berbew | dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
Size

320KB
MD5

6e68beb8e3ab857a10fa4cbc6bcaf463
SHA1

5d5ce99346a825f443071e0554560b4494dcdc24
SHA256

dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1
SHA512

237e67f9ee5296e3180b89120d229b75cbe400f7af2ed78e079dce8c560dd1a087103f45e6c644399d26267f50dbd57a4bdc0fde3fc3c0e11d44e1e292b16d88
SSDEEP

6144:kO7SWSVUoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5RV:l7SWS96t3XGCByvNv54B9f01ZmHByvNB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieponofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icncgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieponofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
2732	Hifbdnbi.exe
2820	Hqnjek32.exe
2620	Hmdkjmip.exe
2856	Icncgf32.exe
2704	Ieponofk.exe
308	Injqmdki.exe
2480	Ijcngenj.exe
2672	Jggoqimd.exe
1128	Jfmkbebl.exe
756	Jmfcop32.exe
2084	Jcciqi32.exe
1212	Jedehaea.exe
1824	Jefbnacn.exe
2240	Kbjbge32.exe
2404	Koaclfgl.exe
1292	Kdnkdmec.exe
1624	Kfodfh32.exe
2944	Koflgf32.exe
2292	Kdbepm32.exe
2132	Kipmhc32.exe
2164	Kdeaelok.exe
1772	Libjncnc.exe
1696	Lgfjggll.exe
2740	Leikbd32.exe
2776	Lghgmg32.exe
2412	Lhiddoph.exe
2596	Lcohahpn.exe
2632	Liipnb32.exe
804	Lofifi32.exe
2096	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2192	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
2192	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
2732	Hifbdnbi.exe
2732	Hifbdnbi.exe
2820	Hqnjek32.exe
2820	Hqnjek32.exe
2620	Hmdkjmip.exe
2620	Hmdkjmip.exe
2856	Icncgf32.exe
2856	Icncgf32.exe
2704	Ieponofk.exe
2704	Ieponofk.exe
308	Injqmdki.exe
308	Injqmdki.exe
2480	Ijcngenj.exe
2480	Ijcngenj.exe
2672	Jggoqimd.exe
2672	Jggoqimd.exe
1128	Jfmkbebl.exe
1128	Jfmkbebl.exe
756	Jmfcop32.exe
756	Jmfcop32.exe
2084	Jcciqi32.exe
2084	Jcciqi32.exe
1212	Jedehaea.exe
1212	Jedehaea.exe
1824	Jefbnacn.exe
1824	Jefbnacn.exe
2240	Kbjbge32.exe
2240	Kbjbge32.exe
2404	Koaclfgl.exe
2404	Koaclfgl.exe
1292	Kdnkdmec.exe
1292	Kdnkdmec.exe
1624	Kfodfh32.exe
1624	Kfodfh32.exe
2944	Koflgf32.exe
2944	Koflgf32.exe
2292	Kdbepm32.exe
2292	Kdbepm32.exe
2132	Kipmhc32.exe
2132	Kipmhc32.exe
2164	Kdeaelok.exe
2164	Kdeaelok.exe
1772	Libjncnc.exe
1772	Libjncnc.exe
1696	Lgfjggll.exe
1696	Lgfjggll.exe
2740	Leikbd32.exe
2740	Leikbd32.exe
2776	Lghgmg32.exe
2776	Lghgmg32.exe
2412	Lhiddoph.exe
2412	Lhiddoph.exe
2596	Lcohahpn.exe
2596	Lcohahpn.exe
2632	Liipnb32.exe
2632	Liipnb32.exe
804	Lofifi32.exe
804	Lofifi32.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lofifi32.exe
File opened for modification	C:\Windows\SysWOW64\Hqnjek32.exe	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Aaqbpk32.dll	Jmfcop32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Mgqbajfj.dll	Ieponofk.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Injqmdki.exe	Ieponofk.exe
File created	C:\Windows\SysWOW64\Diodocki.dll	Injqmdki.exe
File opened for modification	C:\Windows\SysWOW64\Jmfcop32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
File created	C:\Windows\SysWOW64\Pccohd32.dll	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Jcciqi32.exe	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Jefbnacn.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Icncgf32.exe	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Leikbd32.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Leikbd32.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Aonalffc.dll	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	Jggoqimd.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Mcohhj32.dll	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Ieponofk.exe	Icncgf32.exe
File created	C:\Windows\SysWOW64\Ijcngenj.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lofifi32.exe	Liipnb32.exe
File created	C:\Windows\SysWOW64\Icncgf32.exe	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Keppajog.dll	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	Jggoqimd.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	Jggoqimd.exe
File created	C:\Windows\SysWOW64\Nmdeem32.dll	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Jggoqimd.exe	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Njboon32.dll	Icncgf32.exe
File opened for modification	C:\Windows\SysWOW64\Jggoqimd.exe	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Hqnjek32.exe	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Dllmckbg.dll	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Aqgpml32.dll	Hqnjek32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	2096	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdkjmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lofifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbnacn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieponofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieponofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njboon32.dll"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lofifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icncgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopqjabc.dll"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll"	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll"	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diodocki.dll"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jefbnacn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2732	2192	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe	31
PID 2192 wrote to memory of 2732	2192	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe	31
PID 2192 wrote to memory of 2732	2192	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe	31
PID 2192 wrote to memory of 2732	2192	dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe	31
PID 2732 wrote to memory of 2820	2732	Hifbdnbi.exe	32
PID 2732 wrote to memory of 2820	2732	Hifbdnbi.exe	32
PID 2732 wrote to memory of 2820	2732	Hifbdnbi.exe	32
PID 2732 wrote to memory of 2820	2732	Hifbdnbi.exe	32
PID 2820 wrote to memory of 2620	2820	Hqnjek32.exe	33
PID 2820 wrote to memory of 2620	2820	Hqnjek32.exe	33
PID 2820 wrote to memory of 2620	2820	Hqnjek32.exe	33
PID 2820 wrote to memory of 2620	2820	Hqnjek32.exe	33
PID 2620 wrote to memory of 2856	2620	Hmdkjmip.exe	34
PID 2620 wrote to memory of 2856	2620	Hmdkjmip.exe	34
PID 2620 wrote to memory of 2856	2620	Hmdkjmip.exe	34
PID 2620 wrote to memory of 2856	2620	Hmdkjmip.exe	34
PID 2856 wrote to memory of 2704	2856	Icncgf32.exe	35
PID 2856 wrote to memory of 2704	2856	Icncgf32.exe	35
PID 2856 wrote to memory of 2704	2856	Icncgf32.exe	35
PID 2856 wrote to memory of 2704	2856	Icncgf32.exe	35
PID 2704 wrote to memory of 308	2704	Ieponofk.exe	36
PID 2704 wrote to memory of 308	2704	Ieponofk.exe	36
PID 2704 wrote to memory of 308	2704	Ieponofk.exe	36
PID 2704 wrote to memory of 308	2704	Ieponofk.exe	36
PID 308 wrote to memory of 2480	308	Injqmdki.exe	37
PID 308 wrote to memory of 2480	308	Injqmdki.exe	37
PID 308 wrote to memory of 2480	308	Injqmdki.exe	37
PID 308 wrote to memory of 2480	308	Injqmdki.exe	37
PID 2480 wrote to memory of 2672	2480	Ijcngenj.exe	38
PID 2480 wrote to memory of 2672	2480	Ijcngenj.exe	38
PID 2480 wrote to memory of 2672	2480	Ijcngenj.exe	38
PID 2480 wrote to memory of 2672	2480	Ijcngenj.exe	38
PID 2672 wrote to memory of 1128	2672	Jggoqimd.exe	39
PID 2672 wrote to memory of 1128	2672	Jggoqimd.exe	39
PID 2672 wrote to memory of 1128	2672	Jggoqimd.exe	39
PID 2672 wrote to memory of 1128	2672	Jggoqimd.exe	39
PID 1128 wrote to memory of 756	1128	Jfmkbebl.exe	40
PID 1128 wrote to memory of 756	1128	Jfmkbebl.exe	40
PID 1128 wrote to memory of 756	1128	Jfmkbebl.exe	40
PID 1128 wrote to memory of 756	1128	Jfmkbebl.exe	40
PID 756 wrote to memory of 2084	756	Jmfcop32.exe	41
PID 756 wrote to memory of 2084	756	Jmfcop32.exe	41
PID 756 wrote to memory of 2084	756	Jmfcop32.exe	41
PID 756 wrote to memory of 2084	756	Jmfcop32.exe	41
PID 2084 wrote to memory of 1212	2084	Jcciqi32.exe	42
PID 2084 wrote to memory of 1212	2084	Jcciqi32.exe	42
PID 2084 wrote to memory of 1212	2084	Jcciqi32.exe	42
PID 2084 wrote to memory of 1212	2084	Jcciqi32.exe	42
PID 1212 wrote to memory of 1824	1212	Jedehaea.exe	43
PID 1212 wrote to memory of 1824	1212	Jedehaea.exe	43
PID 1212 wrote to memory of 1824	1212	Jedehaea.exe	43
PID 1212 wrote to memory of 1824	1212	Jedehaea.exe	43
PID 1824 wrote to memory of 2240	1824	Jefbnacn.exe	44
PID 1824 wrote to memory of 2240	1824	Jefbnacn.exe	44
PID 1824 wrote to memory of 2240	1824	Jefbnacn.exe	44
PID 1824 wrote to memory of 2240	1824	Jefbnacn.exe	44
PID 2240 wrote to memory of 2404	2240	Kbjbge32.exe	45
PID 2240 wrote to memory of 2404	2240	Kbjbge32.exe	45
PID 2240 wrote to memory of 2404	2240	Kbjbge32.exe	45
PID 2240 wrote to memory of 2404	2240	Kbjbge32.exe	45
PID 2404 wrote to memory of 1292	2404	Koaclfgl.exe	46
PID 2404 wrote to memory of 1292	2404	Koaclfgl.exe	46
PID 2404 wrote to memory of 1292	2404	Koaclfgl.exe	46
PID 2404 wrote to memory of 1292	2404	Koaclfgl.exe	46

C:\Users\Admin\AppData\Local\Temp\dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe
"C:\Users\Admin\AppData\Local\Temp\dd6bd7f9f4ab51c00e6d38e9ba4f923714b1096a4ae5886c5b91844dfbcce7b1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\Hifbdnbi.exe
  C:\Windows\system32\Hifbdnbi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Hqnjek32.exe
    C:\Windows\system32\Hqnjek32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Hmdkjmip.exe
      C:\Windows\system32\Hmdkjmip.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\Ieponofk.exe
        
        C:\Windows\system32\Ieponofk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Ijcngenj.exe
        
        C:\Windows\system32\Ijcngenj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Jmfcop32.exe
        
        C:\Windows\system32\Jmfcop32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Jefbnacn.exe
        
        C:\Windows\system32\Jefbnacn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Lofifi32.exe
        
        C:\Windows\system32\Lofifi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hifbdnbi.exe

Filesize
320KB

MD5
d3bbf1aced2b2fd697dd8d1235e82169

SHA1
3f12e96aa5bcbd7316adc9b5643a5b217b155b71

SHA256
41e63501811386ecfcd64874d084c940a79149aeaf28f34c5f564ad95c37f0a6

SHA512
475db0753ae749597742d51831e8e6f5cdb09ecb02f8cf7dd734ae9f26ba8cf461c54e39f1ef979591cacefba8e47cdb85081cc74a3344fd00c7a2133635c900

Download Submit
C:\Windows\SysWOW64\Icncgf32.exe

Filesize
320KB

MD5
4f4171ff4ded7b93e8c2967a7e906c11

SHA1
1cf33c169501d9413435c10a4e4bd5ddd5cd20e5

SHA256
195a0d5d27f5306e6c0f64b85ced7b5bd087180876100bef7b299c6978542965

SHA512
a557745debc1d4ca3a7ab8d5586931624787a076c688ed7bacd43abd16e90b44c2d72ed6a833189f4c8d90e3434425a8374732d944685e3fc23a424478e2b361

Download Submit
C:\Windows\SysWOW64\Injqmdki.exe

Filesize
320KB

MD5
bae6c7658e6504b84f8c3ed76c5cc7a8

SHA1
c429b39a641c32aff7a6a29d4bdb63100df814c6

SHA256
9a76a3793eb80896ccbed3b524ad565b3004d7522ffc215630b494037235fc19

SHA512
553e92b458b0b7c0a0ad7f7d39c0c90d68a341645fc68f43536a600b02693fd4b23ea03ac6d16eff3ba51ae2a95dd60e03d6cdf68be1484d3df54885c579852d

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
320KB

MD5
cb2ffdf413bbe8c9d3964d13d698b11b

SHA1
56991771a7395a3c291281a49b583ac385a101b4

SHA256
62209074151742efd8cb410ec68fba3d7f735b446c600011d65f31ec2f7a0df9

SHA512
29f5580d445a2d9c80eccc8180aa148d17c6115841d5e49dd59ecbe377efe05d9a48b72eb138ec0cf9ab48156dff991ddc7b970198dd9d6b3df9cc7a794c9ec0

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
320KB

MD5
260152a1fdf4d551ee0134d2db00287e

SHA1
03a8a1a083315657e3296b5db42e492908afe7aa

SHA256
717f5bc934b5db54eef10e96dc4a91214e2360245b4c3bdc42898cdafe922ce0

SHA512
e856e936e0facd2494f11d5a20f0ff62fe9593b1d63e206aacf3dfea2a3a3dd65586e54d731447d52e24b6be88dd308981671674ef32d16a3c761d89e8082f3d

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
320KB

MD5
773b5e70ef8e97fa552508cc3468f820

SHA1
14bdbd98ad8a08a2cc9c197b3701fe066c9d90d9

SHA256
4f16a0124a0d40e95dd1eaafcf873f86b83a8073c0c30a9e0c85529b4c2cf579

SHA512
225a890b2a1a2b82f5ea8ea4b7d93378510e60e611029902ac03f2fdbe94f3b548cb90ba7d913550f47886a6321449f3ec0f028e7815c87d96e85c151c8d98b1

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
320KB

MD5
bf312125681bc5cccdc79fb2879cec65

SHA1
289c490b389dd48df44d953ebc09774ad76d5478

SHA256
69b0f5280516d98ba6dd762cd6d6f3d2f14864ca624657d0a8209af16a3158b1

SHA512
851739717f7a0498751793d67ebef85129dde095b6c5348628a5685c8f2c5af8aab56617679f2154631f31c7bb9f4c2a83e694bb2a0c35599e1c2ff6ade0d353

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
320KB

MD5
db3359ac9e1ca6035543cdf6c8d00668

SHA1
c909e9b8ab2b280af776b3f8e3c344b9d161b52f

SHA256
c00d0cf05b0181d6a4cb67b7a5270e89cde7fdb4595929b732988285ccf87ce4

SHA512
5ca935a0f40dd3dfd062ebd0ee447310a7aba1672ccf4f575a90579d52204ada705cd434046a3520c902ee6867142a237e677a73eef7de5b04ba9bfeccb6ffed

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
320KB

MD5
07c91d81c30f0af655211045e0bf9967

SHA1
7cf62b1ed02125351f21984c46724fe5061a6dd6

SHA256
0755a752962fcd873802299dfb7ddf6c040a14f018a73322553298d63cf0a2f6

SHA512
8cc90fc3bb5fe6bbbf989e2cb3f7d0a132f9166a7fee3bc8ff0b64f23a6e401174d8a4fe1be4545dc0df0e67c737a77780c6a9a801e090390b7d7cb6f7e7d62b

Download Submit
C:\Windows\SysWOW64\Leikbd32.exe

Filesize
320KB

MD5
f0432a36ccc7fb2b8a8c145923e81ceb

SHA1
ea50c0c81dcca5a5573ffb023019c2eb3d899b58

SHA256
acf8273d16f55f1ac625abaf2d7f2f5e13c892e9dcfcd026187e8c6407e2a45f

SHA512
82f31096c36a5c05284a69848bd4cd4d361057dbfd55bebbe331b62b3492fc44c6d893916de14820c047f2c1c7cd47dcc48161f3b9d0b5a79c5f4b66a3807a5a

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
320KB

MD5
9972d934f085a0e333eb9774b1a89e1d

SHA1
fd7d0c928adf0edf56159f2419fb7d0e16be2eec

SHA256
01c414a6680b2380efb111c226362917a7e0389049174430d120e1f7e8edc5f9

SHA512
69080fa9a55eca5d6c3c59d552b3eba017e65f99d3b21501433a8b275af5c2ce87f005ce9df651df33da96675c35b5758b6fe3e876627f7bd5b74d2bcf2b775c

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
320KB

MD5
973e6cfc05d0dc60946931df404073b9

SHA1
42c401b7ce162eebb30a1d5d7a435058856ad444

SHA256
08da7997a0a6b491a3afccaa2d13f205d9171640fae2a9d96f9c09e7774eb5cc

SHA512
ddeaa91f87e01e4ff94234026630f4c0aaf0df106147536cc8b8603831db515802abd1c43b3be115c3f77d9baf2fc599d8825ab538c1dd6a8723aa340ba4e665

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
320KB

MD5
54b5724f452029f81ae9b2b03ba584fc

SHA1
624f01e99eadc6f01798baabd1aa90c0d78bb757

SHA256
e9675f1e55c48d65b11249e8feebf659575f181f0e0634d2b1a50771db4893ea

SHA512
06295fc75fe502c02d615123b70a38554e72ce9e8bd4a3002212ecbefb61a7ab14df127d9e0aa994b444f4609844b8d7c4401939af56afc19654316dffd683b0

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
320KB

MD5
be94ed731853d2f66b89e4e478cfc18f

SHA1
adead823ebe0b04fd3b0992a2fba8d2b8cf0debe

SHA256
365bd829662f5a0065853607f1f3a03995779d1ad6cd970684773eb57ff36f39

SHA512
cafcb0fec9242400edf08e91ee3f40b40596b87a61fa271fe2762d717fcdfcc9f6a358579a723e8db920c157a9accc0bb507e366c61953ab9b581b2728fea87a

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
320KB

MD5
3d291b07b280bb44599ec7398e8be045

SHA1
17ca0fc598e871fb18809737a17d438bfb7dbbab

SHA256
2ef5922f14beff67775ddc4b63a656232c190150c96031e6b7202546a37215d9

SHA512
fe8b77a45eeb51264f35fb505688ef57dfa1d099bf791b9a4d96c0c14964a2aa8af1769b11d1f81b7e424c2045c602f486a1614db210cdfbe06858c614a56e82

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
320KB

MD5
eb01755edf9adb85daa8e2ccac50609e

SHA1
b5d68efc042188bc8135d76b815a412338f1a83a

SHA256
571673bd53f6d3e60c6767d69a8edaaa3764646c11f7754568581252a29a2c9c

SHA512
9ca3cb713478c897da157aa4ba2204d30959361dc1e7a251e6a2f79dd5c79188e0cdbf87325671480ccb495d1b37495578dd873b0af0a211ba9c04c2931516cc

Download Submit
C:\Windows\SysWOW64\Lofifi32.exe

Filesize
320KB

MD5
b660fe75480791eb1fb4d57986794658

SHA1
daa32df394fb140522d6700fba0a9aed69b4a36b

SHA256
8511968de8b5dca4d871e4ed1acac5d8ee349b38fa83bb3427a11889faec7ae5

SHA512
0f561156c092e8becc78811755f4e4043cd36d5e01a0e6da9d765cb73a110dc85954b03ec5098c84e0c1c62bd0f01dd9cbc643f09eb683ecae159e5c7a8d7dbd

Download Submit
C:\Windows\SysWOW64\Njboon32.dll

Filesize
7KB

MD5
900609facd5d0eddde562cd8606cdeb7

SHA1
cbecfb413ef33ba17fb32d1ff952c2224002d173

SHA256
bae4d49c3d9e368da9aa76acc6528bebd613efe7ac87b40728d3b6174f84600b

SHA512
3e587aa2f9a67dd36849f3439a84ca10b0e4cc2d51571f6fdbf7cd8f7ef6a4cd73d7e175178113d4687b4059b4e92b701fc701fe009cc6c083e45d0cd6f91684

Download Submit
\Windows\SysWOW64\Hmdkjmip.exe

Filesize
320KB

MD5
8c75a8a0679c81a67202e2be498c39f9

SHA1
9a02325def1ec683f64a792ad32e94339e583a66

SHA256
5d8f3e2bbb15f6a8cf92cb8755e8dbc23e54b568ce015e292aa9078972fa1856

SHA512
35329ff33bad7c0ed0ff2300509cd1cc619cc06221e47f6541ca15f32b3d49c9dde364f7a8026ee605e8a998a34dca3fcf83d5cb6f90bd8f213bc2b401c7d941

Download Submit
\Windows\SysWOW64\Hqnjek32.exe

Filesize
320KB

MD5
798313e8946f8de7ac32d85402c37af6

SHA1
35153f0cc03abcfbe6578ee65a152015e272c9a6

SHA256
e8eec4dfbddde602153b5ec80b3cea12ab9e0f4eeae1c2958f070d550add8252

SHA512
d4640c96ce5d76b5dad2a627a1b59a4847369f0ca425782092d65879813450b09cb4ce9cc5fad2953cbdacf6b40b3dd62ff646005b56d5e0df55de0636cc4481

Download Submit
\Windows\SysWOW64\Ieponofk.exe

Filesize
320KB

MD5
9cc7619e1ceb815ec86c130c3ab492b3

SHA1
64de7a2a74da02707406ac21eb123bf869ace375

SHA256
eb48d7295ecb8d57946f7bbe63014a8c57207a2f42ac91c70b5d88b1b6c9cf9e

SHA512
f031f63961d807cc86d9b6d94a749c0c1f18d0fb292a0f036c73ebb9757fea3bf94ef80a4759ec15360753aa4ac1e3e85a51ddbc6292cf7a71620c48658c345d

Download Submit
\Windows\SysWOW64\Ijcngenj.exe

Filesize
320KB

MD5
e45f63e41cab10b810821f9c978a0bf8

SHA1
cbc0e2a09ce75c11fe9722a1570bf338ba128310

SHA256
b4bb3f36c823342562ed0bb631d68b310fea1ba82ce4841f96ad84cc0c074789

SHA512
4203b38423d6f3d31230e2c8de6e69349eff0b5213d5e2d586b0c3a6fb309e414275d1703b8af2d061a002debbc8e70a71bd3d198fc99e8499926c1f3418ed41

Download Submit
\Windows\SysWOW64\Jcciqi32.exe

Filesize
320KB

MD5
2cbbc420374db9bb26a98eb60c94cc4e

SHA1
277931795e8b19e5a7bd3186f22b88bc82b7cdf6

SHA256
f6466cf763281cb13277425180b7d728dbe9d8ecb9f1ebf81361130f313cf7f3

SHA512
cc9901d50fff68d8a4884c0cae91bbeca1a554fa2bf586fdb142df53f96ac3a157d64b690c41a169c5283f60290543ba97cb03c2b4496814939f5283d9b900a8

Download Submit
\Windows\SysWOW64\Jedehaea.exe

Filesize
320KB

MD5
817eccb3072c3f2537ed9930661bfd45

SHA1
eee9a84546e39f893ec6983a878ce2ca97562644

SHA256
5a7c2cd552a8b21ccd531bda87a4b73cd79e1ef656546d00f5cf50bac07306a8

SHA512
e1aec22d5dbe05f19bb3ca856ac365ad54df858e1a1a56351c51a91b55604ff7f15f6e53c999dfa0a6c4f6b6e5c723fd8b7c769fdff85293bc7fb2d932088d2b

Download Submit
\Windows\SysWOW64\Jefbnacn.exe

Filesize
320KB

MD5
81a7a933205d6e9e64f67ed16ce12a14

SHA1
24628e7a6e5a0a7be550db1c9fc76491bf355f2c

SHA256
27d4669cc5878615e01be552907dc4b53bbff2d6517a4a08552a3d67c1e7f131

SHA512
08c06acb6c2e123bee326b6bdc2afe5d4efa6e3ecd6853ad0853d70df9ed5192129329255c78b8aff523d7497153cdaf6e7a68efe04000b73897abc145cc3ee2

Download Submit
\Windows\SysWOW64\Jfmkbebl.exe

Filesize
320KB

MD5
17f359bc51072d360229a2cb7101c5c5

SHA1
ea9cece0104be8d33a0917c2b8703915cab12ac4

SHA256
1d76c6fad782a2a14a118144dfe82e0b86412fc7e4215a9b7c1b566e49ca2476

SHA512
e99a2a648e2562d0e000522676e07faf8eabebb401647b535e921a31903c64465bead2a7d611507552d8f3656a1a29e2833fc5271872d24dd5f46fa9bd3dbd9b

Download Submit
\Windows\SysWOW64\Jggoqimd.exe

Filesize
320KB

MD5
45d91829071432fdd8b1599b69a8843f

SHA1
b901dc2815458ae5c9461be4286aed0c98f7aa79

SHA256
6dc5c2d26235855da419b14f4334255cbdf12013ffa80b2d139dfaeb61fad0fb

SHA512
c4b7514d696dd8ffeace11bdb1d9b58064fa2f360a1019c113874a36905d025e111ea1abaf7a1463c1b4589bb84a1c7e3b064be3cad61c9c713b680bd355ddf8

Download Submit
\Windows\SysWOW64\Jmfcop32.exe

Filesize
320KB

MD5
af71a564821f203daaa151108177344f

SHA1
d088bcfebba91331dee99ea9ecbb1fd5c8d2ada0

SHA256
007147945e03d0195092b42d6b5bce94cba70306e080648b5c90d217456a16f0

SHA512
ae257d159ab61620faf2026b140fefc4b9288891d9e2b5aa85fddda80d2257636f7c41179890406c56c236186ff6713c15ac36cb542fec757b82baec52aabef1

Download Submit
\Windows\SysWOW64\Kbjbge32.exe

Filesize
320KB

MD5
19566d0054f79427f597fbae81cbaa67

SHA1
b5675895eb5e7de9cc340190077c4128d64873e0

SHA256
c6d7edf665a20d85bd0d1e166a434f7cc8f7aca8bcb1191964cf86150c88cc54

SHA512
2cfc8440632cce3f11a913f1a9ea84b2a9cdaab39d4a7b800511a388ac9454ccfeaeb6850ceab1ed56adb5d84eb47b01be8a8812d34d9e7a4dc74480484e4a55

Download Submit
\Windows\SysWOW64\Kdnkdmec.exe

Filesize
320KB

MD5
053086e1ac224a0f445fefed0f424d52

SHA1
2781927571c0bdb8ebf48050e33062d9336cfd21

SHA256
1b0cf8109a64925b14ec6294cf9b14c73981c64a7a0e67cf323cffaea0dcb9cd

SHA512
37709ed7b0f3e72656fb699ff9301e0410af7dbfc5131f251525d71451bb343f7649a6ad569d5013fff15797d229013c2774556cf4bbc916c64f08783134b91a

Download Submit
\Windows\SysWOW64\Koaclfgl.exe

Filesize
320KB

MD5
b801a1ed443207f495943bfc0f3ce4b3

SHA1
728e8b17c565a60bcf2c75a94cecd3bed1cbfd5b

SHA256
9931561faee38431d44a8b1670a5e14bda883a37de13501a68f592e993ff16fe

SHA512
984afc0524a0eff905dc21da25a3582744b4dc1f23615d9d910b186fc74be37a01c881bcb21a7b420a791789d953a333696488c3cc066b9f3d081dca2bc9ef05

Download Submit
memory/308-83-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/308-90-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/308-397-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/756-139-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/756-392-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/756-146-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/804-374-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/804-377-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/804-375-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1128-129-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1128-394-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1128-133-0x0000000000370000-0x00000000003B6000-memory.dmp

Filesize
280KB

Download
memory/1212-178-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/1212-389-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1212-179-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/1212-166-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1292-393-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1292-231-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1292-223-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1624-387-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1624-242-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1696-298-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1696-308-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1696-307-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1772-297-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/1772-287-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1772-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1772-296-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/1824-390-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1824-181-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1824-193-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2084-391-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2084-164-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2096-382-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2096-376-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2132-265-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2132-274-0x00000000002E0000-0x0000000000326000-memory.dmp

Filesize
280KB

Download
memory/2132-275-0x00000000002E0000-0x0000000000326000-memory.dmp

Filesize
280KB

Download
memory/2132-388-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2164-384-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2164-286-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2164-285-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2164-276-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2192-357-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2192-23-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2192-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2192-24-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2192-359-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2192-363-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2240-195-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2240-202-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/2292-254-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2292-263-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2292-264-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2292-385-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2404-396-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2404-217-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/2404-210-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2412-337-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2412-379-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2412-341-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/2412-331-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2480-97-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2480-109-0x0000000000380000-0x00000000003C6000-memory.dmp

Filesize
280KB

Download
memory/2596-351-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/2596-350-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/2596-378-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2620-46-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2632-364-0x0000000001FB0000-0x0000000001FF6000-memory.dmp

Filesize
280KB

Download
memory/2632-352-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2632-380-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-111-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-118-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/2704-70-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2704-81-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download
memory/2704-398-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2732-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2732-26-0x00000000007A0000-0x00000000007E6000-memory.dmp

Filesize
280KB

Download
memory/2740-319-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2740-318-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2740-395-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2740-309-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2776-329-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2776-381-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2776-330-0x00000000003B0000-0x00000000003F6000-memory.dmp

Filesize
280KB

Download
memory/2776-320-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2820-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2820-365-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2856-67-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download
memory/2856-66-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download
memory/2856-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2856-399-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2944-386-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2944-243-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2944-248-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download
memory/2944-253-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads