berbew | 54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Size

45KB
MD5

ae03918e9f29c83d997fd93ed146d46e
SHA1

c7f9c7c1585abf9a5f687396cac478b5915737a2
SHA256

54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d
SHA512

f0cf3a191870d7de4e81c42147f476317d61330e1f35f1f7aae8fcc3ae4928ffd7aadefe9c27ec54a7e98b373b344a23e050ba72d6f3f2fff890c395f87f339f
SSDEEP

768:5V7xQZ2d7YrMCQ3TASHNWcbfyiWZ5f2lfBr/65CB/8UiVl/1H5O:mZnOUuN+BYV48s0

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pigklmqc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abinjdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admgglep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpooe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhominh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojkhjabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgcnnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgaahh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okkddd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbdipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbdipa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnpcpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcmkhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogaeieoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckkenikc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pigklmqc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmelpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobmm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfkkeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckkenikc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfkkeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgaahh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcnnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnpcpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhhominh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohjkcile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojkhjabc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogaeieoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohjkcile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abinjdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjpnj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 31 IoCs

pid	Process
2844	Nhhominh.exe
2808	Ohjkcile.exe
3052	Ojkhjabc.exe
1076	Okkddd32.exe
2652	Ogaeieoj.exe
1056	Pigklmqc.exe
2712	Pfkkeq32.exe
884	Pnfpjc32.exe
3020	Pbdipa32.exe
1964	Pgaahh32.exe
1800	Pgcnnh32.exe
756	Qnpcpa32.exe
1360	Qcmkhi32.exe
604	Qijdqp32.exe
952	Ailqfooi.exe
1124	Amjiln32.exe
1036	Ahcjmkbo.exe
1316	Abinjdad.exe
1128	Anpooe32.exe
1080	Admgglep.exe
2092	Bmelpa32.exe
1628	Bhjpnj32.exe
2252	Bdaabk32.exe
1460	Blobmm32.exe
2276	Bgdfjfmi.exe
2940	Blaobmkq.exe
1760	Ceickb32.exe
2900	Capdpcge.exe
2432	Ckiiiine.exe
2136	Ckkenikc.exe
2664	Coindgbi.exe

Loads dropped DLL 62 IoCs

pid	Process
2208	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
2208	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
2844	Nhhominh.exe
2844	Nhhominh.exe
2808	Ohjkcile.exe
2808	Ohjkcile.exe
3052	Ojkhjabc.exe
3052	Ojkhjabc.exe
1076	Okkddd32.exe
1076	Okkddd32.exe
2652	Ogaeieoj.exe
2652	Ogaeieoj.exe
1056	Pigklmqc.exe
1056	Pigklmqc.exe
2712	Pfkkeq32.exe
2712	Pfkkeq32.exe
884	Pnfpjc32.exe
884	Pnfpjc32.exe
3020	Pbdipa32.exe
3020	Pbdipa32.exe
1964	Pgaahh32.exe
1964	Pgaahh32.exe
1800	Pgcnnh32.exe
1800	Pgcnnh32.exe
756	Qnpcpa32.exe
756	Qnpcpa32.exe
1360	Qcmkhi32.exe
1360	Qcmkhi32.exe
604	Qijdqp32.exe
604	Qijdqp32.exe
952	Ailqfooi.exe
952	Ailqfooi.exe
1124	Amjiln32.exe
1124	Amjiln32.exe
1036	Ahcjmkbo.exe
1036	Ahcjmkbo.exe
1316	Abinjdad.exe
1316	Abinjdad.exe
1128	Anpooe32.exe
1128	Anpooe32.exe
1080	Admgglep.exe
1080	Admgglep.exe
2092	Bmelpa32.exe
2092	Bmelpa32.exe
1628	Bhjpnj32.exe
1628	Bhjpnj32.exe
2252	Bdaabk32.exe
2252	Bdaabk32.exe
1460	Blobmm32.exe
1460	Blobmm32.exe
2276	Bgdfjfmi.exe
2276	Bgdfjfmi.exe
2940	Blaobmkq.exe
2940	Blaobmkq.exe
1760	Ceickb32.exe
1760	Ceickb32.exe
2900	Capdpcge.exe
2900	Capdpcge.exe
2432	Ckiiiine.exe
2432	Ckiiiine.exe
2136	Ckkenikc.exe
2136	Ckkenikc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Comjjjlc.dll	Abinjdad.exe
File created	C:\Windows\SysWOW64\Hdjgff32.dll	Bmelpa32.exe
File created	C:\Windows\SysWOW64\Cmfjgc32.dll	Ceickb32.exe
File opened for modification	C:\Windows\SysWOW64\Nhhominh.exe	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
File created	C:\Windows\SysWOW64\Ohjkcile.exe	Nhhominh.exe
File created	C:\Windows\SysWOW64\Ahcjmkbo.exe	Amjiln32.exe
File created	C:\Windows\SysWOW64\Admgglep.exe	Anpooe32.exe
File opened for modification	C:\Windows\SysWOW64\Capdpcge.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Okkddd32.exe	Ojkhjabc.exe
File created	C:\Windows\SysWOW64\Qcmkhi32.exe	Qnpcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Qcmkhi32.exe	Qnpcpa32.exe
File created	C:\Windows\SysWOW64\Eobohl32.dll	Anpooe32.exe
File created	C:\Windows\SysWOW64\Ggkben32.dll	Nhhominh.exe
File created	C:\Windows\SysWOW64\Heobhfnp.dll	Ogaeieoj.exe
File created	C:\Windows\SysWOW64\Eejanc32.dll	Qnpcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Amjiln32.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Blaobmkq.exe	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Ojkhjabc.exe	Ohjkcile.exe
File opened for modification	C:\Windows\SysWOW64\Qnpcpa32.exe	Pgcnnh32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdqp32.exe	Qcmkhi32.exe
File created	C:\Windows\SysWOW64\Nckopjfk.dll	Pgaahh32.exe
File created	C:\Windows\SysWOW64\Gpfecckm.dll	Qijdqp32.exe
File created	C:\Windows\SysWOW64\Bijpeihq.dll	Bhjpnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Eglhaeef.dll	Ojkhjabc.exe
File opened for modification	C:\Windows\SysWOW64\Pnfpjc32.exe	Pfkkeq32.exe
File created	C:\Windows\SysWOW64\Eoadpbdp.dll	Pnfpjc32.exe
File created	C:\Windows\SysWOW64\Mncmib32.dll	Amjiln32.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Capdpcge.exe
File created	C:\Windows\SysWOW64\Ogaeieoj.exe	Okkddd32.exe
File created	C:\Windows\SysWOW64\Pgcnnh32.exe	Pgaahh32.exe
File created	C:\Windows\SysWOW64\Oeficpoq.dll	Ailqfooi.exe
File opened for modification	C:\Windows\SysWOW64\Bhjpnj32.exe	Bmelpa32.exe
File opened for modification	C:\Windows\SysWOW64\Blaobmkq.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Pnfpjc32.exe	Pfkkeq32.exe
File opened for modification	C:\Windows\SysWOW64\Pgaahh32.exe	Pbdipa32.exe
File created	C:\Windows\SysWOW64\Anpooe32.exe	Abinjdad.exe
File created	C:\Windows\SysWOW64\Ailqfooi.exe	Qijdqp32.exe
File opened for modification	C:\Windows\SysWOW64\Bdaabk32.exe	Bhjpnj32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Ckkenikc.exe
File opened for modification	C:\Windows\SysWOW64\Ogaeieoj.exe	Okkddd32.exe
File created	C:\Windows\SysWOW64\Pgaahh32.exe	Pbdipa32.exe
File created	C:\Windows\SysWOW64\Ihjfjc32.dll	Pgcnnh32.exe
File created	C:\Windows\SysWOW64\Qnpcpa32.exe	Pgcnnh32.exe
File created	C:\Windows\SysWOW64\Blobmm32.exe	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Blobmm32.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Ojkhjabc.exe	Ohjkcile.exe
File created	C:\Windows\SysWOW64\Nnbaaioa.dll	Pigklmqc.exe
File created	C:\Windows\SysWOW64\Pbdipa32.exe	Pnfpjc32.exe
File opened for modification	C:\Windows\SysWOW64\Ckkenikc.exe	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Pigklmqc.exe	Ogaeieoj.exe
File created	C:\Windows\SysWOW64\Ljkaejba.dll	Bdaabk32.exe
File created	C:\Windows\SysWOW64\Kacclb32.dll	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Ckkenikc.exe
File created	C:\Windows\SysWOW64\Amjiln32.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Bmelpa32.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Bhhjdb32.dll	Admgglep.exe
File opened for modification	C:\Windows\SysWOW64\Blobmm32.exe	Bdaabk32.exe
File created	C:\Windows\SysWOW64\Gaklhb32.dll	Qcmkhi32.exe
File created	C:\Windows\SysWOW64\Abinjdad.exe	Ahcjmkbo.exe
File opened for modification	C:\Windows\SysWOW64\Admgglep.exe	Anpooe32.exe
File opened for modification	C:\Windows\SysWOW64\Bmelpa32.exe	Admgglep.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anpooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdaabk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohjkcile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbdipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgaahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnpcpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abinjdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmelpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjpnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojkhjabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pigklmqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfpjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaobmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcnnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkenikc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailqfooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahcjmkbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjiln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capdpcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhominh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogaeieoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcmkhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfkkeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglhaeef.dll"	Ojkhjabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikicmc32.dll"	Pbdipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckkenikc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojkhjabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfkkeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcigjjli.dll"	Ahcjmkbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anpooe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Ckkenikc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkndgbj.dll"	Okkddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnpcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll"	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pigklmqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjiln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgff32.dll"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogaeieoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhhominh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbaaioa.dll"	Pigklmqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfpjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbdipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amjiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diggcodj.dll"	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okkddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogaeieoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfkkeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbdipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckopjfk.dll"	Pgaahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcmkhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anpooe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjpnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjjjlc.dll"	Abinjdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgcnnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egikbd32.dll"	Pfkkeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoadpbdp.dll"	Pnfpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjfjc32.dll"	Pgcnnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklhb32.dll"	Qcmkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncmib32.dll"	Amjiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhominh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohjkcile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojkhjabc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okkddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pigklmqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgaahh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgcnnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnpcpa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2844	2208	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe	30
PID 2208 wrote to memory of 2844	2208	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe	30
PID 2208 wrote to memory of 2844	2208	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe	30
PID 2208 wrote to memory of 2844	2208	54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe	30
PID 2844 wrote to memory of 2808	2844	Nhhominh.exe	31
PID 2844 wrote to memory of 2808	2844	Nhhominh.exe	31
PID 2844 wrote to memory of 2808	2844	Nhhominh.exe	31
PID 2844 wrote to memory of 2808	2844	Nhhominh.exe	31
PID 2808 wrote to memory of 3052	2808	Ohjkcile.exe	32
PID 2808 wrote to memory of 3052	2808	Ohjkcile.exe	32
PID 2808 wrote to memory of 3052	2808	Ohjkcile.exe	32
PID 2808 wrote to memory of 3052	2808	Ohjkcile.exe	32
PID 3052 wrote to memory of 1076	3052	Ojkhjabc.exe	33
PID 3052 wrote to memory of 1076	3052	Ojkhjabc.exe	33
PID 3052 wrote to memory of 1076	3052	Ojkhjabc.exe	33
PID 3052 wrote to memory of 1076	3052	Ojkhjabc.exe	33
PID 1076 wrote to memory of 2652	1076	Okkddd32.exe	34
PID 1076 wrote to memory of 2652	1076	Okkddd32.exe	34
PID 1076 wrote to memory of 2652	1076	Okkddd32.exe	34
PID 1076 wrote to memory of 2652	1076	Okkddd32.exe	34
PID 2652 wrote to memory of 1056	2652	Ogaeieoj.exe	35
PID 2652 wrote to memory of 1056	2652	Ogaeieoj.exe	35
PID 2652 wrote to memory of 1056	2652	Ogaeieoj.exe	35
PID 2652 wrote to memory of 1056	2652	Ogaeieoj.exe	35
PID 1056 wrote to memory of 2712	1056	Pigklmqc.exe	36
PID 1056 wrote to memory of 2712	1056	Pigklmqc.exe	36
PID 1056 wrote to memory of 2712	1056	Pigklmqc.exe	36
PID 1056 wrote to memory of 2712	1056	Pigklmqc.exe	36
PID 2712 wrote to memory of 884	2712	Pfkkeq32.exe	37
PID 2712 wrote to memory of 884	2712	Pfkkeq32.exe	37
PID 2712 wrote to memory of 884	2712	Pfkkeq32.exe	37
PID 2712 wrote to memory of 884	2712	Pfkkeq32.exe	37
PID 884 wrote to memory of 3020	884	Pnfpjc32.exe	38
PID 884 wrote to memory of 3020	884	Pnfpjc32.exe	38
PID 884 wrote to memory of 3020	884	Pnfpjc32.exe	38
PID 884 wrote to memory of 3020	884	Pnfpjc32.exe	38
PID 3020 wrote to memory of 1964	3020	Pbdipa32.exe	39
PID 3020 wrote to memory of 1964	3020	Pbdipa32.exe	39
PID 3020 wrote to memory of 1964	3020	Pbdipa32.exe	39
PID 3020 wrote to memory of 1964	3020	Pbdipa32.exe	39
PID 1964 wrote to memory of 1800	1964	Pgaahh32.exe	40
PID 1964 wrote to memory of 1800	1964	Pgaahh32.exe	40
PID 1964 wrote to memory of 1800	1964	Pgaahh32.exe	40
PID 1964 wrote to memory of 1800	1964	Pgaahh32.exe	40
PID 1800 wrote to memory of 756	1800	Pgcnnh32.exe	41
PID 1800 wrote to memory of 756	1800	Pgcnnh32.exe	41
PID 1800 wrote to memory of 756	1800	Pgcnnh32.exe	41
PID 1800 wrote to memory of 756	1800	Pgcnnh32.exe	41
PID 756 wrote to memory of 1360	756	Qnpcpa32.exe	42
PID 756 wrote to memory of 1360	756	Qnpcpa32.exe	42
PID 756 wrote to memory of 1360	756	Qnpcpa32.exe	42
PID 756 wrote to memory of 1360	756	Qnpcpa32.exe	42
PID 1360 wrote to memory of 604	1360	Qcmkhi32.exe	43
PID 1360 wrote to memory of 604	1360	Qcmkhi32.exe	43
PID 1360 wrote to memory of 604	1360	Qcmkhi32.exe	43
PID 1360 wrote to memory of 604	1360	Qcmkhi32.exe	43
PID 604 wrote to memory of 952	604	Qijdqp32.exe	44
PID 604 wrote to memory of 952	604	Qijdqp32.exe	44
PID 604 wrote to memory of 952	604	Qijdqp32.exe	44
PID 604 wrote to memory of 952	604	Qijdqp32.exe	44
PID 952 wrote to memory of 1124	952	Ailqfooi.exe	45
PID 952 wrote to memory of 1124	952	Ailqfooi.exe	45
PID 952 wrote to memory of 1124	952	Ailqfooi.exe	45
PID 952 wrote to memory of 1124	952	Ailqfooi.exe	45

C:\Users\Admin\AppData\Local\Temp\54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe
"C:\Users\Admin\AppData\Local\Temp\54abd40777b0d82818423d504ff61f5735fa08118dff18578b2a710f7025901d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Nhhominh.exe
  C:\Windows\system32\Nhhominh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Ohjkcile.exe
    C:\Windows\system32\Ohjkcile.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Ojkhjabc.exe
      C:\Windows\system32\Ojkhjabc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\Okkddd32.exe
        
        C:\Windows\system32\Okkddd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\SysWOW64\Ogaeieoj.exe
        
        C:\Windows\system32\Ogaeieoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Pigklmqc.exe
        
        C:\Windows\system32\Pigklmqc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Pfkkeq32.exe
        
        C:\Windows\system32\Pfkkeq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Pnfpjc32.exe
        
        C:\Windows\system32\Pnfpjc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Pbdipa32.exe
        
        C:\Windows\system32\Pbdipa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Pgaahh32.exe
        
        C:\Windows\system32\Pgaahh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Pgcnnh32.exe
        
        C:\Windows\system32\Pgcnnh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Qnpcpa32.exe
        
        C:\Windows\system32\Qnpcpa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Qcmkhi32.exe
        
        C:\Windows\system32\Qcmkhi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Qijdqp32.exe
        
        C:\Windows\system32\Qijdqp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\SysWOW64\Ailqfooi.exe
        
        C:\Windows\system32\Ailqfooi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Amjiln32.exe
        
        C:\Windows\system32\Amjiln32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Ahcjmkbo.exe
        
        C:\Windows\system32\Ahcjmkbo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Abinjdad.exe
        
        C:\Windows\system32\Abinjdad.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Anpooe32.exe
        
        C:\Windows\system32\Anpooe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Admgglep.exe
        
        C:\Windows\system32\Admgglep.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Bmelpa32.exe
        
        C:\Windows\system32\Bmelpa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Bhjpnj32.exe
        
        C:\Windows\system32\Bhjpnj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Bdaabk32.exe
        
        C:\Windows\system32\Bdaabk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Blobmm32.exe
        
        C:\Windows\system32\Blobmm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Blaobmkq.exe
        
        C:\Windows\system32\Blaobmkq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Capdpcge.exe
        
        C:\Windows\system32\Capdpcge.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ckkenikc.exe
        
        C:\Windows\system32\Ckkenikc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abinjdad.exe

Filesize
45KB

MD5
0387897db8f3d1682f46955470e682c3

SHA1
bdb2d103306f36c20ff960b01c3d24feffb3bd6b

SHA256
2c0f3303b8e895d704bc4bb4deae9a9a07e98b1504ab0081017be3d4d6dade7c

SHA512
fedaef2edaa62d75177b69bac00d8184f87c14dbc6b4e81e6779f1238e159b8e1156d78d9fc47b0809c2503073173dc2b275c8a226cc22fac2ef57ab066f8a54

Download Submit
C:\Windows\SysWOW64\Admgglep.exe

Filesize
45KB

MD5
405a455c349a81eb94e68774e2fa941a

SHA1
ddd35dd695611e23397b78b59444add5da865f29

SHA256
fa5866dca515f6bf0dd248671fda0d72630e1288ad304b4a0a0ad0a66a4fb927

SHA512
37fc5f0df72529b4da796752bd68fd66b5d54a553ea5868f7bdb9281f2c76861172925e4bb3e2521f7df9138435915b74063cc26556cc11fe945749dd6081eef

Download Submit
C:\Windows\SysWOW64\Ahcjmkbo.exe

Filesize
45KB

MD5
87d0bee59513dc7c74d36dcf233cbd29

SHA1
b7f6a99db60eb04e7b0f95eacb425a02095dc42b

SHA256
94e7b9773826c2d11f3a7d4777ba4b76c0c48ca013c6ee385c066d634c31c3b8

SHA512
420fba90da723a6bd371bc9b65c9163bd598f0de859b0c4d810dac0163e40d05c78eeb244a0e386f09693d45fbd4d9a19a423e51932841d9348359430546263d

Download Submit
C:\Windows\SysWOW64\Amjiln32.exe

Filesize
45KB

MD5
f97c1890ea1313d4eeb829153549278b

SHA1
25acec02104cfae26f376add5a7a377e76056124

SHA256
1ff450061237b7c8e21de98cee1ea9eed21b5b1514aa06fa9eb8ad38a59c5173

SHA512
73cde2be8a6c770278c5305cc5dc973b6e30462acc92d71ef03c78b0cbd7967946d1d3f0404420657d51b9123804adbcdf09d84d0c357ded4d002949ce481184

Download Submit
C:\Windows\SysWOW64\Anpooe32.exe

Filesize
45KB

MD5
4c31b840b62025bbfad78400b66b8ee6

SHA1
117160841187f95164734287c050073384f5bb9d

SHA256
e2ea88c921ff07856c87a53fdce3e33d1a07d21e494a443f7f2a64d3c029388d

SHA512
75daf98f932fbb71f3a284194adf6d0ba63cea8644dcfed4ef5e20cfb173d3cdfc6b4e51bcd2e5ba5303934a238b257ce7c24ba540ee4025f237de4f2a1f1b5e

Download Submit
C:\Windows\SysWOW64\Bdaabk32.exe

Filesize
45KB

MD5
899592f17093f4cf5569e418c82129be

SHA1
75255f835857c80e9114edaaee57c25c60f6fe54

SHA256
4cddcca1c2da59805250573c44d4986465dec70fc27fa21c28f95ea2dc53e62c

SHA512
de746171bfc8fbec6ace8db70609489a36141f291c8fe68b1d3322d18fbd1dd3689c2117c3e3c1a91f86dae9f37b509006aec18cbcdf4b091025109926a78765

Download Submit
C:\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
45KB

MD5
53f0c726799c78d675c3253d7d6fbf87

SHA1
e70bfae616916cb96e85a62fb3391c24799d5707

SHA256
f36f0c0e7419cfff762f91db48bd64346ad550afbfc2d8441a7744aff9c5c5cb

SHA512
2eecb525fb850ff05157d957e2bc926a812e68fa19ec2bc7684fa5582ab0c7867ac3a0c9e8ac6c1ea5febdfe34ee61930774f2abab871abc22df8dd791774ef0

Download Submit
C:\Windows\SysWOW64\Bhjpnj32.exe

Filesize
45KB

MD5
f1c677d97f0aae6903ae2baa36aa2346

SHA1
cfa28e25f7c810291bd96b782475c8b4b270a860

SHA256
f91908d6a8fccc285b988e69bef19fb7c1dbb6a97ca3b7d5ec7502d5eaf2659a

SHA512
128cef8f0b5d646d83b57260af12dfd3e1adae8f3543d372eebde6df299fb79371ee3ecc217bd31bcafa290666d19fbe068f9c75bc19a544f934896670c72497

Download Submit
C:\Windows\SysWOW64\Blaobmkq.exe

Filesize
45KB

MD5
3266c91282e406c5235865b39bc6fc60

SHA1
259d144d933294704d21f71078decbafbcd0d0c4

SHA256
7dd45fc1dd32d7c28fc19b68ce8c724b2dfd1ddf00971f8ad849a8732580f096

SHA512
18e3d32d5868f24bf90a025aebd864c810da23d193ce398abfa122c8b771be85867ab21c3c9f114a69b9b231d3cb7ae4a2a525d97f63804fd910712588fc592e

Download Submit
C:\Windows\SysWOW64\Blobmm32.exe

Filesize
45KB

MD5
43d6d018b031c09eb3d0194894372c34

SHA1
7fc7762a1a43b4229f9223a7c8542a650fe5bfa2

SHA256
fc525654c72f09c872fd5d69b3a9bc63684671597993f67e5214936c9117fba0

SHA512
5826db2b7d91e1dd127a04943502281bd7bdff27158417b909d38d09fb88e1214fcb1690d8983bc2cb5552a08bc505f2706f492ba1abb4536734c7cd6348de88

Download Submit
C:\Windows\SysWOW64\Bmelpa32.exe

Filesize
45KB

MD5
14d7c481f108d4e1840af61e7d065180

SHA1
83afdf69420b261fc844a1e36620c311ac3a9b16

SHA256
08dcd213f2258b17d13121a1324a05463f4b237a5c9662089c24d2934bb983e3

SHA512
d6bbb384b5867177006ced457396ec0efb9c699177894f995b4e9aa9cb3c6a894351d3996fde140c832baa8f5e6c738e85b2b1ce5aa5bc351f7ddab564b2fa11

Download Submit
C:\Windows\SysWOW64\Capdpcge.exe

Filesize
45KB

MD5
c3ac13e11fa3db4ecbee9c0c4b1e4839

SHA1
4657a9a5c21da6355c730785d27e51c5ba32dd7f

SHA256
9519050acb0d68ce50ceb7e9fb5f43b369524be79c3e74e470ec47478c0f8ecb

SHA512
0518d2054682b3df0915eb3792d764e6869dc2b31e8fea81fbc094c4c83dbece186f31c7ae6bf568411e7b9567d4b8cdfed9a6a56d663234cea034750f0ab2b5

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
45KB

MD5
85bef001dbee397140087f5775607d4b

SHA1
c00175f8f2bc98b08186c3865b3803762ff8612e

SHA256
a9c2384aae8db4159d429d31ffc2dab02633a0731f8cf97f96fd85a9482ba084

SHA512
04950d9b0ae69347ba1194a810d6b7845daeb646a21082b5e29d8ca2af8a0c3ee6c61e2b8dd23a22f63d605d260cd073f57dffaaf75b63a48cabdc4c3d414685

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
45KB

MD5
5a923caf45c1778cada95d2d43ea9201

SHA1
85e722685577bfd6e457af7f9c2716f7273076b1

SHA256
6c271e20c04f45706bc237bac044602ed0efa7ca484a1ad02150578bf46e46e2

SHA512
ca3ebca38bd4f5b578ed1733d45a592bfb177c2d0281c4e7b2d29553863f5bb3f3e78c499ead102f1e0a2ddc8361bd22e49bfdec45ce95e6a6c1348b6ac516ea

Download Submit
C:\Windows\SysWOW64\Ckkenikc.exe

Filesize
45KB

MD5
857b58a9f86ba2e4d54f35a05fd0ffc2

SHA1
d5ca62789b96f01f07f5ea0901bbae325256901a

SHA256
5a7d41b21944559c066e9707f3299b8f36c1d909d10e674da9b2952e2b7a8f5c

SHA512
0294fcc298de5bf86c92e90228bfaec620ab18cb463c3bcd77b6dc958c7eafd9e0534d70b2e4c7b6ece68147e914f381f019ee5cfe81889b2bd4fe588693af2e

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
45KB

MD5
4412a3dd982c152e66cca333a501d08e

SHA1
1f6e1335e1621b90e17d1c01f8d84118a4e832c5

SHA256
c78b23e000028127be997698e106dab229f89154066887e854a7f8ea03913f42

SHA512
b5705c904650644f943616e8d1d9090293cf3ae137cacc63677ed8dc30a23acb84fbcb6a01f5a79a861ef0df899d3b900d3e9d7cd4e8bd2adfe36fe40a562666

Download Submit
C:\Windows\SysWOW64\Nhhominh.exe

Filesize
45KB

MD5
df2f80dd7975752e17f2b4af6c22ba8a

SHA1
7431fa04e6f26ee86da9bb4483a16484376356ed

SHA256
f1925e31f8495166b322af393d15637d2678977cc23d8fa352028a3cbb104b0e

SHA512
163350401544f5884cf94040e7a2cf1686043a00636857eba9ff94614d46427f2e3c0a8468a0334b3c7609ac75e494fdc8bc8644513aa906d732ffb6a55c2f24

Download Submit
C:\Windows\SysWOW64\Pgcnnh32.exe

Filesize
45KB

MD5
c44f7cf4f6b71cc38a1ef20f068288d4

SHA1
3abba20c4870e3dbe502b717a806b7164a70f1fe

SHA256
d7b6cdb53715f8a8eafa4d4e86953350bee08cb6fa75061d8fd1ff09f607261d

SHA512
cd1b873f3696d964734e009e48ad1a82623529ca967c15dd7fe5402013ca59ac49781985b466b4acece6efcc50745df01e600d9f47154716d4d5f7348d8d90ea

Download Submit
\Windows\SysWOW64\Ailqfooi.exe

Filesize
45KB

MD5
5a22d6c379e1d722fe6ca092dd904c7d

SHA1
71c7e755728b43351f10fad01e3c69f8d34593d3

SHA256
d8115871fa20f30d15479c8336a230d857ad6a4b5cbf60ca8893bc634e852d72

SHA512
098c4aa10873692a3e781faaab5e4245575889c29a597ec041b027aee7c1f2c99f0936a354194a6c08279826ba66684e4ef5a9fbb504cf006543dfec923233a8

Download Submit
\Windows\SysWOW64\Ogaeieoj.exe

Filesize
45KB

MD5
9a88e58d8c794a42b909197f21f591e8

SHA1
4f68946855ac991c51deefc0499b3e6c67eb083a

SHA256
cfa03856c86a0bdbe709abc07beaa63a8fbbab9ae018013c3e90855258c1e0b8

SHA512
9e53d7eadce8e611cf2fe0fafcd0dde33cb3ffda63e9bac25b9fc07f90e0f0577627d7f0d6f50559b02db4bf5ab98b024b30f1835a83845d56741ed83b8e3a32

Download Submit
\Windows\SysWOW64\Ohjkcile.exe

Filesize
45KB

MD5
1bc2279f1abdd0d8d08b9824bc5e6ba2

SHA1
7070f2d48a19d185e6b1e1765a57229af401c11c

SHA256
2305169ea40968a24462910e05808abf464a0bd8302592b5a0a98ddd7241ab2b

SHA512
906daeb61bf4df69b958f826ea52f2512db075e0622b75485df5a69d3f2eada52202b616e04d5a8d278dd4ec1ebe8a209f09eae316464e8e6dc31256c762d830

Download Submit
\Windows\SysWOW64\Ojkhjabc.exe

Filesize
45KB

MD5
6a4239f58da4df933d5f5a455e8a24bc

SHA1
aade517ce90dad43311eca262a2cb55f244e23b9

SHA256
d029d9efc26c807dc3ad931755be215e8bda6a42c3559be791287475d9c9048a

SHA512
b9c625652ef095175a9c1e343d04ccaea37f7136f2a907abf859b5f7639e37b6658b306e2ffafb3c32981e8bf2b730b7360b09416e5aa59ff0b6bd9495a91d9b

Download Submit
\Windows\SysWOW64\Okkddd32.exe

Filesize
45KB

MD5
086a26adfd166b1f03ddf0db29a763ab

SHA1
46477ddbea2073f15011ec05517e0cabc6ec5acf

SHA256
e71c4b915e1981ee21c63c8ef693e7523417bfd87649692c47dde5ee30850f34

SHA512
1b46a4b6e07728a5108dced9b7366f244191d48a11af983f8565c3d6b0699b4b6e4cb0cb741320db9061e0e8264da6b9cfae51383945c750dd226fa08b43f625

Download Submit
\Windows\SysWOW64\Pbdipa32.exe

Filesize
45KB

MD5
8241362d107e4a1c4522eb8c145fd30e

SHA1
00ad6da3863a713f28775f2833f73b5801db7283

SHA256
87fc0c8320c30ae857bcb011a14ecc8e9a695c44fb08c4308c49183ac575b0b5

SHA512
9954365bdd098094f7fbebd887068479be3531bc6bbf7053a1df6c58914015dec35a329a6b75c57f381e21284e81f4c6c3d9ed675e5b7682a184f0fa1dfd289e

Download Submit
\Windows\SysWOW64\Pfkkeq32.exe

Filesize
45KB

MD5
5f76130417f9d1b8ac4e9d9a758046e5

SHA1
5741afeaaf70f79cf630dad2b80b5213cb021c49

SHA256
6134b33e6270ae6b49ceff0b999ea1449e0ca2fc7f438d07380ce54801fb3851

SHA512
c779c1c37ba6dcd72591cd65a8bc7a4f93a9e78c2a946e0072c5a1129377dd9b1f76bb701418cd2ec532d0f4390ea4e3cfd5e6c52ac441ce6128a0ebefafaa17

Download Submit
\Windows\SysWOW64\Pgaahh32.exe

Filesize
45KB

MD5
ba68142a9f91c99cf85832d1d2c688ea

SHA1
08124ed923e0bcf36a019d6a8329312b28a069f1

SHA256
ed854fc0ad089d0beba16ba030d4810c15b04e5c0cd7c68464c080383d467dfc

SHA512
b4df07f1b2a1d009026686f711ce8b2acb4c8baf3ddcab8058e57378c4ef11103b4682456c277181aa703650e9a948ff93a6f2d907e9b65bbe16a13b0cf78b50

Download Submit
\Windows\SysWOW64\Pigklmqc.exe

Filesize
45KB

MD5
347d34b8e0475e25387011e8d1554d3e

SHA1
4267732f91c29aebb22ad9ab28598446cc4a88fe

SHA256
8f1327414a6ad73b53ae633543b84967fc5392ba5c0688a14186116f7bb50f31

SHA512
e15c6449adef50fe5637cfb9367ce8921146fd521392622829aa006419c9f287b0961e5d5504f1ecbbe41238102b86ad5a3b16c6ff2cb6cc23fb0babdee8087d

Download Submit
\Windows\SysWOW64\Pnfpjc32.exe

Filesize
45KB

MD5
05dad252183835063436fde2b93347fa

SHA1
35d435622375d523f017cef0b7de6f2afbd20f6b

SHA256
cabd764faf50666a6649481fbfc111ae282cc3a934483119ba8462325598a8ef

SHA512
854bac80c462026fa2ab03a9a8015d2631f3534df2a54c4f29d50d93c3c2624687a426dd40511bc95971924e292d84dc348e823baa9727d3b85188d7a4d63b1c

Download Submit
\Windows\SysWOW64\Qcmkhi32.exe

Filesize
45KB

MD5
9b6c60219b7d7077415591af2810a411

SHA1
c7c0c05db119673202d76ed9a09d6b4d5ab51f2e

SHA256
aef8ffd70c1f5da8765cd85d2ab3de5f154d2595166cfdf59f690fb0546108d6

SHA512
a1e5d481ba19038503bbbab65d639ac415b916bea90ac20ce8b28d891b8a87d3334166939b50f1345574ec07d78fc089faf532ef809d9e26b05e5f8ffae6ddbe

Download Submit
\Windows\SysWOW64\Qijdqp32.exe

Filesize
45KB

MD5
e9817ddca83aa1a736d05bf833a82df3

SHA1
fdeecee52835453b7cf9756a2ec6dac9bc7d68e3

SHA256
f1323e5666e5ec6500fd48d29f17747df9a90ca43e02022fcf54c0759093d153

SHA512
e4bf4daed2a8bce6d02c74b444e9b8bb7284bc789d5630b120d472bd8db4d9326c6739515d655a9849a08ec32173e5fde150cc03efed5cbffb6d81d884afdfb5

Download Submit
\Windows\SysWOW64\Qnpcpa32.exe

Filesize
45KB

MD5
56a2ca71d52f67b318ef44eab474dfc8

SHA1
5afd8f406c80d144d1556486ab3644794b54539f

SHA256
4dcc5909e1c9da46fa96c9bae42b2959f9a8c5d8b3192f4941033cd117aeae13

SHA512
56eb2499e9c647330af8bb262982c2fb173ed44f064757c213ea7af2fb4b45fd48f3eeaf95e55b2abf9c08517bc44d213b49277689e2568cbfa6e75b1db18be4

Download Submit
memory/604-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/604-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/604-204-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/756-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-122-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/884-443-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/884-121-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/884-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-266-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1080-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-229-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1124-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-191-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1360-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-184-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1460-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-302-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1460-306-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1460-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-338-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1760-337-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1760-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-158-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1964-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-276-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2136-372-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2136-373-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2136-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-12-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2208-11-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2208-364-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2252-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-295-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2252-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-317-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2276-316-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2432-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-360-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2432-359-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2652-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-410-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2652-76-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2664-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-101-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2712-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-35-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2844-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-348-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2900-349-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2900-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-324-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2940-331-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2940-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-135-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3020-444-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3020-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-48-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/3052-409-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/3052-54-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/3052-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads