berbew | 8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
Size

608KB
MD5

06f37dec5f44acb1c17fe1fdbafdce98
SHA1

12eb3e1286a2b904ac28a91b97678b1990dc6869
SHA256

8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072
SHA512

7a8b7ae00d61f8bd925c054f1fb166536e45f2359f0434c95d039d2565ceaa22cb4f0b43b32e510d2bd3c2b02b2096ed9336e7da746e9f6d37c6360073b6abc5
SSDEEP

12288:i63t3cjkY660fIaDZkY660f8jTK/XhdAwlt01A:i63BcjgsaDZgQjGkwlp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
2376	Jgjkfi32.exe
2776	Jikhnaao.exe
2724	Jpepkk32.exe
2720	Jcqlkjae.exe
2596	Jfohgepi.exe
1776	Jmipdo32.exe
2440	Jcciqi32.exe
2116	Jfaeme32.exe
1260	Jmkmjoec.exe
2816	Jpjifjdg.exe
2476	Jfcabd32.exe
2096	Jhenjmbb.exe
572	Jnofgg32.exe
2084	Keioca32.exe
340	Khgkpl32.exe
2356	Koaclfgl.exe
2368	Kekkiq32.exe
288	Khjgel32.exe
1236	Kocpbfei.exe
1584	Kenhopmf.exe
2104	Kfodfh32.exe
2252	Koflgf32.exe
2492	Kadica32.exe
2120	Kpgionie.exe
2688	Kmkihbho.exe
2864	Kageia32.exe
2580	Kdeaelok.exe
1516	Kbhbai32.exe
2444	Kkojbf32.exe
904	Libjncnc.exe
804	Lmmfnb32.exe
1548	Lplbjm32.exe
2328	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2188	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
2188	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
2376	Jgjkfi32.exe
2376	Jgjkfi32.exe
2776	Jikhnaao.exe
2776	Jikhnaao.exe
2724	Jpepkk32.exe
2724	Jpepkk32.exe
2720	Jcqlkjae.exe
2720	Jcqlkjae.exe
2596	Jfohgepi.exe
2596	Jfohgepi.exe
1776	Jmipdo32.exe
1776	Jmipdo32.exe
2440	Jcciqi32.exe
2440	Jcciqi32.exe
2116	Jfaeme32.exe
2116	Jfaeme32.exe
1260	Jmkmjoec.exe
1260	Jmkmjoec.exe
2816	Jpjifjdg.exe
2816	Jpjifjdg.exe
2476	Jfcabd32.exe
2476	Jfcabd32.exe
2096	Jhenjmbb.exe
2096	Jhenjmbb.exe
572	Jnofgg32.exe
572	Jnofgg32.exe
2084	Keioca32.exe
2084	Keioca32.exe
340	Khgkpl32.exe
340	Khgkpl32.exe
2356	Koaclfgl.exe
2356	Koaclfgl.exe
2368	Kekkiq32.exe
2368	Kekkiq32.exe
288	Khjgel32.exe
288	Khjgel32.exe
1236	Kocpbfei.exe
1236	Kocpbfei.exe
1584	Kenhopmf.exe
1584	Kenhopmf.exe
2104	Kfodfh32.exe
2104	Kfodfh32.exe
2252	Koflgf32.exe
2252	Koflgf32.exe
2492	Kadica32.exe
2492	Kadica32.exe
2120	Kpgionie.exe
2120	Kpgionie.exe
2688	Kmkihbho.exe
2688	Kmkihbho.exe
2864	Kageia32.exe
2864	Kageia32.exe
2580	Kdeaelok.exe
2580	Kdeaelok.exe
1516	Kbhbai32.exe
1516	Kbhbai32.exe
2444	Kkojbf32.exe
2444	Kkojbf32.exe
904	Libjncnc.exe
904	Libjncnc.exe
804	Lmmfnb32.exe
804	Lmmfnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Jfaeme32.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Pknbhi32.dll	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Jikhnaao.exe	Jgjkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Dgcgbb32.dll	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Jpbpbbdb.dll	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Jgjkfi32.exe	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Aaqbpk32.dll	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Hapbpm32.dll	Jfaeme32.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Qmeedp32.dll	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Jcciqi32.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Lpgcln32.dll	Jfcabd32.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Jcciqi32.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Jfaeme32.exe	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jmkmjoec.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Jhenjmbb.exe	Jfcabd32.exe
File opened for modification	C:\Windows\SysWOW64\Jhenjmbb.exe	Jfcabd32.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Keioca32.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Jfohgepi.exe	Jcqlkjae.exe

Program crash 1 IoCs

pid	pid_target	Process
2012	2328	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmkmjoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jmkmjoec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll"	Jikhnaao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2376	2188	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe	30
PID 2188 wrote to memory of 2376	2188	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe	30
PID 2188 wrote to memory of 2376	2188	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe	30
PID 2188 wrote to memory of 2376	2188	8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe	30
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2376 wrote to memory of 2776	2376	Jgjkfi32.exe	31
PID 2776 wrote to memory of 2724	2776	Jikhnaao.exe	32
PID 2776 wrote to memory of 2724	2776	Jikhnaao.exe	32
PID 2776 wrote to memory of 2724	2776	Jikhnaao.exe	32
PID 2776 wrote to memory of 2724	2776	Jikhnaao.exe	32
PID 2724 wrote to memory of 2720	2724	Jpepkk32.exe	33
PID 2724 wrote to memory of 2720	2724	Jpepkk32.exe	33
PID 2724 wrote to memory of 2720	2724	Jpepkk32.exe	33
PID 2724 wrote to memory of 2720	2724	Jpepkk32.exe	33
PID 2720 wrote to memory of 2596	2720	Jcqlkjae.exe	34
PID 2720 wrote to memory of 2596	2720	Jcqlkjae.exe	34
PID 2720 wrote to memory of 2596	2720	Jcqlkjae.exe	34
PID 2720 wrote to memory of 2596	2720	Jcqlkjae.exe	34
PID 2596 wrote to memory of 1776	2596	Jfohgepi.exe	35
PID 2596 wrote to memory of 1776	2596	Jfohgepi.exe	35
PID 2596 wrote to memory of 1776	2596	Jfohgepi.exe	35
PID 2596 wrote to memory of 1776	2596	Jfohgepi.exe	35
PID 1776 wrote to memory of 2440	1776	Jmipdo32.exe	36
PID 1776 wrote to memory of 2440	1776	Jmipdo32.exe	36
PID 1776 wrote to memory of 2440	1776	Jmipdo32.exe	36
PID 1776 wrote to memory of 2440	1776	Jmipdo32.exe	36
PID 2440 wrote to memory of 2116	2440	Jcciqi32.exe	37
PID 2440 wrote to memory of 2116	2440	Jcciqi32.exe	37
PID 2440 wrote to memory of 2116	2440	Jcciqi32.exe	37
PID 2440 wrote to memory of 2116	2440	Jcciqi32.exe	37
PID 2116 wrote to memory of 1260	2116	Jfaeme32.exe	38
PID 2116 wrote to memory of 1260	2116	Jfaeme32.exe	38
PID 2116 wrote to memory of 1260	2116	Jfaeme32.exe	38
PID 2116 wrote to memory of 1260	2116	Jfaeme32.exe	38
PID 1260 wrote to memory of 2816	1260	Jmkmjoec.exe	39
PID 1260 wrote to memory of 2816	1260	Jmkmjoec.exe	39
PID 1260 wrote to memory of 2816	1260	Jmkmjoec.exe	39
PID 1260 wrote to memory of 2816	1260	Jmkmjoec.exe	39
PID 2816 wrote to memory of 2476	2816	Jpjifjdg.exe	40
PID 2816 wrote to memory of 2476	2816	Jpjifjdg.exe	40
PID 2816 wrote to memory of 2476	2816	Jpjifjdg.exe	40
PID 2816 wrote to memory of 2476	2816	Jpjifjdg.exe	40
PID 2476 wrote to memory of 2096	2476	Jfcabd32.exe	41
PID 2476 wrote to memory of 2096	2476	Jfcabd32.exe	41
PID 2476 wrote to memory of 2096	2476	Jfcabd32.exe	41
PID 2476 wrote to memory of 2096	2476	Jfcabd32.exe	41
PID 2096 wrote to memory of 572	2096	Jhenjmbb.exe	42
PID 2096 wrote to memory of 572	2096	Jhenjmbb.exe	42
PID 2096 wrote to memory of 572	2096	Jhenjmbb.exe	42
PID 2096 wrote to memory of 572	2096	Jhenjmbb.exe	42
PID 572 wrote to memory of 2084	572	Jnofgg32.exe	43
PID 572 wrote to memory of 2084	572	Jnofgg32.exe	43
PID 572 wrote to memory of 2084	572	Jnofgg32.exe	43
PID 572 wrote to memory of 2084	572	Jnofgg32.exe	43
PID 2084 wrote to memory of 340	2084	Keioca32.exe	44
PID 2084 wrote to memory of 340	2084	Keioca32.exe	44
PID 2084 wrote to memory of 340	2084	Keioca32.exe	44
PID 2084 wrote to memory of 340	2084	Keioca32.exe	44
PID 340 wrote to memory of 2356	340	Khgkpl32.exe	45
PID 340 wrote to memory of 2356	340	Khgkpl32.exe	45
PID 340 wrote to memory of 2356	340	Khgkpl32.exe	45
PID 340 wrote to memory of 2356	340	Khgkpl32.exe	45

C:\Users\Admin\AppData\Local\Temp\8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe
"C:\Users\Admin\AppData\Local\Temp\8dd0662bb975ba28855664a87d2ed97baaa7742349a76a40b3cf11bfb6d3c072.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Jgjkfi32.exe
  C:\Windows\system32\Jgjkfi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\Jikhnaao.exe
    C:\Windows\system32\Jikhnaao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Jpepkk32.exe
      C:\Windows\system32\Jpepkk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Jmkmjoec.exe
        
        C:\Windows\system32\Jmkmjoec.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 140
        35⤵
        Program crash
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jcciqi32.exe

Filesize
608KB

MD5
9a5d403a1c645a49231cd0eaa2421641

SHA1
e6fc54dbd8d81ee990eb227c7e32b239378cf0a9

SHA256
36204c567562f1e31e1c8d2f0be4e556f5fb64a4d76e0e641d22bcc3e7e3dc4d

SHA512
36f078e0de5bd2ba745e97c926edd15d5aee9f89bddce1583f9185c49389495fca8708308b5586983c2a0c2846383b46d765c6e7154d183267a499bf6d43c4b8

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
608KB

MD5
a1e2ba838effa0af2452d51e891837a3

SHA1
acd017f17b444aa3fec8f1c70dbc10417920f80f

SHA256
7ceb2e32910db3ee938f8eeb638fb866d6149a9c5f80d525dc649ba31981b716

SHA512
8e8b8f2d40624829282559682563ba5ea5bcf8adf811fdf97482d941193919317e7a7359907252f5563f4df290ba551fb28b872df065b72ab18d5093492f7fd9

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
608KB

MD5
acca48fa1e20556f78290185d9d24209

SHA1
1626012179c493f38a078632b0c6a694a33a7ecd

SHA256
d824d9b08965ad0a468665fdb33a9065e4c3975c20ebda9fee57facd1b23f000

SHA512
9b31cadf312cccbf9fd90750448b6d3185c2c077ff1cffe87ec571fbcf56ad8042ec6bde2880c92df6165f1ff940f2a7a48b1e36672d401dd3920e8e9ba6f648

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
608KB

MD5
425b264198e2694e2817822f7bd3b9d2

SHA1
df3678cb6c26f8088ba3ca8c337218b0a6928796

SHA256
9bbace35995ffddeaac95c54c233879fb4b87e37161b90c60e4084e08a072e50

SHA512
043b48164d8da0a87451688c4df3d27976a57be82c64c0042722b6b619688a9c5f3e3cee0118bc3621df844a63784e12124930a03df66d015b044fb802f129db

Download Submit
C:\Windows\SysWOW64\Jhenjmbb.exe

Filesize
608KB

MD5
664c8d2be7fd44d32e7e36fb329e13a7

SHA1
b8d567ec07a2eae278be0f3f976f2a4e312b5132

SHA256
41fa38a800b4d3513914e6ea525b1f6f43de8201dd185370134d65fafa4f3fe0

SHA512
e748879a3a8fd763132bfbde6205e9fef666516b573cc128f0368053780fba7b064e23e3d77fa8d785dc10a6d41207f4f5dd79bed7c3d14ab0b165d3f51a3ae6

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
608KB

MD5
f1493dc6bdf8c39a6fa034c6af97c3b6

SHA1
cfd1ad71d0ac6b7603506ac3d009793d10751296

SHA256
47459645ba5c36c393ecba673182b2e7467f363f49df71e3aff5b3b77140a0b9

SHA512
bd96bed50234d1c21817501fc3566dc4e438a5811c713b486d7a4681ffecdf366b20aed464d6578cacc0f5bbf5e28f4e28253d3a6d6e901e165d2ea89cd81ec7

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
608KB

MD5
0b663cb74316b197b0274d66f8a5f0db

SHA1
a86ca7cb322ea7410e3690745639c48981967689

SHA256
22c7b28ad0ae1039232f7e5ca50153d75e1f5902236ce3619684eb4f70451cb1

SHA512
69935e0787c5f330e0cf6ba53444599d5d756a5f7b5c6b315f5d83add48f36714d8cbc4da1b3426b6ee30e4f3ba25ef42ab7223ba337301981773359c02e4466

Download Submit
C:\Windows\SysWOW64\Jmkmjoec.exe

Filesize
608KB

MD5
8a948902e762c2a8703feb51d118748d

SHA1
824cd073fd32767f1c1a8ab635fd8167ccc4b49a

SHA256
a38c3df6fb143121a555e60c257d9a6306f91b205355c68ec7056481efa7f40c

SHA512
7af48f3c317fd338132e50293c673a48327a47b3c8852c297863485bfb20f577a70e41c816d189435a1db63b4089347cd42bf5f9d9ba776a5fdefacb9be739aa

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
608KB

MD5
1ba315098cbc4c97d835f8a68d857e49

SHA1
5ce6191e291878543a043b49f12c39b2c4863423

SHA256
47a4612d1a60cd43022870475f5b5d3f388d817d0b3bfad31c4010df2d1aa870

SHA512
f16b1575406f4d69a47418e92655765d5c0a405fa1015c5bc1ce15a0449582792d0fa6628ebd1f990d70ab540a42e64486a84b48e9e47a88d7b3591e674027bf

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
608KB

MD5
2d1afed1eaed60754cc81ab9d310b5cc

SHA1
aea14c46c3f76b1e298953d5b30969c3df3d364d

SHA256
3cb7ebc48b1df6519d92800fc05f122d53cbbca77a9106e09961060131b2dc6a

SHA512
0d198e04f8f463828c8f877323e40170f788ca57226e98eb6195df6d0c8d2241d480ef35ef6ef2523a9fe69ae7a5321dbb0569894fae97ed30d6b529e269eae2

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
608KB

MD5
863d469700231ef04282fea94809ffaa

SHA1
3bdb1ac90ad827b6df359225f77ed5ebe2f56642

SHA256
8d251ef77066d6c430e2ebdf8462957d21bdae9c67c1e974d385fb20d71bd1b2

SHA512
2aedc5583cf2ca715627061c1db89c7061d656fb2674699114ae7c2b5a311720bfebc14326c3842354950562046c6a2d751a7ba408fdad5843845ea93a6c1cfb

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
608KB

MD5
46b0a6081894e7b147a444ed3d6f37e8

SHA1
30334df494aeb2a5d2381ae17ae643d07f663b09

SHA256
01d1169c07f815667e201f0a8a789e04376d75cc1237e98b924b9e566dfeb925

SHA512
ca0d06826a0c5d0f32eed53837c0a40535ffb949d929af1bbe0d16653625b1195880bc5c0698702959bcf0485b6aa958726ec64865917478bdab4cdd66b0a95c

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
608KB

MD5
cd98c10b6f6b13452d7d294ff49755f9

SHA1
18d06188a577d3e4ff7f0a943d64ce9fe6f5b44b

SHA256
2c5389e8383416a8ba69b539bbb683ca2df212a036819572c51b3258da401ea8

SHA512
937e9502ad00717a5360eff51fed98d90904a9bf3b36d41a7717139e21771dcd838ee250ae0476fbde843aee4bb9a81e835130f0527fc99831dc1ed9f77fd7aa

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
608KB

MD5
36f251666c4702c88c843f34447797cb

SHA1
19ec06b8ed8a6d3b2200dd0bc7b46e6f69fdc864

SHA256
142665af676d0ee25c6481a085d031fc4abe6c8385ad3b818a9591b3a6d30b23

SHA512
853c6b3ffe8383ae2439bf401494d2b9257d792fd3357505115dd83f8af7ea07bd2d3e54175a17074b224e94ff45ac37bacf572d571c2568635ff7ff1f43c8a0

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
608KB

MD5
c933b14120ab4f92bc3102381021d7f6

SHA1
f0b9e678013ae0db4b02cd757bc2bfdead2ec2f9

SHA256
b779f0eda14d980570ef89730b9b25eef0fea09707bbe3a67a5079b639041981

SHA512
bef9c773baff24c1b074d7f3da7f137dd0025445c0971030f01f13c42002404fdf246c033a1733235bd35250ca5099e0df6fc73e906c37367bda6c146203a813

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
608KB

MD5
57dc59c06b48f35757de0464b3ab2125

SHA1
73bd550644f5661df06fb67083a03e7859649b06

SHA256
feb9815db3ebc6a7c18cdecd58e183497e576c5cc0e1030ec7a97b749a3d0863

SHA512
29599207eef546d17f3ff060b1b5f3a7624172b24b8ac8069b58d21604f8b729d8d449f844f9d4ad82df76ccaf6a409c1ade73df8d05b5cd01c014cc46a36734

Download Submit
C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
608KB

MD5
3fd1264ba0fc8517b127e936641ee0f0

SHA1
5f1531cfbb87fcd4a80816973d7fe913e326cd27

SHA256
a35827e4eafcd13e24a3528fa4d46a96ffc860bce099bc31af99c89afa852083

SHA512
5e1573e4dbbc149c088d62d5598b0b6b5bc1e19c7406a6addbc34a12e050f389a07c11e3225e26013bc210f74452ca4f5c236bdc97ff98d4730189a2b761938b

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
608KB

MD5
458cebb203f76dd47a3fb7efb6cd5384

SHA1
949c7386efe4eef50abeeb54b07ed68ff29a3cbb

SHA256
9e7927b62075a28c3f7a5931b15322aab86dfa347448a4fe038847fc8d92bb3e

SHA512
7bf65ba127f20b296aad332f949f7f7d739d41cfa406bf4ef03d7e4d00b510953ee54937e55b2f036757106d7415dea7ec478d311f71952a2cd0946c7238093c

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
608KB

MD5
67379e6b5444f9252136e8b3b3f1727e

SHA1
9ff4cbe199bae61c7988b88f67b50f0dbc413a4c

SHA256
540bba80b8631d31fa42ae6b1c44e6bb72fb2900dea391d47e4b31f77b6e1463

SHA512
8c29a0f9088bab2ef6461dd775f3398a5d4f756c3007c36924c20f86ccbd6d16534d46898b22fd729f9c4a522e93e863b2c79bef41ac0ae4cbdfd063b3712840

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
608KB

MD5
15ff8f6470458bd7898f66a0f91b552c

SHA1
82eac723d1dbfedb3f8dcc07742876b2c27621e9

SHA256
4aa103119221788816f6da8f9355fc554ccf5c8350b400377e1462836facf74f

SHA512
48e3f26fa375298c9998a1183f780b2feb81a29675a67943d4140060d34291a26ff26edc8d4a6218407e5bbdd53fb5014d25d41a716d3b7a5c4a3a425a2cf0f1

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
608KB

MD5
df6919c2917555915e89321ce4349111

SHA1
bba107f3899adc40bb235fa360e6fa9930e8af99

SHA256
6073c0098327a989884a91b9a8bc89aaea9e3ee0406b6885a36d5c8388dde946

SHA512
efc57dd070734812345abd311ca06ae9c6e401d007da91130fe83858d4a962bb97642fae75c345a1cc6ec4203f392fde055642f2e56e3bef3b4ca41356f47089

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
608KB

MD5
b56a5a67d79930ef83c1d3fcb16d0f37

SHA1
5672c51ebd888f08e4875c392a526f4fcadbfb1c

SHA256
1d383c11d41c18f0432eeea6a8a160e92ab055ba889384c677d9ec61e9276766

SHA512
a1f114d6de1ef4cdd8628c7d4a8628a71911dac0ec54ef269d55106f094e27842b77a5a7e5ffe5515efeb589f6b8ff54d4d18d033396924a85597bc6a1019f4c

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
608KB

MD5
d3c3d0094c4cf4f89ec4a10b7639955c

SHA1
41f11d12878d36689d08996d3aa870cceb17dad8

SHA256
d9e121997e43b98a75727c9582843379b85cc69b408a0f8ad69fcd8aac6b29ed

SHA512
5201c224d65564d20fa624caa28dc39f9267513ff33551a97b694594fd34fd806b12e655db4a2730c562d0007d0d2329c069d3c616733cad6de50e6352f47b79

Download Submit
C:\Windows\SysWOW64\Koaclfgl.exe

Filesize
608KB

MD5
b3f97aa5514870eb67ee40ae42c537f1

SHA1
6ec04ad80a6bd027d1e805c7ac0378ac8a0a02e3

SHA256
0074ce27712cd9f7e4daae2978e1cde043d056cf17874539c2caf64af67d769b

SHA512
2a4833ed70730ae4651d7b2764c22c6a85c80ca243f44d26db6d33edeb3f9cea4b2f3da11a23a26826ca5687dfbf411e985c7585f0ef310cd71138eee28d37cd

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
608KB

MD5
5bf60dc17a13c3057838a06684b3a091

SHA1
075592d4829aa33e3fa3e51182ac298ed95f5e07

SHA256
a6708d2ccd00c5e0ba336e8e6d67f13df72042fb376b5b308ea5ea7ddb1d1854

SHA512
75de3486085688f920a8098aa2c65808ef708cd2b7dac3f0f1901c1cdb09da5f98c4e80389c13c7a4c11e70b194aada0862fe6cb3aa6c28f02b277d5a4b51f4d

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
608KB

MD5
e7f66f5de4e6bc5abbc981095c64164c

SHA1
f453e6db5747e52cdaed2b2b4ba78ddd9b55e7d8

SHA256
84e3ee087721f6c28b7ebd2dccd39763dbd2ccb59e2c4f9b7b3dca797dce139b

SHA512
d0214f65ad036442282ed1ed0d6718974c272894efc0e163baf78c2f72ba84b6d81864b4120cf67402358e869928ce553a636a90331672a34cafdd731be2aadd

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
608KB

MD5
d451e528cb6d15ce5613c17cb7d8d25a

SHA1
2551409d7675fff69cd92cd4ad6dfa6b8ca2cec8

SHA256
68c90e09eb916ae5d7c54ae94c107b95a66499338b9b558ce6c3ff99893021cb

SHA512
3755f281c721ac3ce6c33bd27d71fbd4f8c6610de5de6c028a8ff159e50a5d32d79e669a31f0ea7bad61a383472dd186d9f68548032aa26941bd624e9e22818b

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
608KB

MD5
074c5da8cf753acb60b2eb5dabef6886

SHA1
1d272b0fc07906efe53c3e20729b1b4aff176046

SHA256
9612094e871a75f5eafd1cc313275c0bad8aa8177724f1bf317823cb68954518

SHA512
74f8c728b041a694d44d8c745cc8047db686e302c69fb5cdc5f9e9fd7f593356a59a1e4bb84e02e805fbaa78f485b04797fc479f0449da8556c4029cccbdb45b

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
608KB

MD5
7f38154a011be9d74f498780df68f1ed

SHA1
b2e46fe4039e40c775c9602a16ff0620bd29132a

SHA256
520e6a000c69798de2eb36b82005c553bdd4b36006cb701482ff5535887f6767

SHA512
d3b7f3a342e56b816dc0f614d0988a916c5712a18e94e8f5172bf63cc44e59db072373e0ff92add328d1d4eef279047a63686ea66299d8d6b93eb98f182d1826

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
608KB

MD5
be32d06b480427adc84567ceb41805c6

SHA1
96f43215fd035f0172b86a918a058bd13748ae09

SHA256
7ea85481f0b8f17440f8d1ec697e268dea543eb48b69ef527eb0397e4c800efb

SHA512
a97f7fe8e9b6995a3f3b211510a7a68769d63d1351067c9ce5e273e4e7998489269aa9e7659a64462dcc88c3e172fa2091a03ec223f137be516c4a3e2d1b9958

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
608KB

MD5
4001aecefbc130536a18aa5da5e1351b

SHA1
19f1a52e9b24bb7e0ac3897118401bfc33b638eb

SHA256
f566c73e3c1d4699e0609f6bb22aa318777b83dbe301f0b50e0ad0be80cba759

SHA512
8c82047e72cc47aa84699e509ffdf9759dd73a3c69a1fc2314cd126c8a13167dd6b9fced400913d409b3ab7a587738e8c050f4276357c05c2520f5248267c7a3

Download Submit
C:\Windows\SysWOW64\Qmgaio32.dll

Filesize
7KB

MD5
ed4a20579aa66b4f0bcb763fd927eb0f

SHA1
5367426acfe9583479f18056ea2ea2caaa4c7fa1

SHA256
e504c1c53d7c91bbfb02fe685b912249b3afa180618308ac48434eefd580f9d0

SHA512
c0cba60d0b5dd394ecc71697efa99730b79bde636b59d95c64c19287f5b863f53024783b9dba61b2f4fb6ddbf15ddc1d3447461a1fb1be19644e4a3bc7e82b85

Download Submit
\Windows\SysWOW64\Jfohgepi.exe

Filesize
608KB

MD5
9b59c917341f80137cdbab2bedd88571

SHA1
0a8d40abd6729aa9bb14d762e4882185ac49d93f

SHA256
cdf985dc0b36633bec03216c68c00a649a6dbea8cc32814916d6492701d6b111

SHA512
97aef24352b98f179da87949480cf6c868397cf9329aa198a2b25853335ad4741391fd9f9117f21d06a79c2252473c9a93b5e2c83c7dac24a89c02957fe9d73c

Download Submit
\Windows\SysWOW64\Jgjkfi32.exe

Filesize
608KB

MD5
c935365f856d5445796a5195161743ad

SHA1
f451424ff20358e31f613f68e5cbf1a76c63f7bc

SHA256
d71e986a90334f461ec8e33abf29859780e9c32d6f8289dc4ce247a97a578ecd

SHA512
9dbb4a1806a1005a78bd60d5dbd3e3be14285db2c589b879adb3ebdeb5aef884de4bf9169136da2a298d22bd5ccc2f0aca626e162819d55ecb564af91040ff29

Download Submit
memory/288-253-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/288-254-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/288-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/288-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/340-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/340-221-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/340-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/340-220-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/572-191-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/572-190-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/572-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/572-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-397-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/804-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-396-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/904-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-386-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/904-385-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1236-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-264-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1236-269-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1260-135-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1260-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-364-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1516-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-363-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1516-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-407-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1548-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-276-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1584-275-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1776-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-205-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2084-206-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2084-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-176-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2104-287-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2104-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-286-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2116-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-124-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2116-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-322-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2120-323-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2188-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2188-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2252-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-297-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2252-298-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2328-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-231-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2356-232-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2368-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-243-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2368-242-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2368-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-107-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2440-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-378-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2444-374-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2476-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-312-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2492-313-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2580-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-352-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2580-353-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2596-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-330-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2688-335-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2688-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-67-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2724-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-149-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2816-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-341-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2864-342-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2864-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads