe7a8bd1f6eeef51a12de3a446e52f1d

SHA1
e0058ea25d013277103cb0efbdc596af62b89ff2

SHA256
6aee48160cddebc8c752c122bf5ef9167bac5fdbed4d060d73af2c680548b3d9

SHA512
13e5b00c20b34e3045cea8aec37e9f577695157b783171fa6ab1bd10b15f5e12062ea979e9f838c87d8533e17580b8900a0bc444e8634cedce0d1fc5eb4a49a0

Download Submit
C:\Windows\SysWOW64\Leikbd32.exe

Filesize
88KB

MD5
5d01e9a864d6bbeafc5947d2014413cd

SHA1
40cd1a2c9c6aa1d25be92a43b23abd6fcf485eef

SHA256
95872544d62250bb8d97f3002dbe94792a3dd3822d3b62263f3be3ffc6518738

SHA512
e4b0fbb1f1eaf99f0fba6722b657ecd462074e76e85ac02c2a397961b6f8cbccd91c72e9c56c67f076d54a0b6a3f63a31f8f14fb6d013308bd3e1bf046f44cbe

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
88KB

MD5
dd978e11cd0d6d2812a2ef37965e6f59

SHA1
cc600ef6c1a2f4cbc0b609b5473c19417d2245f8

SHA256
daa6e3e333de8217e47cca602fda6aca27f2f248e93a2c0b40e31f12cadd68e8

SHA512
609c3bfc15b4e0498cb4423ea0835a5aa143cb15abde78ac4ed4c55d3296923f5c8c4283781c6c215d5584f9c511681a24cb0e85de8ec7f95ee4153afd460543

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
88KB

MD5
edabab3f22552116f6bbddb54c56c98d

SHA1
d42222738e1165a0545c73519f991efa9277a668

SHA256
4911d751e3acc09ffd30b8bd0be4640f80890485686c13289448e19773aaafb6

SHA512
1ab92c6de5814f6736bc8b59511823ba348b3d1c1ecd51128506c85ce206c8bc423e7987c8d5db92cf4c161e3484915560e8d3c69bdbd318d08d4ed65c917ad8

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
88KB

MD5
914e4bb2725d49ad846b63afe13c8062

SHA1
a669833f26284cf19f7292a8cdf1d663c84a601a

SHA256
110f08bbad79240649a6e293276b3876c83f9b19bb81ae642fb5af45dd37642b

SHA512
42da5cdbe6c4c039df8a54475ee1c564c2bcfd80ff20fdd94c5ebd5368dd13892cb79315855ed5ffd85eecfdd71ada3985effcb870126f8ca9fd497fa35aa23d

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
88KB

MD5
e81250c66386a5e224186dbefd23733d

SHA1
928e1a812340e61f0d1c917cb4870ca791e88382

SHA256
42fcb70a5b8d6a0ad9c879adc77866d67f63396141f88dee8be1d64b2069d30f

SHA512
24e456c06110e140aeae6ee2a498645686918acd9dbe3af82ab984eaee3f036c3b6672996cfede5bf04e694b9df353c01f9857d0c5085beaefc57123cc2edb25

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
88KB

MD5
a08bb9894defadfb8ccede3988233ef3

SHA1
8ab854366955adc4926f754cc9f35e78a32373b4

SHA256
f500f9c4b5ac37817aced920d254d7471a10ee5f76f6d3cbc4facc40c55d63ba

SHA512
ba9487a5e47cc5f2871592cc9e1c38e0325c4187ba0ec1c841e7016a33914a339823c6c837818729ec779002e17bddd9bebb76a0af5a130dd0ce1b51783c45fe

Download Submit
C:\Windows\SysWOW64\Lpqlemaj.exe

Filesize
88KB

MD5
b9b10f9ae361b4ee14aa8ff3b1e0a696

SHA1
1a26b1b8cb19c2a5f006f6d833231d14f1434603

SHA256
fc93661f3503016dbc4dc0b593904cb4eb3593e80a5df6bdcb2133f1c5e7d5d0

SHA512
60dcd738089dcea48f1c9db0b3e15045b7b02f7801da71f44dc4daf0cce417a68246e0da958d84980b17a53a5e4836b2c17d36699c515cce7df8f2fa46636219

Download Submit
\Windows\SysWOW64\Jfcabd32.exe

Filesize
88KB

MD5
4fbaaf1efc1487478e76b10befa78034

SHA1
db0ddecd01bab4bef3872e0f1aad7679503bbe6a

SHA256
6dd592d4718631b7f2461a00de40b6063c5310e7da7bd6d7b3debd8280fd1950

SHA512
86f6291628ac9bfd5460d45c7fb121d59173cb93f399abff0f252560b98a5d1fd87ba35535939b19ec6d948df1f7d28005bed431e57c2fabbf127b1ff49ecbab

Download Submit
\Windows\SysWOW64\Jipaip32.exe

Filesize
88KB

MD5
e20afa873b242501e6ad4fd77cff8eee

SHA1
4b6bbb3da027cbeed67fb0ce1a489d131558e677

SHA256
056665692162db0ba9af4ba92bd166718418e0abcf5780752470c8fcb668082e

SHA512
17317451b3e55e3f6de626e1a20003c948e1a29f404b37cf0721ae33abfcb9fe72eb36157a3056aa101e879470aaa08baa0c86e20c3297579068ac08479c2b8d

Download Submit
\Windows\SysWOW64\Jmipdo32.exe

Filesize
88KB

MD5
45f305a13d88290e62e206ef5e603452

SHA1
e7d9b358431cd9fbd683affca21db0bca8b299ca

SHA256
30f841c0286474651512322c9fbfc6b67bdb3b20a9fbd790bc70bf376e7ed5bc

SHA512
3afe33ed9eec9694be41dd0faf156f6d118466d141c4635f57844a85bc948e25547b77833e3a10d09905e30149f4b0f4dcc5ad1611aef93a71c059a05892bc6b

Download Submit
\Windows\SysWOW64\Jpjifjdg.exe

Filesize
88KB

MD5
bc816e9fed4a18042dbf4f6c97bd726f

SHA1
339c4a8964d05df91f4e7356fd045ab293c06342

SHA256
41b62c182131960d4b80aeef3928027b931ad6d269d4a4e7e47f0e6753076769

SHA512
f998a8fc8352f356a85289d2c62e38729eb9edbc873b27ddec32fa2966a86775243a99f9e67aa4e33dcd803482bd42aff8e756a49a58a09880911fa13b7ca283

Download Submit
\Windows\SysWOW64\Jplfkjbd.exe

Filesize
88KB

MD5
093557f9935c96597167262405c243fa

SHA1
5c871475c307518528def7530f3b1ab67ddaf030

SHA256
fbfa069088e9f265b03edfd0a771ef78dc3157d9365fef5d12714e7fc7732834

SHA512
248196ea481f5d0cb9ca649b2e68c3ea411f1e6617e7bea1abdbb58c65557b15073bbb80e7f9e3d85f70a5ce3099f5ffc7e81cb117041eaa5b23d57e4cbb020b

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
88KB

MD5
e369534a8bcb03b1cc3e1b11108659b4

SHA1
8b556bc6a006a5bbf381c31a10e710758d1cf0ce

SHA256
20804ea3c17b3dfd9302aa06d08192893e434d15d3c342432eba09dda9e24caa

SHA512
8a2f9a3f7a269a360e36f1b42f472ed14bf096fa9a13317cccb0f5c9731befad2a4dbc9f077e5c85efa80543ad0e34aeb0d4d855f8fd105bf81edfd851649b1c

Download Submit
\Windows\SysWOW64\Kdnkdmec.exe

Filesize
88KB

MD5
bb476db3ed416f5d8e76913715ec22ee

SHA1
e5e48777227730cdefa50e9fdcf0471b6d84e241

SHA256
d02ea77efba6b10670c7c3d8dde5f838e0d10af963fdbe47aa8ca3f6c341e673

SHA512
d56a420f8984626f3e07329f42c072e185b03f570169f02883c9a26c1e7c9bfd6d477deb0473cc418c933531dd87bbaca2a9146289ff65d45a68404f5f517369

Download Submit
\Windows\SysWOW64\Khgkpl32.exe

Filesize
88KB

MD5
d99e0a766585113ecb123cdb0a096de6

SHA1
503e5dc1585677d7896bac4689a346b2042dc6d8

SHA256
5171a51c50f3cf2becd8e8bea58a4f5f25f68bfef851f301ce21a7d28bf0f364

SHA512
3fdd515778f14c13efb53acee7f0c872d3632c6e1a13dfbac5fed6f784eaaa2532790a58da58f8877dae359a6eac14484c68ebc5e03e1cd319bd4670df0b1345

Download Submit
\Windows\SysWOW64\Kmfpmc32.exe

Filesize
88KB

MD5
efb4f04f9c91fcdaee63593c5c9d476c

SHA1
2c9c8bb45de19ce07b8d2877268ddde1f23a6c31

SHA256
f4a38438b49b7c446949317eebd53e080d89e179ce3936d537809113d8d14d82

SHA512
0399179a89c18cdaa701fc3255e0faf66768fd5e484884f3cefaa2938639911b0fdae3411390749838297b063bbcac8cbc605384ff2000c2d3e79d494f3ffa8c

Download Submit
\Windows\SysWOW64\Koaclfgl.exe

Filesize
88KB

MD5
4ce8279880d65d43f109f3500131a5a7

SHA1
0bcf91cacbb6573ab4a3bcb8588e956f6285a8b2

SHA256
0f6ca63b53e381fdae1654524478f7cb1c88e50bca3eecafbb45b4d7ac14bc33

SHA512
de1ab31c5e974a575e155170386846e842c8e5b346ab3c03e0e078ea50c1f6fa23a6b347ed38f1471d393bf740dcad6d0e02bca1d7985e51c7824e399d98ad97

Download Submit
\Windows\SysWOW64\Koflgf32.exe

Filesize
88KB

MD5
40d22e3acae854c6a9669cbe55b82502

SHA1
f08bdece436fe0504791fddaab0f960a07d17c5c

SHA256
7d67e9ff765f9a36e444f722b3526d8a0dd012d2ab124472331f9f3f7b295df3

SHA512
7582446cd9c7a97301b474ec4f12da24ab2c85d7406c996e06d06478faee9c6fb68e07879f3a36ab7ae35173e57db86a98dbd851a14a0af07034265d11c96151

Download Submit
memory/572-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/572-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-244-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/764-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-230-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/940-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-322-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1656-290-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1656-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-301-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1664-300-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1684-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-133-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2052-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-128-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2096-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-24-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2264-369-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2264-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2264-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-93-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2360-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-213-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2448-209-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2448-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-311-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2520-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-312-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2524-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-366-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2576-365-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2600-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-343-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2616-344-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2620-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-156-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2620-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-47-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2708-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-65-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2764-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-332-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2860-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-333-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2860-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-279-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/3020-354-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3020-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-355-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3020-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads