berbew | 746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
Size

93KB
MD5

e3d1c388d2e1e2eb416cf46822310f40
SHA1

4637b6bd6c82356cccc9219f19be5e96deee99a9
SHA256

746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082
SHA512

d49f0401f68667a2dffad49428bcda10b44aa204636c698ca3e6771645bd90ef50160238c22291837a50d44b0db9a17f1f3d001ff894b238243813dd44fa106c
SSDEEP

1536:mzMsGgLXi8e5hR/mLO89aMizWNIb4sOAZF90vyzWmYFRQaRRs3cO57OWxXPu4n63:mBchl2o1zWNIcjUFNSmYFeaE9pui6yYf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iocgfhhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikldqile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inmmbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlnmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iocgfhhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikqnlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjfkmdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjfkmdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kambcbhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikqnlh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
2500	Iocgfhhc.exe
1540	Ikjhki32.exe
2748	Inhdgdmk.exe
2796	Ikldqile.exe
2464	Iediin32.exe
2844	Inmmbc32.exe
2708	Ikqnlh32.exe
2744	Ieibdnnp.exe
2072	Jjfkmdlg.exe
2388	Jpbcek32.exe
2568	Jgjkfi32.exe
2600	Jpepkk32.exe
708	Jmipdo32.exe
1704	Jbfilffm.exe
2628	Jlnmel32.exe
1948	Jfcabd32.exe
628	Jhenjmbb.exe
2632	Kambcbhb.exe
1792	Keioca32.exe
1660	Koaclfgl.exe
1340	Kdnkdmec.exe
2028	Kjhcag32.exe
2348	Kmfpmc32.exe
1060	Kdphjm32.exe
536	Kfodfh32.exe
784	Koflgf32.exe
2312	Khnapkjg.exe
2776	Kageia32.exe
2920	Kgcnahoo.exe
2784	Lmmfnb32.exe
2864	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2272	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
2272	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
2500	Iocgfhhc.exe
2500	Iocgfhhc.exe
1540	Ikjhki32.exe
1540	Ikjhki32.exe
2748	Inhdgdmk.exe
2748	Inhdgdmk.exe
2796	Ikldqile.exe
2796	Ikldqile.exe
2464	Iediin32.exe
2464	Iediin32.exe
2844	Inmmbc32.exe
2844	Inmmbc32.exe
2708	Ikqnlh32.exe
2708	Ikqnlh32.exe
2744	Ieibdnnp.exe
2744	Ieibdnnp.exe
2072	Jjfkmdlg.exe
2072	Jjfkmdlg.exe
2388	Jpbcek32.exe
2388	Jpbcek32.exe
2568	Jgjkfi32.exe
2568	Jgjkfi32.exe
2600	Jpepkk32.exe
2600	Jpepkk32.exe
708	Jmipdo32.exe
708	Jmipdo32.exe
1704	Jbfilffm.exe
1704	Jbfilffm.exe
2628	Jlnmel32.exe
2628	Jlnmel32.exe
1948	Jfcabd32.exe
1948	Jfcabd32.exe
628	Jhenjmbb.exe
628	Jhenjmbb.exe
2632	Kambcbhb.exe
2632	Kambcbhb.exe
1792	Keioca32.exe
1792	Keioca32.exe
1660	Koaclfgl.exe
1660	Koaclfgl.exe
1340	Kdnkdmec.exe
1340	Kdnkdmec.exe
2028	Kjhcag32.exe
2028	Kjhcag32.exe
2348	Kmfpmc32.exe
2348	Kmfpmc32.exe
1060	Kdphjm32.exe
1060	Kdphjm32.exe
536	Kfodfh32.exe
536	Kfodfh32.exe
784	Koflgf32.exe
784	Koflgf32.exe
2312	Khnapkjg.exe
2312	Khnapkjg.exe
2776	Kageia32.exe
2776	Kageia32.exe
2920	Kgcnahoo.exe
2920	Kgcnahoo.exe
2784	Lmmfnb32.exe
2784	Lmmfnb32.exe
2660	WerFault.exe
2660	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pknbhi32.dll	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Iediin32.exe	Ikldqile.exe
File opened for modification	C:\Windows\SysWOW64\Iediin32.exe	Ikldqile.exe
File created	C:\Windows\SysWOW64\Faphfl32.dll	Iediin32.exe
File opened for modification	C:\Windows\SysWOW64\Jgjkfi32.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Inmmbc32.exe	Iediin32.exe
File created	C:\Windows\SysWOW64\Lpgcln32.dll	Jfcabd32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Bocndipc.dll	Inmmbc32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Jjfkmdlg.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Iocgfhhc.exe	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
File created	C:\Windows\SysWOW64\Fbbngc32.dll	Ikqnlh32.exe
File created	C:\Windows\SysWOW64\Eplpdepa.dll	Jlnmel32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jmipdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jlnmel32.exe
File created	C:\Windows\SysWOW64\Kmfpmc32.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Ikjhki32.exe	Iocgfhhc.exe
File opened for modification	C:\Windows\SysWOW64\Inmmbc32.exe	Iediin32.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jgjkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jmipdo32.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Inhdgdmk.exe	Ikjhki32.exe
File opened for modification	C:\Windows\SysWOW64\Ikqnlh32.exe	Inmmbc32.exe
File created	C:\Windows\SysWOW64\Mnpkephg.dll	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Kambcbhb.exe
File opened for modification	C:\Windows\SysWOW64\Jjfkmdlg.exe	Ieibdnnp.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Jlnmel32.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Ncbdnb32.dll	Ikjhki32.exe
File created	C:\Windows\SysWOW64\Lpmdgf32.dll	Inhdgdmk.exe
File created	C:\Windows\SysWOW64\Ikqnlh32.exe	Inmmbc32.exe
File created	C:\Windows\SysWOW64\Jgjkfi32.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Ikqnlh32.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Khnapkjg.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Inhdgdmk.exe	Ikjhki32.exe
File created	C:\Windows\SysWOW64\Jbfilffm.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Jhenjmbb.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Kambcbhb.exe	Jhenjmbb.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Ipdbellh.dll	Iocgfhhc.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Jlnmel32.exe	Jbfilffm.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Ieibdnnp.exe	Ikqnlh32.exe
File opened for modification	C:\Windows\SysWOW64\Jhenjmbb.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Khnapkjg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2864	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kambcbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikjhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iocgfhhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjfkmdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iediin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inmmbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikqnlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnmel32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbellh.dll"	Iocgfhhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kambcbhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll"	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ikqnlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll"	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iediin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll"	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ikjhki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll"	Jjfkmdlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iocgfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikjhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faphfl32.dll"	Iediin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmmfnb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2500	2272	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe	30
PID 2272 wrote to memory of 2500	2272	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe	30
PID 2272 wrote to memory of 2500	2272	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe	30
PID 2272 wrote to memory of 2500	2272	746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe	30
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 2500 wrote to memory of 1540	2500	Iocgfhhc.exe	31
PID 1540 wrote to memory of 2748	1540	Ikjhki32.exe	32
PID 1540 wrote to memory of 2748	1540	Ikjhki32.exe	32
PID 1540 wrote to memory of 2748	1540	Ikjhki32.exe	32
PID 1540 wrote to memory of 2748	1540	Ikjhki32.exe	32
PID 2748 wrote to memory of 2796	2748	Inhdgdmk.exe	33
PID 2748 wrote to memory of 2796	2748	Inhdgdmk.exe	33
PID 2748 wrote to memory of 2796	2748	Inhdgdmk.exe	33
PID 2748 wrote to memory of 2796	2748	Inhdgdmk.exe	33
PID 2796 wrote to memory of 2464	2796	Ikldqile.exe	34
PID 2796 wrote to memory of 2464	2796	Ikldqile.exe	34
PID 2796 wrote to memory of 2464	2796	Ikldqile.exe	34
PID 2796 wrote to memory of 2464	2796	Ikldqile.exe	34
PID 2464 wrote to memory of 2844	2464	Iediin32.exe	35
PID 2464 wrote to memory of 2844	2464	Iediin32.exe	35
PID 2464 wrote to memory of 2844	2464	Iediin32.exe	35
PID 2464 wrote to memory of 2844	2464	Iediin32.exe	35
PID 2844 wrote to memory of 2708	2844	Inmmbc32.exe	36
PID 2844 wrote to memory of 2708	2844	Inmmbc32.exe	36
PID 2844 wrote to memory of 2708	2844	Inmmbc32.exe	36
PID 2844 wrote to memory of 2708	2844	Inmmbc32.exe	36
PID 2708 wrote to memory of 2744	2708	Ikqnlh32.exe	37
PID 2708 wrote to memory of 2744	2708	Ikqnlh32.exe	37
PID 2708 wrote to memory of 2744	2708	Ikqnlh32.exe	37
PID 2708 wrote to memory of 2744	2708	Ikqnlh32.exe	37
PID 2744 wrote to memory of 2072	2744	Ieibdnnp.exe	38
PID 2744 wrote to memory of 2072	2744	Ieibdnnp.exe	38
PID 2744 wrote to memory of 2072	2744	Ieibdnnp.exe	38
PID 2744 wrote to memory of 2072	2744	Ieibdnnp.exe	38
PID 2072 wrote to memory of 2388	2072	Jjfkmdlg.exe	39
PID 2072 wrote to memory of 2388	2072	Jjfkmdlg.exe	39
PID 2072 wrote to memory of 2388	2072	Jjfkmdlg.exe	39
PID 2072 wrote to memory of 2388	2072	Jjfkmdlg.exe	39
PID 2388 wrote to memory of 2568	2388	Jpbcek32.exe	40
PID 2388 wrote to memory of 2568	2388	Jpbcek32.exe	40
PID 2388 wrote to memory of 2568	2388	Jpbcek32.exe	40
PID 2388 wrote to memory of 2568	2388	Jpbcek32.exe	40
PID 2568 wrote to memory of 2600	2568	Jgjkfi32.exe	41
PID 2568 wrote to memory of 2600	2568	Jgjkfi32.exe	41
PID 2568 wrote to memory of 2600	2568	Jgjkfi32.exe	41
PID 2568 wrote to memory of 2600	2568	Jgjkfi32.exe	41
PID 2600 wrote to memory of 708	2600	Jpepkk32.exe	42
PID 2600 wrote to memory of 708	2600	Jpepkk32.exe	42
PID 2600 wrote to memory of 708	2600	Jpepkk32.exe	42
PID 2600 wrote to memory of 708	2600	Jpepkk32.exe	42
PID 708 wrote to memory of 1704	708	Jmipdo32.exe	43
PID 708 wrote to memory of 1704	708	Jmipdo32.exe	43
PID 708 wrote to memory of 1704	708	Jmipdo32.exe	43
PID 708 wrote to memory of 1704	708	Jmipdo32.exe	43
PID 1704 wrote to memory of 2628	1704	Jbfilffm.exe	44
PID 1704 wrote to memory of 2628	1704	Jbfilffm.exe	44
PID 1704 wrote to memory of 2628	1704	Jbfilffm.exe	44
PID 1704 wrote to memory of 2628	1704	Jbfilffm.exe	44
PID 2628 wrote to memory of 1948	2628	Jlnmel32.exe	45
PID 2628 wrote to memory of 1948	2628	Jlnmel32.exe	45
PID 2628 wrote to memory of 1948	2628	Jlnmel32.exe	45
PID 2628 wrote to memory of 1948	2628	Jlnmel32.exe	45

C:\Users\Admin\AppData\Local\Temp\746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe
"C:\Users\Admin\AppData\Local\Temp\746b9be487ca2f87033ff6d497d70165d54061561ed32cc562aa6e5447d50082N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Iocgfhhc.exe
  C:\Windows\system32\Iocgfhhc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\Ikjhki32.exe
    C:\Windows\system32\Ikjhki32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\Inhdgdmk.exe
      C:\Windows\system32\Inhdgdmk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\Iediin32.exe
        
        C:\Windows\system32\Iediin32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Inmmbc32.exe
        
        C:\Windows\system32\Inmmbc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Ikqnlh32.exe
        
        C:\Windows\system32\Ikqnlh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Jjfkmdlg.exe
        
        C:\Windows\system32\Jjfkmdlg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Jlnmel32.exe
        
        C:\Windows\system32\Jlnmel32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Kambcbhb.exe
        
        C:\Windows\system32\Kambcbhb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 140
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iediin32.exe

Filesize
93KB

MD5
438220ce21ca8544871bb4264ae3a250

SHA1
6045f621bc4546ac0b70f03bad4a1fe7c936284d

SHA256
1538d171a8cf35418b84f1a9bf4b84e7c756ad86f9cdfde11a42530b04a6cb04

SHA512
013911ebddf814b4030eb127471ef155c640d1c929b161320c6654300df2dad20dbbc3fa3297f7bb1bee2a180f29f86783ad138c82e80fb7cd9415bcb597adb0

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
93KB

MD5
0e985f72e29910ca280ac8eb799223d9

SHA1
52271d21e4db05a054aebf2a332eb7fd5f0532af

SHA256
a3d0302c20c7a09142a4f1b459932879cf6c7ae775c6cea5dd678bdb583c23d0

SHA512
b0aff4cb08df83f9584e0181508b31abae261703bb11d389b76655fe6c4e5861959e8638bae626565fe94a28228b7de2a2ec5389f0a790791b3ddd2a59b9cccb

Download Submit
C:\Windows\SysWOW64\Jhenjmbb.exe

Filesize
93KB

MD5
c58f0c08191a94696b9645f6fd82a3a0

SHA1
1af3de21584f2ceb3bbda0847f92c6bc416b9601

SHA256
0cde0f069e2ce1b150fe733fcd0526bf57dc2d0f1508519970edf2cca330326d

SHA512
04276d550ae171cfcee44a0544c55f50e8f724030d847669bf70d57ae6a95c0bc060cc9e6d2bfabc48c108d99a8953ef07c578d503784a14ea48403694ba7a61

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
93KB

MD5
57b8fc3a246a6a73cb68d1f59243c5c6

SHA1
9d1b79bc44e4be5c5dc4e5ebf078ec800887988e

SHA256
00aa8dae558fed85904d3f5c818309fd73f65e8bcb55266e319ddde4367cc9e1

SHA512
11210e87e94cb884199042311602d36f2345d53f0e9508108f16072e29b414115e6eb44c14b06b8de98fab797e7955320e8bdb4ecf1e26cef36a4176b74a38f9

Download Submit
C:\Windows\SysWOW64\Kambcbhb.exe

Filesize
93KB

MD5
72d9fa07a9aac19859fe3da9854fb22f

SHA1
d1f4864f393cfdef7e97f0aec5e68e68acafa665

SHA256
7660bcf6616785df690cfe2979f6ed143a145f8b892fecb5f4e397ed4a3b1d09

SHA512
b2aced5cb89bdf920a68a37d37eba0eb3af2cc9a80269b2ff83fb6bb171c3c2371b80c45ead3947f69a6dae3bc9209f206a7bfd8b44a1e5bef33ddf187daf62a

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
93KB

MD5
c78bd539cc077aa61cbb91bdc31421b4

SHA1
4d3c5d5f9d4904631fcf7fed6ba522542358539e

SHA256
33acc9a576dc172066afb58e04e965ad92e7e9da53beba91857d2fd4990a112b

SHA512
0dc4ef0fc84fa498e43d26edd973a8fd88a42e80e445d8f1fec421f56b33fb3c0a4e417337bc4ee1af109a0697c2cbe915594ef2489dd679b5058e2e56a4f9d3

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
93KB

MD5
60ca78e6f55b276752b80aaceb938ec7

SHA1
c6588df767658e0d8d5bf7384fd6cde70e950f38

SHA256
63f015d58e2ecf340afee9dc719e36e2bae1d2fe7c0a11ddf7ecf9870d02f512

SHA512
9bc63bfe19598528b72e796bb39844def2e6fc8c1a5b42c61493088884d2f04983321e97dfe780d7d20030ed2fa907ca4996ef5b8795576c2fe38d6f78798041

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
93KB

MD5
88fe71420effe4c7756b477c52fd0f17

SHA1
ec40ed9b2b08b7d2bfbe19d94473e68f7036361e

SHA256
14903a75219effce7d661c89c9441c08feb6a6e0abb4213cc31d00f621965934

SHA512
1930cfbde74ff17a32416485a643c0c4c50477257f2e2b87d84610107e0d1f17a29b5c5df8fc6af3dcf5a59336627de6397300f571114724ea453205a91f5034

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
93KB

MD5
08e9c5ecf31f0031d476b5e728a3e9a3

SHA1
7b65ccd73a742d0ae65fb9858e71b3b1029533cc

SHA256
12637ed01e80af0c9b11e6d0bdba54a4b76426b9a0c00f9ad203a00def4174b2

SHA512
acd4da47bb69c1698801cb9d53f25ecc7ccb069a7499caed3743ed5857434dd00371f9334c41273a68a2684b1caac6cc6cd9641592a13b128ac5e55c87d86a29

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
93KB

MD5
de10787c0be42ac53c8e68931107e18d

SHA1
93ed155a5ab0fe8098866cf16ef7698b3aba030f

SHA256
43b0ec3872b6fa5c9cdd7e0b0f25afa839b8266a3135b7b293d946d7c0f0048a

SHA512
21b5b28a8093f85db8514dbe694fa5a9a9823fba78a533b3f69423b9e7243c9696a57b4d10ac02f395905649c4cac46450dba18ffcd5dd38d43a2290ebcdec14

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
93KB

MD5
cc1fd813fa1be060b30eea0be273fa7c

SHA1
9326a71e431abb327d80a1c69908bd9ca4df33f7

SHA256
0b30af493819275e4786e2bced1f996e7cbde0e122b47f9745dd88ba1d5c9b6c

SHA512
06cd1a474ba3267c2b3e92469d81358232ce4f25701bb968ff20a55c11452dcb767c9ba22870619e6f216f809f5e8c72ec9443a01710fd39786b1b989d6d5160

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
93KB

MD5
d2e9055b34a041a5f64d82b6f8c1eb1b

SHA1
dc88af661f1830fddf4c0f5cd2f528b0ed3066e8

SHA256
3043f022cca2a47a583ca680eeee646f199bf53f6aa02cfb063d4d295d70b416

SHA512
0748023eb9981219e531c7ba7831418eb3de96e3e16e83fbb76860bf90bb56c6cf36e032c37476efc51c579d364669c238fbe49b56862078085d8ff225f9f10d

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
93KB

MD5
b8efc40299df65cf23d5d6d2036a97cf

SHA1
b6d874e49b88c09f4ea8e3dd60656a9c3caccfb5

SHA256
67976e714aa049b79d533f626c619a2f1e971ac396e14498b4163fc70645dc5e

SHA512
56148dfca619b30ff11279b4d0cc85916371e02d235e19421a5b4f10c0b4b3e5248f74768af900f2c265a844749c77490d5744396c081c71999183a51dbc06c7

Download Submit
C:\Windows\SysWOW64\Koaclfgl.exe

Filesize
93KB

MD5
57686f6e5021b948cbfb3c678f73f66d

SHA1
d91fdc0f42fb3e1d05c3677f30dbec5d88a3ef40

SHA256
ca487537a84ce5e0b32abf711fc4cb1d793d4a89c1a0fd2ff16a22cb276161e7

SHA512
92caa5554df9dcfe1dd497b54b8a4fbdefffad58891da721ecee2cf321bb58944d45d334ee4b441f4a39c857d1b7126e563d18918edcd0013e017f9dd13d8417

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
93KB

MD5
0d073e69b8f0bc15e9812c4bdb0423ee

SHA1
966895f00c8a247d5f6cb3bb705de00fd2fb4727

SHA256
6e0ad2046054db6379470edf43b75f58053119da52229669ac08e940cc886a8e

SHA512
8d4bbb45dd046023436f46245ec6245e070b91b56fa964d2eda21b4ffaf987ac4bb38d458e153885d9fba1f9b3fb2ab8ce2ed706900964401c021e8349d532f9

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
93KB

MD5
eaf5937d6be920f1efd91d7e6f1b26e1

SHA1
37cf7d57050e305b91d4b9a2a24285ccce85f7e1

SHA256
d62a6b097084a7901527bfaef3d6f21159b8e9ced2d7cbcfd65de3331f038483

SHA512
0ea446658cd9072dd9da8341ce05c94ca66308b8d0350cae128f53c6f9371a0a9d2aefee62ac7c6577eec6dec030b59fdd539a71b9e442c550de32af0fe2569e

Download Submit
C:\Windows\SysWOW64\Ldeiojhn.dll

Filesize
7KB

MD5
f457e6ba6c759b2d038b8b0480604a68

SHA1
ae1f3eb9cd6a89a9c073052900de17c3fc9c6347

SHA256
1a4e3e0e56088b5bf0042d11e174d042b14762bbf05900cbdf7d35362bd5d554

SHA512
07327e0dee796e23665aac0af08f5e143534fcde617bd4c13bfdae4d8c4dfaf4259aa6b01c5642aa835f37c768e10eee9c55a950b2b8c68d939f22ae71407472

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
93KB

MD5
512f9361009b074301fc83b69cbc4fd7

SHA1
3c057233ef35e7e4f84150588a796f5d390772cd

SHA256
81ab158075eccc77624c221a97ed603737559b07f80f8dc83b1579db631ef922

SHA512
2ecd9e669beb03e8848b7eb0e428e69645cf96eb0eaf29ddd50acfb700312e7f73eca79e56371f5a2c3512daa798bc06396e739afcf15be84af7fb0028cb3b6e

Download Submit
\Windows\SysWOW64\Ieibdnnp.exe

Filesize
93KB

MD5
c13edec57cfedbdd6012352801d56a79

SHA1
4ad3b88c77b5d9ea54716d3eba5f63d18f294fef

SHA256
13e1bdde7fef70a03029bbafc9c8c03137a0bd73808d0f2c44d6b146f418e1ac

SHA512
b5f92a0f1145db9d8a5e7155b9a89835131e4e37aa497b0282fc2b1e2d8fc711aff8ebd3c9a3c3dc91d527e3717269ba3224a062ec99b08b0c5d61bf69d0bbfe

Download Submit
\Windows\SysWOW64\Ikjhki32.exe

Filesize
93KB

MD5
1b14374dc8a84c8298356bf993f7a48a

SHA1
dca2392e585bff38a1602cd0062a98c8ac92b387

SHA256
ca00c97d8460f01bdb50886f033f8efbfd659083288ea4c15873d5cae01ca230

SHA512
c6632909d15eb771eb163017de349367933c760a3fa440e1437103aad38606b90792e7b26470b64181e93d16ea38dc4cbe53363997261b2030a5be580cc5a6c3

Download Submit
\Windows\SysWOW64\Ikldqile.exe

Filesize
93KB

MD5
5a6a44e270f7b09d009b918e360bc96d

SHA1
656e90bbe563c33169ab55369ad6835cceb26f14

SHA256
5ff2c24013580793d2ed4bedef9c1f3708573fb56ac6f3bcd9e508aa28242c14

SHA512
0537ecb8f1af8bb176e8b88c7f5216e5ee32f7f5bebea9bee1328c4d3d18c42f16120d66f224240e9596ed69726e62f9c5a014b30760c2f368684c094a0ff61b

Download Submit
\Windows\SysWOW64\Ikqnlh32.exe

Filesize
93KB

MD5
b90ca50422ba8a993eacad5b2d389f53

SHA1
8fc6984690034ce7a4c02c447d8829c6c256b061

SHA256
03e37572a42ea0b3a8ac457e0437c9eb6604179495e8aedeeaa0f656f3c29698

SHA512
c47583e462233a105070828278e56c4be9b6871980f0974375b0309c3ebe62b77c05736d17bd51f7ccc3edf66a3b9b805429265e5260afacef054ee23e8bc51b

Download Submit
\Windows\SysWOW64\Inhdgdmk.exe

Filesize
93KB

MD5
9a490f24c3458a3389beae0ae5ff70ba

SHA1
bbac5dd210871c14b58f95c5b222dc01e6c183f1

SHA256
ea6da0c10a10ea140cbc117f160cd5cecaf053c21c066c98e1673b72699dcfee

SHA512
898c3acf9a61e8b2826c29d70ad197b2f6e54a79ef74159f9e1f27ca3e5a3cbc2830070c150f15cc2cf3a56033f043d121e505b786f6c2c305ac1ba8982aaa23

Download Submit
\Windows\SysWOW64\Inmmbc32.exe

Filesize
93KB

MD5
667d2253e6e56093fb6c34f02277d562

SHA1
f68054a858f966a6924b355ecf58ae5cebcaed0c

SHA256
4aa231bcfc4966e15b13b341777989d9ee6b15b7931c0d21fbb2a099b82517ad

SHA512
f21359005013461cd0b2893071b2530531c583fb473d1ca36ed0f320997a528884a030b7e3e214f16249b8bfedff95899121c24355a343e458f077337c7fa3a7

Download Submit
\Windows\SysWOW64\Iocgfhhc.exe

Filesize
93KB

MD5
2e33bda5df700d0bf1960f3c76864cbe

SHA1
8b155a3d5e825ce2faa25f0a484c782b7f987956

SHA256
9f187df2c324e47b11e897e0ffda0480d1a48e3146712e06976c7a4797bca19e

SHA512
f880d308d60d01f9c426011276bae9d66b5b14845440191767ef8ac9a28429ce959e173ab7ead068aa1c7d413b0e5b7619608cc47652bcd8be8082bfe930ad76

Download Submit
\Windows\SysWOW64\Jbfilffm.exe

Filesize
93KB

MD5
e8438d69d4a7f5809fd815edc0d7ea25

SHA1
6cc8caec22648a7e8a9b775472f11e592e770bb7

SHA256
bebc7c8af2a8c21b13deccb6e2e4b212255109e2ccb8f4008756072e37ff272c

SHA512
75ac755ed04d452698e4313e2a4795e11727ec28bba25d6cb1b282a91f7203743795a2f4a10a1935dcea108848dd2002c22841d27e481c59d5fcb5df74ce0abb

Download Submit
\Windows\SysWOW64\Jfcabd32.exe

Filesize
93KB

MD5
7e7074660a4544f2f1cb7c937c74b18e

SHA1
940b2c5922f5e87f98e6db7755775739df550000

SHA256
39c2f5443705fe5f462b489b35ecf394465340305a3fdc6e281a7dccf0ef74d3

SHA512
09997f0170ed2197be81713122b19cd10e7c45b033be25509ab96de6ca58b2922912232783ffca3ed75cc16cab68e494e3015ba1404f573148163abbb589116f

Download Submit
\Windows\SysWOW64\Jjfkmdlg.exe

Filesize
93KB

MD5
feb3146c941a6c71d95ecb8144446617

SHA1
7646654fcb88a5ee1ef8b239e4d2b6428a8a5f2b

SHA256
e9a2f7688c1f15096dd4dfec41ecf660d1e38f643e9e429dea67f85971f89c2d

SHA512
4f27065f23cbf04a4acfb4ae6a4991f5674e3787ce88bfda65d180088378864a33c21e4c320a5090b0aa6ae290be70abf20aefae1a933f367e0b5bb131c1c2c5

Download Submit
\Windows\SysWOW64\Jlnmel32.exe

Filesize
93KB

MD5
9df89aaac9a05dc519c9ce1d363e65da

SHA1
551afe4776605b7fe39440f59feca31bdc085977

SHA256
c6ebf3f20321a7b92a84964d287dd22add8e5ce8e6a3bf918bb0af81b7f9a43e

SHA512
c49c1d922e586f2b3f3db8895127efd263cff56d95612edfb7ef6da8d1a0e911138c07205168f3704495b1412bbbddc422624f288f0cb5d6cc04d82ed224b169

Download Submit
\Windows\SysWOW64\Jmipdo32.exe

Filesize
93KB

MD5
073adbd7d79cb2947d8a941886ebf3e6

SHA1
e33fde0937bfbe223657f68587188372a2f1ae68

SHA256
1313d6fec4d9369a2c43f60d6b97e1f37e5b8a424040f6b2ef4ed79cf622fde7

SHA512
10a3ac0a615f94f890663e551006c495a24117830dd8d2916fb7fafa45eed2f82cd6fc9bf48d618d40e9faf7d0135a13a5a6744313af38f5ff2b8f3e96f5c523

Download Submit
\Windows\SysWOW64\Jpbcek32.exe

Filesize
93KB

MD5
98371668275268af4b235b7fa46674d1

SHA1
e625dd0637f3bc065c29641e77ae72ef4724e11f

SHA256
656f34660e72dc82ad3f0cd580614bdfaefae7995df3a4ec39799ffc3cb94baf

SHA512
195d9a1749589a1218af1a04fba918e6f7fec95f7f72f86f48e2d7cf06cbf9673ff5879d1b76cba1e688d7e49b5a84dfae4fe5ddfaba1d198c1e5b4948977c00

Download Submit
\Windows\SysWOW64\Jpepkk32.exe

Filesize
93KB

MD5
542ba46ecc4dcf7117a365dc845810a3

SHA1
de41bfec643d7b0daea6ecf5cf35e2a428632d51

SHA256
84dfc9c520fa9a56c49c09625a756dfbf7e380b0d67304336d029904e2ea2ddf

SHA512
bc7ea553c93a262207556e6030615f05a4f0e67042cb4dfd5cb04c998010e737464edc0efb8fbcc8dbaf90e73fb3c651ae122379aecef2db05b2d85d55b5abde

Download Submit
memory/536-312-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/536-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-313-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/628-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-237-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/708-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-188-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/708-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-324-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/784-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-323-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/784-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-274-0x0000000001F90000-0x0000000001FC4000-memory.dmp

Filesize
208KB

Download
memory/1540-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-203-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1704-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-253-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1792-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-135-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2072-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2272-372-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2272-371-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2272-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2272-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-331-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2312-335-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2348-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-293-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2348-292-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2348-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-81-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2464-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-28-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2500-27-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2500-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-162-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2568-161-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2568-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-104-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2708-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-52-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2776-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-345-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2776-346-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2784-368-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2784-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-367-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2796-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-353-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2920-360-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2920-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads