berbew | a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Size

96KB
MD5

9ed50d6ec6ff5e28245b59ff4c2ba058
SHA1

412e3cf66d65719cda4d456a1c1fd2598f02d95b
SHA256

a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414
SHA512

cfab59986c240a99a3c37f7ebe9461b81449e14590504c404ade170676dfe0bee117690fdd1a7047c4be242210237a05a843b2d01c5cb0ab597311c3f12b9bea
SSDEEP

1536:M9FbQJGZV2SicCKo4cqW2L+ZS/FCb4noaJSNzJOH:IFbQ8wS/T7+ZSs4noakXOH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjfkmdlg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kambcbhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjfkmdlg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
2652	Iamfdo32.exe
2556	Jjfkmdlg.exe
2572	Jmdgipkk.exe
2564	Jgjkfi32.exe
2184	Jmfcop32.exe
1468	Jjjdhc32.exe
2944	Jllqplnp.exe
2888	Jbfilffm.exe
628	Jedehaea.exe
1304	Jbhebfck.exe
2020	Jefbnacn.exe
2788	Jplfkjbd.exe
2360	Kambcbhb.exe
2216	Kidjdpie.exe
1892	Koaclfgl.exe
2436	Khjgel32.exe
2212	Kjhcag32.exe
928	Kocpbfei.exe
2988	Kablnadm.exe
2864	Kdphjm32.exe
1704	Kkjpggkn.exe
552	Koflgf32.exe
2492	Kadica32.exe
1808	Kpgionie.exe
2760	Kipmhc32.exe
2800	Kbhbai32.exe
2736	Kkojbf32.exe
1992	Lmmfnb32.exe
2600	Lbjofi32.exe

Loads dropped DLL 62 IoCs

pid	Process
2688	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
2688	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
2652	Iamfdo32.exe
2652	Iamfdo32.exe
2556	Jjfkmdlg.exe
2556	Jjfkmdlg.exe
2572	Jmdgipkk.exe
2572	Jmdgipkk.exe
2564	Jgjkfi32.exe
2564	Jgjkfi32.exe
2184	Jmfcop32.exe
2184	Jmfcop32.exe
1468	Jjjdhc32.exe
1468	Jjjdhc32.exe
2944	Jllqplnp.exe
2944	Jllqplnp.exe
2888	Jbfilffm.exe
2888	Jbfilffm.exe
628	Jedehaea.exe
628	Jedehaea.exe
1304	Jbhebfck.exe
1304	Jbhebfck.exe
2020	Jefbnacn.exe
2020	Jefbnacn.exe
2788	Jplfkjbd.exe
2788	Jplfkjbd.exe
2360	Kambcbhb.exe
2360	Kambcbhb.exe
2216	Kidjdpie.exe
2216	Kidjdpie.exe
1892	Koaclfgl.exe
1892	Koaclfgl.exe
2436	Khjgel32.exe
2436	Khjgel32.exe
2212	Kjhcag32.exe
2212	Kjhcag32.exe
928	Kocpbfei.exe
928	Kocpbfei.exe
2988	Kablnadm.exe
2988	Kablnadm.exe
2864	Kdphjm32.exe
2864	Kdphjm32.exe
1704	Kkjpggkn.exe
1704	Kkjpggkn.exe
552	Koflgf32.exe
552	Koflgf32.exe
2492	Kadica32.exe
2492	Kadica32.exe
1808	Kpgionie.exe
1808	Kpgionie.exe
2760	Kipmhc32.exe
2760	Kipmhc32.exe
2800	Kbhbai32.exe
2800	Kbhbai32.exe
2736	Kkojbf32.exe
2736	Kkojbf32.exe
1992	Lmmfnb32.exe
1992	Lmmfnb32.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jmdgipkk.exe	Jjfkmdlg.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Iamfdo32.exe	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Gkddco32.dll	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Blbjlj32.dll	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Jplfkjbd.exe	Jefbnacn.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Jefbnacn.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Jjfkmdlg.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Jmfcop32.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Jpbpbbdb.dll	Jmdgipkk.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Pccohd32.dll	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Kmnfciac.dll	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Jjfkmdlg.exe	Iamfdo32.exe
File opened for modification	C:\Windows\SysWOW64\Jmdgipkk.exe	Jjfkmdlg.exe
File opened for modification	C:\Windows\SysWOW64\Jgjkfi32.exe	Jmdgipkk.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Iamfdo32.exe	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
File created	C:\Windows\SysWOW64\Ibnhnc32.dll	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Lgjdnbkd.dll	Jjfkmdlg.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jbfilffm.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Kambcbhb.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kocpbfei.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	2600	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbnacn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kambcbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjfkmdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnhnc32.dll"	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjfkmdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll"	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjfkmdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgjdnbkd.dll"	Jjfkmdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2652	2688	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe	30
PID 2688 wrote to memory of 2652	2688	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe	30
PID 2688 wrote to memory of 2652	2688	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe	30
PID 2688 wrote to memory of 2652	2688	a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe	30
PID 2652 wrote to memory of 2556	2652	Iamfdo32.exe	31
PID 2652 wrote to memory of 2556	2652	Iamfdo32.exe	31
PID 2652 wrote to memory of 2556	2652	Iamfdo32.exe	31
PID 2652 wrote to memory of 2556	2652	Iamfdo32.exe	31
PID 2556 wrote to memory of 2572	2556	Jjfkmdlg.exe	32
PID 2556 wrote to memory of 2572	2556	Jjfkmdlg.exe	32
PID 2556 wrote to memory of 2572	2556	Jjfkmdlg.exe	32
PID 2556 wrote to memory of 2572	2556	Jjfkmdlg.exe	32
PID 2572 wrote to memory of 2564	2572	Jmdgipkk.exe	33
PID 2572 wrote to memory of 2564	2572	Jmdgipkk.exe	33
PID 2572 wrote to memory of 2564	2572	Jmdgipkk.exe	33
PID 2572 wrote to memory of 2564	2572	Jmdgipkk.exe	33
PID 2564 wrote to memory of 2184	2564	Jgjkfi32.exe	34
PID 2564 wrote to memory of 2184	2564	Jgjkfi32.exe	34
PID 2564 wrote to memory of 2184	2564	Jgjkfi32.exe	34
PID 2564 wrote to memory of 2184	2564	Jgjkfi32.exe	34
PID 2184 wrote to memory of 1468	2184	Jmfcop32.exe	35
PID 2184 wrote to memory of 1468	2184	Jmfcop32.exe	35
PID 2184 wrote to memory of 1468	2184	Jmfcop32.exe	35
PID 2184 wrote to memory of 1468	2184	Jmfcop32.exe	35
PID 1468 wrote to memory of 2944	1468	Jjjdhc32.exe	36
PID 1468 wrote to memory of 2944	1468	Jjjdhc32.exe	36
PID 1468 wrote to memory of 2944	1468	Jjjdhc32.exe	36
PID 1468 wrote to memory of 2944	1468	Jjjdhc32.exe	36
PID 2944 wrote to memory of 2888	2944	Jllqplnp.exe	37
PID 2944 wrote to memory of 2888	2944	Jllqplnp.exe	37
PID 2944 wrote to memory of 2888	2944	Jllqplnp.exe	37
PID 2944 wrote to memory of 2888	2944	Jllqplnp.exe	37
PID 2888 wrote to memory of 628	2888	Jbfilffm.exe	38
PID 2888 wrote to memory of 628	2888	Jbfilffm.exe	38
PID 2888 wrote to memory of 628	2888	Jbfilffm.exe	38
PID 2888 wrote to memory of 628	2888	Jbfilffm.exe	38
PID 628 wrote to memory of 1304	628	Jedehaea.exe	39
PID 628 wrote to memory of 1304	628	Jedehaea.exe	39
PID 628 wrote to memory of 1304	628	Jedehaea.exe	39
PID 628 wrote to memory of 1304	628	Jedehaea.exe	39
PID 1304 wrote to memory of 2020	1304	Jbhebfck.exe	40
PID 1304 wrote to memory of 2020	1304	Jbhebfck.exe	40
PID 1304 wrote to memory of 2020	1304	Jbhebfck.exe	40
PID 1304 wrote to memory of 2020	1304	Jbhebfck.exe	40
PID 2020 wrote to memory of 2788	2020	Jefbnacn.exe	41
PID 2020 wrote to memory of 2788	2020	Jefbnacn.exe	41
PID 2020 wrote to memory of 2788	2020	Jefbnacn.exe	41
PID 2020 wrote to memory of 2788	2020	Jefbnacn.exe	41
PID 2788 wrote to memory of 2360	2788	Jplfkjbd.exe	42
PID 2788 wrote to memory of 2360	2788	Jplfkjbd.exe	42
PID 2788 wrote to memory of 2360	2788	Jplfkjbd.exe	42
PID 2788 wrote to memory of 2360	2788	Jplfkjbd.exe	42
PID 2360 wrote to memory of 2216	2360	Kambcbhb.exe	43
PID 2360 wrote to memory of 2216	2360	Kambcbhb.exe	43
PID 2360 wrote to memory of 2216	2360	Kambcbhb.exe	43
PID 2360 wrote to memory of 2216	2360	Kambcbhb.exe	43
PID 2216 wrote to memory of 1892	2216	Kidjdpie.exe	44
PID 2216 wrote to memory of 1892	2216	Kidjdpie.exe	44
PID 2216 wrote to memory of 1892	2216	Kidjdpie.exe	44
PID 2216 wrote to memory of 1892	2216	Kidjdpie.exe	44
PID 1892 wrote to memory of 2436	1892	Koaclfgl.exe	45
PID 1892 wrote to memory of 2436	1892	Koaclfgl.exe	45
PID 1892 wrote to memory of 2436	1892	Koaclfgl.exe	45
PID 1892 wrote to memory of 2436	1892	Koaclfgl.exe	45

C:\Users\Admin\AppData\Local\Temp\a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
"C:\Users\Admin\AppData\Local\Temp\a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Iamfdo32.exe
  C:\Windows\system32\Iamfdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\Jjfkmdlg.exe
    C:\Windows\system32\Jjfkmdlg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Jmdgipkk.exe
      C:\Windows\system32\Jmdgipkk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Jmfcop32.exe
        
        C:\Windows\system32\Jmfcop32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Jefbnacn.exe
        
        C:\Windows\system32\Jefbnacn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Kambcbhb.exe
        
        C:\Windows\system32\Kambcbhb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 140
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jedehaea.exe

Filesize
96KB

MD5
0ff04e795827782528d4aa5a66e06eb0

SHA1
4ba7d725d9e08e3c18f259616b796dc042d331cc

SHA256
175200aa490d3cc788d4bc2f564ec7e8132f9c71f54c35e51b36e5c571efe219

SHA512
3f997d5a86cbbfd16c572323dcd1afc6a6f084dcf56c991553e3e4c4d8ec7bf952ac0ed9996d5127c354cfb944ecd34951dc9274e7423eb5e99c500c56f7037f

Download Submit
C:\Windows\SysWOW64\Jmdgipkk.exe

Filesize
96KB

MD5
5c52d1ac93f2d4671ce01ffb77945068

SHA1
248ec0d97e508c55e4a44d80c77ea6f352e24c8e

SHA256
b33408bdbf40c19d14f67201d19a76154d4d1bf623a1814a365ce8208e7ece08

SHA512
f85746de1eba6b6ad539f4a411939930008886f22cadeb6d9430bb83fea9eb18b6ee72bc599e760a4b371ea74a9dd95bc5a06cbe2db98a5243b59f4ed57a12b6

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
96KB

MD5
f7b747ccc83403a4da46f852ff99a6ff

SHA1
3ff269fbca0fc17b41af0a51d99d23a62a0f349f

SHA256
6e1e860c7f66ceeba36fae36c80f525003f75c1f77d8cbc60c746ccb8bbc1b1c

SHA512
61bae951cabbd7070402a01800fb4fe9a834496101d596df6e19bb5cdd26ca09b2c520caf91a694cfccd57d55d669560317c70391b3207705e5e40591d445a26

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
96KB

MD5
3ab715065e891ae08b00d5f752f4d203

SHA1
7e7e916b2a47279fe57b0ef2b27e6dbf2a664492

SHA256
9410b5b31d7832220617ba58e9d2f402a858f08a3c7683e1063e52e0fb0a1160

SHA512
d0d1fcd1e272f2b561c0238cdf5bc3f12c6f9aeb399e2612f8e5e7ed6484d8b34aa3f9a9008f185562c360b516aa23db39d32d9e6e00c15f411afe4654666d7d

Download Submit
C:\Windows\SysWOW64\Kambcbhb.exe

Filesize
96KB

MD5
f36db31b32549a5a9132df0bf915355e

SHA1
b9359111f93cc3704880956af0577197c5f9cc0e

SHA256
b00dde5e18159516ebd7c749e6e9871a67b73c13b8d1736d76f57649a132e8de

SHA512
c047f1932ed2aecc979f26b6a3db70a07cd429a41fbfcbff1cd772a60e65fa2459f1153ce24f6be6d66ec4f9c53a8602a701889ee037138f124bc7b3a862c961

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
96KB

MD5
97159cebf7a250811790b5103d788a07

SHA1
31e599390c117b2375a40075198abedfeb3ae48c

SHA256
0770a2370f8d7a94fcef7288f57e67f95532c47e33ef8d4492a6f59e539560be

SHA512
10576084e61417c4e11376d77fbd408473f8d0e2c681a281fb1b5d8fa6833af088ded990a0b32b2650837f5f6e3810dd6f620e8a9a64d704008410124d6fc669

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
96KB

MD5
72587c6bf36f2cbfcd4342df26767969

SHA1
3d5e35c1f772b0f1bae4be517d555f90da7bd997

SHA256
d2c1b10ca566c0b69f39779e8114bd59692baae70ac5b561e598cbdac68eca36

SHA512
9729ebb1cf037c13271d081789e0b55237e075a15b28ffe250a34c77a8d23a824dfb0afbc68c9597c57e18d2c82ccf5c96150598aecb45a381720683a2f4a552

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
96KB

MD5
96cff06cdefff6e13cdfd6926a91dc7c

SHA1
3cc63e97867902a760bc79cca126a19f98f0d8d4

SHA256
ab04d19c73ec03b2ad5bd2fb5695fe9980f9d40c026f22fcc25f5943bdfe9217

SHA512
1ed365f7271fbe0c1b4bc5cde4754a0f310680bf5c7c0616090c5fe04bf2a18ee126c298f8f38c61a9a8291bce8f0375a3047339536aa5f3d684b989ca1f905c

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
96KB

MD5
93c0119f14b05a1f175cef48394e4daf

SHA1
3a61bc265c6287e92786eb43bf18fccb55839432

SHA256
7c87f5107c8f7e632d9f282a3260a81b67d56b066684a223fa460666b5938314

SHA512
275688463f82ceeaffcf24e5b9fcf77c5f24aa3cc211d0e26e5b1904ac1d8149e4955314dd41b77d7b34afa1f5c5adbca12c813621642c1c3a411c7ec1fd9b83

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
96KB

MD5
112d7437502e56d508b6180c93bf8656

SHA1
63b4bc6d6480e2df396082e923ddac3452a1d4f3

SHA256
4fe726a98af07c399d515c99cb138c895ee410b0be9f7a5d8b7e6071cfee9b22

SHA512
76319df4232e5a92d4d84c4fa3055d1776b9ab0f899ff04855d42f264c9c1750090295876cc64e5a473f858ed95587275091f200225ff4505fdce989de63ff11

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
96KB

MD5
bc23e503aa210a06ec3130f8f184e403

SHA1
a3000666fbaed9d3bf6965dd1be1152cee97d770

SHA256
167bce7aac4305fabc9f6eeca16d37f4e52c3c476412116dbc9e0492c8e03d83

SHA512
50da470590b5e7f8c553a085950073192b062cf31b99b9a66395b12c893dc7dba0944501376b044fcc40145253c455b18b2ead200753fbb1bffaeb6ba7e6517f

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
96KB

MD5
3cb6a165873b5c363b72b6b64129c4d6

SHA1
b6040b0d52514595bd225b5848432f834ebb16ac

SHA256
e987795fb6dbc65cc2387954196f9be89ca912b47055e2a9591c284c7351c8f1

SHA512
f4bf22a3814ba8068ebe87cd27fabf92dc1cf1a66d5c6cd38e013ca47babb5e14d60ff50a097edaef9b7692550c4b8990e91e02ebbfd343b3d4c5ab9f2d1219f

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
96KB

MD5
ecb7271826df3db9f9bd4ace80ecb6c1

SHA1
b189e7f4183f5a48a4910ad05df2923c9d8cfd7e

SHA256
2b2c3c7212c401566e84505a32eb75be4b24a64d086fc5388931ba04f0a55710

SHA512
4274063d3c19e5a1d5a5521e6bc132a13edcd45a5b80f4e7d797d5f24a9efc5cee344692c62de1a7c51bf2472e3c21a06ab6eaa44b63d4d934121c513217fb30

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
96KB

MD5
48a453598e47bda60aa3947dd07e5a46

SHA1
60c4be113fdbfe9311847413a932181c99159e8a

SHA256
9dffb451e79a46772200186b9129010e5aa81ff39d27f64de8f37e015f0c1eb3

SHA512
a0bc056280f10ded6835e0bf6cee8e2421e5f7d2be796e126af802a6cee44b53d88c235bc7a6cedcc6044c0d33bd2a2b6afbada3b97b8ffa500de69f3909ebf5

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
96KB

MD5
9a69970cf23d749347d37ef6f56e4033

SHA1
a7175ffa06a6552e4ab62c75bbb519b3fe4b86bc

SHA256
98a3e4ec2173a25d098c6ce0b487c7e055b1d53490fa0341b42460fcf00ae6ab

SHA512
a49be377ecf6918534af6a82f703de5002531af4a02c31369c3c523fd1e8e647d604c06a2c2b3e82776e560b68956ffcfbaf23ac54dcecc17eea97d6d25f0360

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
96KB

MD5
4a374344ff076f96be3cb47b6f570b14

SHA1
6acbe10e31e05470b608c1718e8ba132e9953ee0

SHA256
2dc1c7ad4bdf1365e3deaf608a92a2e261364f6450d7fbf31a9422c1c484bf69

SHA512
854ffd668db7a8f2e8bcb2519516c589df65f3210b29930c3291c404cdd9bb2e7b35d8fbf3cc2917b2a9ef1c5b0301c6b12294cd888d4d113ef358866eb1ad03

Download Submit
\Windows\SysWOW64\Iamfdo32.exe

Filesize
96KB

MD5
c4011d4d2c5333a65fd3c5f1156442e3

SHA1
83c59e4811777b9463971412c947dcceec15de60

SHA256
c1380ddbb6cf1fa28f75c2d64bf8019a34f65d7bc9dee120195d9fc627a8f009

SHA512
5b2f4d59cd10f13e9db661568b8a544c4e4c3f0fc65f2954e7b534a889ae020cdd5845301eb83c5afe8dbb975da910a470e22686333fc43efedfeecdf311eef3

Download Submit
\Windows\SysWOW64\Jbfilffm.exe

Filesize
96KB

MD5
f808e1da7bb9a39fa710d497cac70e7a

SHA1
de55cd0164dfaaeff9df9db9f8af9df06dde2f67

SHA256
3f730042897e572904afabc70bdd6a70b1e388e1b65746591dea3219cfa1ba1b

SHA512
c877e769c4b967f23e86412a3288d87a4e5e8824c0b018013ed1e65057b75cab8a8dca1148af7882d0de6eb50f6b5bb39ce10c101495ab38483c6e47d76fdfef

Download Submit
\Windows\SysWOW64\Jbhebfck.exe

Filesize
96KB

MD5
7f62e9e44e7c4cc9677bdcb08b5d2931

SHA1
3582410a1765f421fdcbee3b4a9c0883b0d1113d

SHA256
c283fe8cd26ac18d7ea148298490e1163fa5a2005e8e396bccd2a06a4edaa81c

SHA512
1e67260d0862e24a5e7e67c6974b8f3856cbe42fb8fa8f19251f0199e4093e5c5368deaa71d74a814ddb1d72e163434946b15af84a656c2a064140251f68f5e0

Download Submit
\Windows\SysWOW64\Jefbnacn.exe

Filesize
96KB

MD5
92c0eb8007cedac18b1082c7b204cc4e

SHA1
44f58bb650a384e5b5e0bba2e020ea3636d0ec4b

SHA256
f2ef4d1ec7376dec83a8b750f3bea562b9fd1a68f9f3237a04839cf352dd6639

SHA512
b7268c01d4c75bee4770ea698409dec3f65eb8cc0307c30dc9f8a3f6d824a08338e67f001c330a291230daba1f426033ca16125b9593a3ccc3966678d446e6b1

Download Submit
\Windows\SysWOW64\Jgjkfi32.exe

Filesize
96KB

MD5
7556f9ec9455b5f8d92f5d3f1caa56ee

SHA1
9cafd4a0e95154ea6d134bbfd1b33710f78efcfc

SHA256
6a2e386fe16be88e26b799c08dde92a485f25c94077b53d07ed978cf2a10d335

SHA512
86e5dd3173b72de38c0ed31f3452a3df1ea06126f7413fcc1faec9b967b61f3e732e76be16080ff7f2a27e9c792277ed395f9f5766fd9862dd93055b442acfad

Download Submit
\Windows\SysWOW64\Jjfkmdlg.exe

Filesize
96KB

MD5
6af002f479df143f9bf8dec3679fe65b

SHA1
905dd63b1dc6f7b167c976d172b0a97760ee2a1a

SHA256
1de4ba4635b53f4fc60aa1d29adfdf1de04331dc8480c8a9d8589acd9dac38a2

SHA512
63e84f69bdb848381f9cd70b739c8a46077e9981e4b4a68b365f1ecb0115617ad4a4105520a31e76d7acb59461179527093f07c7f20a0da839a67aaec90ed56c

Download Submit
\Windows\SysWOW64\Jjjdhc32.exe

Filesize
96KB

MD5
ab1f912ac557a5a324ff4f9033610016

SHA1
a7b7ea85ee8bb5b134f41e896566175c93f9611e

SHA256
cbd7240ca77a53d781b6d4b58bad1609c38bf45f0d2ac079234e135fdbd5bf97

SHA512
d6ba6b5d0cad74e137d977ba2e4435fd24a7e51d10e1e4f9c9ddf2584e5acf3b14ff3c3ea0f86d69fcc1016c40ffc132580857a2510231a5d48ca31b624e849b

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
96KB

MD5
b71695c03770a454b681a3ba40c736c7

SHA1
3afae4ed1c9e8f382fdd6d93457232ec427ffec4

SHA256
cca36f35a2974dc9dfa7aea9b10da12c2046d178b430ee5760d6235b16ced91f

SHA512
bc5dce956a068c22cc02f414db26fc1b9c5a4305f65fa0666b8b194346b660bb9822f933806560326bf4b81f499eb7238e1cb1c42f60628820c06d0120f7670f

Download Submit
\Windows\SysWOW64\Jmfcop32.exe

Filesize
96KB

MD5
355aef1be5ff8d099e9b59dbb9c993ac

SHA1
4e34351d48d2a96105dd70e748624d1149a860d2

SHA256
7d48846aaabe7280dd31ce039397f210f0bced54a609cccd903b0a05f36f26b7

SHA512
78fe3f7d889b9e73a569efdfadb84b4c599c7c413fb7fac71602189f8427ee46fb3269213aa3a27239d3f7f30c47963f6822b345a7a9edc75047e4f52d85d831

Download Submit
\Windows\SysWOW64\Jplfkjbd.exe

Filesize
96KB

MD5
93455152978f6041deeba1cc577672ef

SHA1
3235f9adcb83907166a7865e3902a6e672ed5cef

SHA256
197ec7b620c80f3725898d5fa488c36a9014b3addf324665042dcacc1ab80665

SHA512
2e80c957031adbd24a10aa460616b454efa6ad1685c3581d1aab5d37d8985b7a571c3aa09e4ca2c595e59383cbdfa0f338880e3c1c630f7c386fb6a726deccb2

Download Submit
\Windows\SysWOW64\Khjgel32.exe

Filesize
96KB

MD5
d7b3aa5e447d274afaa881337368a5c9

SHA1
6bc8e2f31ceb6458e836c5e9179959399a0385f2

SHA256
02b1f23b82ed4ff19508feb4c6f5bd8e62ea7745011919aa5668b1c96858d86c

SHA512
ebb61f0a6dc18a7b224a9ef6b790733897c89c622375a18fcade1e8283086e1c65a3646a6dff3c2d55480ad5ec1f290d81b367fb5ee622b4a5e86de0fdb91c92

Download Submit
\Windows\SysWOW64\Kidjdpie.exe

Filesize
96KB

MD5
c97eea52f4c4c12ef5b9e71308884550

SHA1
63397eb353b4ecfb44623c38258ba08185b91e5c

SHA256
12972506b4b2bedf427eb7bbe28eb37994eb8b80a44344b8b0c8ff88d29f7349

SHA512
e737d0bb9cc98b4a9f1366af4b9de371c3f3c9855d95085baf7165a727fd4b5c4f30d0eee5286bbd786e2a15db3a67374387cda9392f6d66f10bad60cbf4f467

Download Submit
\Windows\SysWOW64\Koaclfgl.exe

Filesize
96KB

MD5
e6c57fd6a2cb5dc9b338cfc268917e48

SHA1
e1a4f5fa11343a12a8b66943d52d55110aee5d38

SHA256
14f3aff6c84b06ec285ce1dd58d61cd038d9be9af8bf2534434dcabb5a31e1d7

SHA512
0d762888e7484b5f2d51ecdd26f4c824edaaa7eb44d7e8450818d9058bc755ee617960a06ae16722db84842e1bfdfeafb8341ebfeb7b26384367d18c413fcf8c

Download Submit
memory/552-286-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/552-285-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/552-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-131-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/628-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-271-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/1704-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-304-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1808-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-303-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1808-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-209-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1992-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-347-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1992-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-157-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2184-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-76-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-293-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2492-292-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2556-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-41-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2564-67-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2564-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-54-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2572-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-32-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2688-13-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2688-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-12-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2736-337-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2736-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-315-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2760-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-314-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2760-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-330-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2800-325-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2800-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-122-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2888-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-102-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2944-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-252-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2988-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads