berbew | eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Size

64KB
MD5

c0a5234196732fe61fa76126589973ba
SHA1

af9e2e01877db327dec77d91ec563aaaf4c81457
SHA256

eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc
SHA512

02527966751d8625214d2c480c685fde6c94942bf66f289a4a977088d60b61aa5b683b3eb72e09052f57aab4b0f221382d7ce8c1975e88a429021068b658b720
SSDEEP

768:3JVAC717k4BVq5KcHcPc1YEMgsAVezWiZaryR4JprhYhzvb/1H5tXdnhgl72KNtX:sO7k4Bge8pH9gK6WprhYhDptgNtX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 27 IoCs

pid	Process
2376	Jikhnaao.exe
2776	Jpepkk32.exe
2724	Jjjdhc32.exe
2720	Jllqplnp.exe
2596	Jcciqi32.exe
2892	Jedehaea.exe
3024	Jipaip32.exe
3068	Jbhebfck.exe
1868	Jibnop32.exe
568	Jplfkjbd.exe
2248	Jnofgg32.exe
2124	Keioca32.exe
1548	Klcgpkhh.exe
628	Kjeglh32.exe
2420	Kapohbfp.exe
1920	Khjgel32.exe
2552	Kjhcag32.exe
2468	Kablnadm.exe
288	Kdphjm32.exe
2484	Kkjpggkn.exe
764	Koflgf32.exe
1924	Kpgionie.exe
1284	Kipmhc32.exe
1988	Kmkihbho.exe
1336	Kbhbai32.exe
1880	Lplbjm32.exe
1484	Lbjofi32.exe

Loads dropped DLL 59 IoCs

pid	Process
2188	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
2188	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
2376	Jikhnaao.exe
2376	Jikhnaao.exe
2776	Jpepkk32.exe
2776	Jpepkk32.exe
2724	Jjjdhc32.exe
2724	Jjjdhc32.exe
2720	Jllqplnp.exe
2720	Jllqplnp.exe
2596	Jcciqi32.exe
2596	Jcciqi32.exe
2892	Jedehaea.exe
2892	Jedehaea.exe
3024	Jipaip32.exe
3024	Jipaip32.exe
3068	Jbhebfck.exe
3068	Jbhebfck.exe
1868	Jibnop32.exe
1868	Jibnop32.exe
568	Jplfkjbd.exe
568	Jplfkjbd.exe
2248	Jnofgg32.exe
2248	Jnofgg32.exe
2124	Keioca32.exe
2124	Keioca32.exe
1548	Klcgpkhh.exe
1548	Klcgpkhh.exe
628	Kjeglh32.exe
628	Kjeglh32.exe
2420	Kapohbfp.exe
2420	Kapohbfp.exe
1920	Khjgel32.exe
1920	Khjgel32.exe
2552	Kjhcag32.exe
2552	Kjhcag32.exe
2468	Kablnadm.exe
2468	Kablnadm.exe
288	Kdphjm32.exe
288	Kdphjm32.exe
2484	Kkjpggkn.exe
2484	Kkjpggkn.exe
764	Koflgf32.exe
764	Koflgf32.exe
1924	Kpgionie.exe
1924	Kpgionie.exe
1284	Kipmhc32.exe
1284	Kipmhc32.exe
1988	Kmkihbho.exe
1988	Kmkihbho.exe
1336	Kbhbai32.exe
1336	Kbhbai32.exe
1880	Lplbjm32.exe
1880	Lplbjm32.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Kapohbfp.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Jnofgg32.exe	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jedehaea.exe
File created	C:\Windows\SysWOW64\Jibnop32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Jcciqi32.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jplfkjbd.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kapohbfp.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ifkmqd32.dll	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Jjjdhc32.exe	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jibnop32.exe
File created	C:\Windows\SysWOW64\Ibodnd32.dll	Jibnop32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Mebgijei.dll	Jpepkk32.exe
File created	C:\Windows\SysWOW64\Jcciqi32.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Jikhnaao.exe	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
File created	C:\Windows\SysWOW64\Qmeedp32.dll	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Klcgpkhh.exe	Keioca32.exe
File opened for modification	C:\Windows\SysWOW64\Klcgpkhh.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2392	1484	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcgpkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll"	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll"	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jedehaea.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2376	2188	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe	30
PID 2188 wrote to memory of 2376	2188	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe	30
PID 2188 wrote to memory of 2376	2188	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe	30
PID 2188 wrote to memory of 2376	2188	eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe	30
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2776 wrote to memory of 2724	2776	Jpepkk32.exe	32
PID 2776 wrote to memory of 2724	2776	Jpepkk32.exe	32
PID 2776 wrote to memory of 2724	2776	Jpepkk32.exe	32
PID 2776 wrote to memory of 2724	2776	Jpepkk32.exe	32
PID 2724 wrote to memory of 2720	2724	Jjjdhc32.exe	33
PID 2724 wrote to memory of 2720	2724	Jjjdhc32.exe	33
PID 2724 wrote to memory of 2720	2724	Jjjdhc32.exe	33
PID 2724 wrote to memory of 2720	2724	Jjjdhc32.exe	33
PID 2720 wrote to memory of 2596	2720	Jllqplnp.exe	34
PID 2720 wrote to memory of 2596	2720	Jllqplnp.exe	34
PID 2720 wrote to memory of 2596	2720	Jllqplnp.exe	34
PID 2720 wrote to memory of 2596	2720	Jllqplnp.exe	34
PID 2596 wrote to memory of 2892	2596	Jcciqi32.exe	35
PID 2596 wrote to memory of 2892	2596	Jcciqi32.exe	35
PID 2596 wrote to memory of 2892	2596	Jcciqi32.exe	35
PID 2596 wrote to memory of 2892	2596	Jcciqi32.exe	35
PID 2892 wrote to memory of 3024	2892	Jedehaea.exe	36
PID 2892 wrote to memory of 3024	2892	Jedehaea.exe	36
PID 2892 wrote to memory of 3024	2892	Jedehaea.exe	36
PID 2892 wrote to memory of 3024	2892	Jedehaea.exe	36
PID 3024 wrote to memory of 3068	3024	Jipaip32.exe	37
PID 3024 wrote to memory of 3068	3024	Jipaip32.exe	37
PID 3024 wrote to memory of 3068	3024	Jipaip32.exe	37
PID 3024 wrote to memory of 3068	3024	Jipaip32.exe	37
PID 3068 wrote to memory of 1868	3068	Jbhebfck.exe	38
PID 3068 wrote to memory of 1868	3068	Jbhebfck.exe	38
PID 3068 wrote to memory of 1868	3068	Jbhebfck.exe	38
PID 3068 wrote to memory of 1868	3068	Jbhebfck.exe	38
PID 1868 wrote to memory of 568	1868	Jibnop32.exe	39
PID 1868 wrote to memory of 568	1868	Jibnop32.exe	39
PID 1868 wrote to memory of 568	1868	Jibnop32.exe	39
PID 1868 wrote to memory of 568	1868	Jibnop32.exe	39
PID 568 wrote to memory of 2248	568	Jplfkjbd.exe	40
PID 568 wrote to memory of 2248	568	Jplfkjbd.exe	40
PID 568 wrote to memory of 2248	568	Jplfkjbd.exe	40
PID 568 wrote to memory of 2248	568	Jplfkjbd.exe	40
PID 2248 wrote to memory of 2124	2248	Jnofgg32.exe	41
PID 2248 wrote to memory of 2124	2248	Jnofgg32.exe	41
PID 2248 wrote to memory of 2124	2248	Jnofgg32.exe	41
PID 2248 wrote to memory of 2124	2248	Jnofgg32.exe	41
PID 2124 wrote to memory of 1548	2124	Keioca32.exe	42
PID 2124 wrote to memory of 1548	2124	Keioca32.exe	42
PID 2124 wrote to memory of 1548	2124	Keioca32.exe	42
PID 2124 wrote to memory of 1548	2124	Keioca32.exe	42
PID 1548 wrote to memory of 628	1548	Klcgpkhh.exe	43
PID 1548 wrote to memory of 628	1548	Klcgpkhh.exe	43
PID 1548 wrote to memory of 628	1548	Klcgpkhh.exe	43
PID 1548 wrote to memory of 628	1548	Klcgpkhh.exe	43
PID 628 wrote to memory of 2420	628	Kjeglh32.exe	44
PID 628 wrote to memory of 2420	628	Kjeglh32.exe	44
PID 628 wrote to memory of 2420	628	Kjeglh32.exe	44
PID 628 wrote to memory of 2420	628	Kjeglh32.exe	44
PID 2420 wrote to memory of 1920	2420	Kapohbfp.exe	45
PID 2420 wrote to memory of 1920	2420	Kapohbfp.exe	45
PID 2420 wrote to memory of 1920	2420	Kapohbfp.exe	45
PID 2420 wrote to memory of 1920	2420	Kapohbfp.exe	45

C:\Users\Admin\AppData\Local\Temp\eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe
"C:\Users\Admin\AppData\Local\Temp\eb5e0eb2f7764e179cea952453fe547d1fe64c8139f55e2a67a4aee07e78edcc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Jikhnaao.exe
  C:\Windows\system32\Jikhnaao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\Jpepkk32.exe
    C:\Windows\system32\Jpepkk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Jjjdhc32.exe
      C:\Windows\system32\Jjjdhc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
64KB

MD5
24a75a3ede9941d089d142e2fc1842aa

SHA1
796c050f0de9f05ae41da3afc5b97d57e8e166f3

SHA256
9fd4016c2aa3656e74c287067a82e3c297dfd6483c0b1f4e943ffa43a9acef20

SHA512
eaa4803f37f56760194e4a4290627ff2c593ca0bd145bf16e151637c65032b930f3290cbc225556030761fdaf47c645d837c065685f9595ee94fb36e1b9c84ee

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
64KB

MD5
34029cf1a0a144e721e677b255c78ee3

SHA1
d10bd3a3e613b5c41589988f06db8baf61baaeae

SHA256
ad63c22e91d7d464e23fc6c52bd258d26f108f74d94a27bf634ac61576100363

SHA512
61fa5b8cc68e53df0ca01982423f00c16aba50cabed976cdbf0578546b722683a8e554c3921519d799a808d6ad2eea5f6b0cf11416f88a12e56e3a331039c408

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
64KB

MD5
ae2417f99e8a317913d2c089eb09a425

SHA1
fd02592f6da0f19d26e60e6003fe1fd8a1b33778

SHA256
8f151a25c582e13a8528d56dc469dd26fa107041ed720f2b9cf329bd3e4a7fa3

SHA512
6467ab7b6af07765235a7f42ecda0a09b4156d4c604196b8c7fea07d1f8444fe36000967ba1a328cf50ff1040d9b14b1529dfb583072acb4b20f6a13e4cfbdc4

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
64KB

MD5
af0f5341a8a08a3e6315d798c6228def

SHA1
6923e8e677aee00f951b2edebb9cbce1e1be3e11

SHA256
845bf65d64267d230a511c3fb192c60ff8665b1d9b2368a629a85cabd72d1e3e

SHA512
1fdf9bc47d9cd7f369b1894e53830bc5ce694927639ab0a559b01e95d257dd6a0c551e47a9594906d49bf56539d85d6c46930c9b6bc9689f78d2edd9acce0121

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
64KB

MD5
103714bec4bf785c7f0100e25cd3585f

SHA1
a544f0d31bb646629693b349f174f477a73faf22

SHA256
9af46360dfc9e72ced5c7bc0b90e4e40086ed08d9766d0a9c17ca6e7737337a0

SHA512
2b1998b088359a2ac5b4c94312eca48a619834b5e8863764e8288196a17ec4bdf096a2293e5f3825ffbe3379fe4e981aec2307cf4afd5e62ae2501f1420e22a6

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
64KB

MD5
cf805acf395efeb49ba47d0af907e4e9

SHA1
0f7159cbe33f438e8df6622c1a2e87f8cf05bdd5

SHA256
f9d9302b720b11315fc22420ba3b115a4e6ccc2524e3a5ca4aa2a4ec100abe92

SHA512
5c4286f2747a0bc1244adf6943a560bec39b1225c3c662f9c10a35925f3ed332e9168e22f4231679fa973bc9ca189fc79d290d0de58e3bbc60b3f3cd2f388132

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
64KB

MD5
6e4631d42889bc5accbfae4ac278a207

SHA1
1ab6889382700d840778f96c2475320931c30d75

SHA256
f88dfa8d6afcdd54697165031bdad0a93b54befcc351afca574771cf63fce8c4

SHA512
fab1a1dcb51fe00347f6a30904c313533c22d10149d2d171c6cc2c88dc53e6289ce94cadb7dfc5c1645a2f7ee0c93d3d32ea26149488768b551725f72fff2863

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
64KB

MD5
c6a9862315b98dc3e9ddc3f3275707f1

SHA1
f62dd7d8227f60ea32d5e28b37142b83b02ca20b

SHA256
82fbbe40436439a1876207393a3e300caadc7cbb5f9f0d877000c5e221fa6217

SHA512
dda6e139fec47e53e146ece8688c4745f6c76cfeb2fecb294e2eb9123ef494612ef0541c951f3e72bee4bc434b670225c1fcc33641d144930f6d21fae0f62626

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
64KB

MD5
95e13dd9e9aadbe128c2dc6b60ecfacb

SHA1
3c6ba00b6013830c03c4542527f3e610e35e6fce

SHA256
c214dcd8c5a905248f4dddce583acf77db6e33a80cd9c30c8707dabf73da9392

SHA512
4a81a2f771b8d48930d0a72b45daf54b0de2b5c168e48d0d41efbe4e0f94a8dbf51a3bd9acc6730c1a120a872b27693fb1c0dc9ef676a22c2e18840c9dcd07f3

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
64KB

MD5
0536980b4e71d4c0b4b2b8267d792dfc

SHA1
98cf59b6088e8ac89c0896a5d4c99ca167e6190c

SHA256
d6f00926eca756586b1960e05f28bedae34ef7cd786d5128b948fd496c9c7fe5

SHA512
a608ef9f7e668cfe3fcf060bcc930b4147fb08a418a782aa8bfa225f4568d9e86c3013b27be7636518176d071845f2ec358d70d0912f78f3bde99c47c787ccc1

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
64KB

MD5
845bae038abb8bded68b4cf3046e3b4e

SHA1
321d5e79a8c8008e58c170ea522d2b0f52806510

SHA256
dfc1c9ef907a4f28c45aa8efc0224e7b9ff0782fbaba29ba1464c756c1acf899

SHA512
c54e8584ac98498302b87248b1b6271593679e4de62eb046ab2964476f0517c3f6d1104870d544125abad6d1fab1b3e989d9d6ed2df5b192f64f4582d701d05e

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
64KB

MD5
f19fa91faffddd9b3504d5af0c7fe8bb

SHA1
93dc5f14ac5f2b344f3205db0a73742414a2d528

SHA256
20e2b1236c5eb141dd8758f3cf949bca3c3f1ec2d451366ad99febae6a92c3a1

SHA512
9e2ddcf22cd0e85d7c789d5023cbf30562ca134f1b39e160d8009e63ffcadc24fa0605b5edaaef5fb6696f551fff7c28654969c345015a71774618d7bd60e80b

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
64KB

MD5
7fc4c3662b340ce7f5b8dd152cfa7665

SHA1
b79681010bdbba79dc9155944fbee5faac256502

SHA256
e535efd10ef5396e8585b3384e0085f643225bc60a9ba6b3323ec88619f9511e

SHA512
ed666b33f2ef02e67a155ec07c8e3fb7e17fe8c19164251018b8481012d3fa1ae7cc40f201d0dddae6e0b2083ffafa20a5abd74bf1c7fbf9aec5a315c7b168b4

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
64KB

MD5
e77071c653d80452d911f63fa44232f1

SHA1
997268e534be755adffd60fe999e54d25d5fc476

SHA256
b70143603e871ad08455d49005470b7d28bd21c470bf5366291af760bf8cf593

SHA512
658f9e37babf9e8b295b0d06adc3efa4db1b3e3fedbe3f7fa844b6947e6b8cead0223eda09182c7f084236e8eea39c4d6a5b0f07f72084cbcc84705c1cc9fab9

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
64KB

MD5
bfbb25013dc40449b0f03cb33e7b77e5

SHA1
3583af699478373e43a63576ab33e82b02709897

SHA256
6a4adf0310f0b917e0c7677c3e5bbd8afb1062c977010e7c5d838ac989d27197

SHA512
678d96bdbe6fd01c45535c2b9e518307254888c14df4da964498ef322918e1d1ad841a1ecb742f1a3652aeb293e74174d52bcbe3e63ba833e41beb23d27754b2

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
64KB

MD5
adfd1bb8955bf30ab1bad99f3e9fd7fb

SHA1
2b4b56fea2a126107d0671583d740ff3d0dfc091

SHA256
04cd5e73e5cd8e07a6d6a7c090e70c271c8c45d5404b6ba782399fd473141154

SHA512
4cc292a5d917c56476f2a5f3d6879cc836b5e13c54bc9bf64daf3f78d83adc5931bfeae6bacd6052db319e89ad63fdf653f9c316bd461495c48834924475dbf8

Download Submit
\Windows\SysWOW64\Jcciqi32.exe

Filesize
64KB

MD5
1efa3da64418bfc8f5ee3e473cdeaa4f

SHA1
c1eaeafbf6a6ac0d42aee6a52a15e89e222fb787

SHA256
f6611095c54952d59838b898e70fcb76a86aa72c59d2a120e9fc0aa458b65e85

SHA512
364dceea2e6b439913b5d76e1a2d899440113bffc20ed9c911ac356e05c6b35295e6c98f2809cc914eab33706357c8e8248526cf602d22316256136488f4eca0

Download Submit
\Windows\SysWOW64\Jikhnaao.exe

Filesize
64KB

MD5
05740831cf4ce5d7fcb8b0b2ebfd02f2

SHA1
54148ccafdfc59a0764a0a38f47a4a0edd3b1cb0

SHA256
32a2a1c3992b6434808897e0b4051c56b7cfb40726d3812d083a051cee2899b5

SHA512
b467eeede34c3c12bccb13d221dabf9f8ebc02aea618abb456c1de39281e2de26f528437a21b5efd3028533ce866b50f5692988fac7462d4b01e084233e8f426

Download Submit
\Windows\SysWOW64\Jjjdhc32.exe

Filesize
64KB

MD5
6ed6f8d538f463cb1543ed4c0129ba55

SHA1
cb804ff0026d2f6652a51f8c45bab5700c0c6c7b

SHA256
d5ba9184a919f2d1d6275947d3ec62b8e1d78b54ecbf0e5c6b9b2c54b1900cd4

SHA512
612bcf2c8a7667c60edcf06edee10e2b2ddb8980795eba827ec53bf2cb8cb70fbf4f4df0f46e76ba6b7deb2fc4d23a447ab7f9f8fc02ecc9862566a50d9c7c07

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
64KB

MD5
40857810f30211fec9177e8ad89790ca

SHA1
7e9bc212136e7fae19623ad60e9619a93538110f

SHA256
4ca388e7397430ad3abfb28955880bf4e0ef3c3bde4e274e981bf5732ec80097

SHA512
0e543183060afc497234ea9cd5fd894274eb7c5c9e3f9278d65f5f0adeb73ce6ea3254cdde44a74c3071ec18507658559628fb1ed2a21e2c753a0f0c5050db3a

Download Submit
\Windows\SysWOW64\Jnofgg32.exe

Filesize
64KB

MD5
769b8832852424e8c2c2ce17f8b0eb4d

SHA1
62a858ddad68ebf9e6f4c29404822cb43b600220

SHA256
84dc6e075d99bba5af89c27ca8010d1b4234e43b33c4f52a7c1d5c648238f15e

SHA512
80714caa1b5b9117e59dd2ea019eb1241716387ce4213ee4034cd606b740619161f1f51de7377c420864df5d77bd6951ad79950b1b12f9aa9176c8900869317a

Download Submit
\Windows\SysWOW64\Jpepkk32.exe

Filesize
64KB

MD5
b8993857e995e9714dcbd9c78591a9eb

SHA1
72f291a199828d261e4c9b6eaec9fd4f88f6756d

SHA256
c3b1edd04f28dc908adffe9369ec475c7c0bc33c16477d364d1f7363f09cabce

SHA512
74d18053c55f5743de37ad158ce28be0eaf6f25dced78031122c3af0b180f996df3829d10b7ca0d1270b4692ffffd82f6f1fbf630e2906e1cf84968a2461b48f

Download Submit
\Windows\SysWOW64\Jplfkjbd.exe

Filesize
64KB

MD5
4a8401c77dc7c5201bece5ba6aea72ae

SHA1
c5cc4cf2b0ad20d2d35a7153788b6f41c1cc447e

SHA256
2fe3f5354d8efb4b8f1881d8f91e6ebf0fc99c5716319821711450ae1f79457e

SHA512
ee9ba37bb27aeb6199621b2d02e3db1d3f7f686c0028a71c530b31d5e1c789dd3a48f5446e96cb668b43efd5f05477f14f3d0282f895efc90e0ac571bb8664be

Download Submit
\Windows\SysWOW64\Keioca32.exe

Filesize
64KB

MD5
90c2b6413b8a7d3fc79d1356c6151d47

SHA1
21e87f5eb2e6c1a1c78e24ac66db2504ce03b96f

SHA256
f87c869293f83c7610466aeb2589a27bc7832f75612f94f876ed116a8678e808

SHA512
aeb9303d3483ff1955d0b20da895355e45d034901bc8c28468b67e7ea9bf8ffe2baf9e03c9aee480e0c4ebdefbaf32f0e5e7251d0cc385754ced378c14a88ae0

Download Submit
\Windows\SysWOW64\Khjgel32.exe

Filesize
64KB

MD5
00d0b357831f9004b6ccb9f6ca79bdc6

SHA1
2d74ebe276c24a2efc650d6199c142997ded876e

SHA256
c7e039b6a7809fd92f52f43b22fc0f755f60ca7a1c35261b3ee189b7ff9aff4b

SHA512
a17491198eb0b6e5266b264c856302e327c9e875d5664ee542b9733b90d58c24972d7d9e6abbaa45f37bc2fc81a8ec463b948d9c125523d314cb1ccde81f79d9

Download Submit
\Windows\SysWOW64\Kjeglh32.exe

Filesize
64KB

MD5
8deaae4d91b423c24dbc9d5c92adb5cc

SHA1
3b4fbf8076e384cfd13076ce233af7e4ffbb5df6

SHA256
2e8e9d7dad2912e0c2306551c787e9e7bfbf5db3d3da6cb523e981d645b9a371

SHA512
18dde01198b8d25d9d9bfdec3a3fc601845412838c33c94aa753a7bc8cf494339248a906799de218be0037092d7debcdb12f623fdf58f4e3ff002d8579238de3

Download Submit
\Windows\SysWOW64\Klcgpkhh.exe

Filesize
64KB

MD5
2447ed2ad498df1e7a0d647804917fe2

SHA1
7ddf8c09f67a0795a49d576cae69a1aefdfbe177

SHA256
98076491f7817aff3a5fd2bcdbdb2fe41ac0a40ded4b19381692ba99f6bfe84f

SHA512
d2e64a21a198e57e95a02f9c5c72b8c224737b1b5119f0fd82a4a236fb297b566ed64d095e56f474f7aa43fd366f26e98b2b545e4cf8f28e27eeda66389de6b9

Download Submit
memory/288-249-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/288-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-264-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/764-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-285-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1284-292-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1284-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-309-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1336-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-307-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1484-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-183-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1548-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-321-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1880-320-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1920-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-278-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1924-277-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1988-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-300-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1988-299-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2124-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2188-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2188-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-21-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2376-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-210-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2420-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-240-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2484-255-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2484-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-52-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2776-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-104-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3024-100-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3068-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-114-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads