berbew | 0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a

Analysis

max time kernel
114s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Size

217KB
MD5

ef2d7a1e4cd42ee5add996214767d1a3
SHA1

87bbd250cf778154e2c5897ee2ace31663897e4a
SHA256

0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a
SHA512

e69588e6f58ec55007f1657284e901dcc13408a482d00feb62d9ac86568485c50e1c0f04537cb81ee39eb4d213323559dbe09c3a84a58530c6e4641ddac138bf
SSDEEP

3072:HKPQEfHjVExK7SOhKaWRXKeS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDb:HKJzYKdZMGXF5ahdt3b

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcjoci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oomjng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfnhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pchbmigj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcjoci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celpqbon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pchbmigj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okkddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Almihjlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkddd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
2472	Okkddd32.exe
3064	Oomjng32.exe
2712	Pmcgmkil.exe
2848	Pfnhkq32.exe
2844	Pchbmigj.exe
1128	Qcjoci32.exe
396	Ajipkb32.exe
1412	Almihjlj.exe
3000	Aicfgn32.exe
2224	Baqhapdj.exe
2196	Bfpmog32.exe
1972	Bknfeege.exe
2376	Chhpgn32.exe
2444	Celpqbon.exe
2392	Coindgbi.exe

Loads dropped DLL 30 IoCs

pid	Process
2856	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
2856	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
2472	Okkddd32.exe
2472	Okkddd32.exe
3064	Oomjng32.exe
3064	Oomjng32.exe
2712	Pmcgmkil.exe
2712	Pmcgmkil.exe
2848	Pfnhkq32.exe
2848	Pfnhkq32.exe
2844	Pchbmigj.exe
2844	Pchbmigj.exe
1128	Qcjoci32.exe
1128	Qcjoci32.exe
396	Ajipkb32.exe
396	Ajipkb32.exe
1412	Almihjlj.exe
1412	Almihjlj.exe
3000	Aicfgn32.exe
3000	Aicfgn32.exe
2224	Baqhapdj.exe
2224	Baqhapdj.exe
2196	Bfpmog32.exe
2196	Bfpmog32.exe
1972	Bknfeege.exe
1972	Bknfeege.exe
2376	Chhpgn32.exe
2376	Chhpgn32.exe
2444	Celpqbon.exe
2444	Celpqbon.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eajkip32.dll	Bknfeege.exe
File opened for modification	C:\Windows\SysWOW64\Almihjlj.exe	Ajipkb32.exe
File created	C:\Windows\SysWOW64\Hmecge32.dll	Almihjlj.exe
File created	C:\Windows\SysWOW64\Bfpmog32.exe	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Flhbop32.dll	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Baqhapdj.exe	Aicfgn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpmog32.exe	Baqhapdj.exe
File opened for modification	C:\Windows\SysWOW64\Celpqbon.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Okkddd32.exe	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
File opened for modification	C:\Windows\SysWOW64\Oomjng32.exe	Okkddd32.exe
File opened for modification	C:\Windows\SysWOW64\Qcjoci32.exe	Pchbmigj.exe
File created	C:\Windows\SysWOW64\Bchmahjj.dll	Pchbmigj.exe
File opened for modification	C:\Windows\SysWOW64\Aicfgn32.exe	Almihjlj.exe
File created	C:\Windows\SysWOW64\Idcnlffk.dll	Bfpmog32.exe
File opened for modification	C:\Windows\SysWOW64\Chhpgn32.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Eglhaeef.dll	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
File created	C:\Windows\SysWOW64\Oomjng32.exe	Okkddd32.exe
File created	C:\Windows\SysWOW64\Enihha32.dll	Oomjng32.exe
File created	C:\Windows\SysWOW64\Jcfddmhe.dll	Pmcgmkil.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Chhpgn32.exe	Bknfeege.exe
File opened for modification	C:\Windows\SysWOW64\Okkddd32.exe	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
File created	C:\Windows\SysWOW64\Pmcgmkil.exe	Oomjng32.exe
File created	C:\Windows\SysWOW64\Pchbmigj.exe	Pfnhkq32.exe
File created	C:\Windows\SysWOW64\Aicfgn32.exe	Almihjlj.exe
File created	C:\Windows\SysWOW64\Ajipkb32.exe	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Acdodo32.dll	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Almihjlj.exe	Ajipkb32.exe
File created	C:\Windows\SysWOW64\Lflppehm.dll	Ajipkb32.exe
File created	C:\Windows\SysWOW64\Cpaeljha.dll	Okkddd32.exe
File created	C:\Windows\SysWOW64\Pfnhkq32.exe	Pmcgmkil.exe
File opened for modification	C:\Windows\SysWOW64\Pfnhkq32.exe	Pmcgmkil.exe
File opened for modification	C:\Windows\SysWOW64\Pchbmigj.exe	Pfnhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Bknfeege.exe	Bfpmog32.exe
File created	C:\Windows\SysWOW64\Celpqbon.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Pfapgnji.dll	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Jpopml32.dll	Pfnhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Ajipkb32.exe	Qcjoci32.exe
File opened for modification	C:\Windows\SysWOW64\Baqhapdj.exe	Aicfgn32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Celpqbon.exe
File opened for modification	C:\Windows\SysWOW64\Pmcgmkil.exe	Oomjng32.exe
File created	C:\Windows\SysWOW64\Qcjoci32.exe	Pchbmigj.exe
File created	C:\Windows\SysWOW64\Anfdhfiq.dll	Aicfgn32.exe
File created	C:\Windows\SysWOW64\Bknfeege.exe	Bfpmog32.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicfgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celpqbon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmcgmkil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfnhkq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknfeege.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pchbmigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcjoci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajipkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almihjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baqhapdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpmog32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdodo32.dll"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll"	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll"	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglhaeef.dll"	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oomjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pchbmigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll"	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfnhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bknfeege.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchmahjj.dll"	Pchbmigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Almihjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okkddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpopml32.dll"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okkddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfddmhe.dll"	Pmcgmkil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lflppehm.dll"	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbop32.dll"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapgnji.dll"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaeljha.dll"	Okkddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihha32.dll"	Oomjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajipkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajipkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oomjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Almihjlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2472	2856	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe	30
PID 2856 wrote to memory of 2472	2856	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe	30
PID 2856 wrote to memory of 2472	2856	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe	30
PID 2856 wrote to memory of 2472	2856	0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe	30
PID 2472 wrote to memory of 3064	2472	Okkddd32.exe	31
PID 2472 wrote to memory of 3064	2472	Okkddd32.exe	31
PID 2472 wrote to memory of 3064	2472	Okkddd32.exe	31
PID 2472 wrote to memory of 3064	2472	Okkddd32.exe	31
PID 3064 wrote to memory of 2712	3064	Oomjng32.exe	32
PID 3064 wrote to memory of 2712	3064	Oomjng32.exe	32
PID 3064 wrote to memory of 2712	3064	Oomjng32.exe	32
PID 3064 wrote to memory of 2712	3064	Oomjng32.exe	32
PID 2712 wrote to memory of 2848	2712	Pmcgmkil.exe	33
PID 2712 wrote to memory of 2848	2712	Pmcgmkil.exe	33
PID 2712 wrote to memory of 2848	2712	Pmcgmkil.exe	33
PID 2712 wrote to memory of 2848	2712	Pmcgmkil.exe	33
PID 2848 wrote to memory of 2844	2848	Pfnhkq32.exe	34
PID 2848 wrote to memory of 2844	2848	Pfnhkq32.exe	34
PID 2848 wrote to memory of 2844	2848	Pfnhkq32.exe	34
PID 2848 wrote to memory of 2844	2848	Pfnhkq32.exe	34
PID 2844 wrote to memory of 1128	2844	Pchbmigj.exe	35
PID 2844 wrote to memory of 1128	2844	Pchbmigj.exe	35
PID 2844 wrote to memory of 1128	2844	Pchbmigj.exe	35
PID 2844 wrote to memory of 1128	2844	Pchbmigj.exe	35
PID 1128 wrote to memory of 396	1128	Qcjoci32.exe	36
PID 1128 wrote to memory of 396	1128	Qcjoci32.exe	36
PID 1128 wrote to memory of 396	1128	Qcjoci32.exe	36
PID 1128 wrote to memory of 396	1128	Qcjoci32.exe	36
PID 396 wrote to memory of 1412	396	Ajipkb32.exe	37
PID 396 wrote to memory of 1412	396	Ajipkb32.exe	37
PID 396 wrote to memory of 1412	396	Ajipkb32.exe	37
PID 396 wrote to memory of 1412	396	Ajipkb32.exe	37
PID 1412 wrote to memory of 3000	1412	Almihjlj.exe	38
PID 1412 wrote to memory of 3000	1412	Almihjlj.exe	38
PID 1412 wrote to memory of 3000	1412	Almihjlj.exe	38
PID 1412 wrote to memory of 3000	1412	Almihjlj.exe	38
PID 3000 wrote to memory of 2224	3000	Aicfgn32.exe	39
PID 3000 wrote to memory of 2224	3000	Aicfgn32.exe	39
PID 3000 wrote to memory of 2224	3000	Aicfgn32.exe	39
PID 3000 wrote to memory of 2224	3000	Aicfgn32.exe	39
PID 2224 wrote to memory of 2196	2224	Baqhapdj.exe	40
PID 2224 wrote to memory of 2196	2224	Baqhapdj.exe	40
PID 2224 wrote to memory of 2196	2224	Baqhapdj.exe	40
PID 2224 wrote to memory of 2196	2224	Baqhapdj.exe	40
PID 2196 wrote to memory of 1972	2196	Bfpmog32.exe	41
PID 2196 wrote to memory of 1972	2196	Bfpmog32.exe	41
PID 2196 wrote to memory of 1972	2196	Bfpmog32.exe	41
PID 2196 wrote to memory of 1972	2196	Bfpmog32.exe	41
PID 1972 wrote to memory of 2376	1972	Bknfeege.exe	42
PID 1972 wrote to memory of 2376	1972	Bknfeege.exe	42
PID 1972 wrote to memory of 2376	1972	Bknfeege.exe	42
PID 1972 wrote to memory of 2376	1972	Bknfeege.exe	42
PID 2376 wrote to memory of 2444	2376	Chhpgn32.exe	43
PID 2376 wrote to memory of 2444	2376	Chhpgn32.exe	43
PID 2376 wrote to memory of 2444	2376	Chhpgn32.exe	43
PID 2376 wrote to memory of 2444	2376	Chhpgn32.exe	43
PID 2444 wrote to memory of 2392	2444	Celpqbon.exe	44
PID 2444 wrote to memory of 2392	2444	Celpqbon.exe	44
PID 2444 wrote to memory of 2392	2444	Celpqbon.exe	44
PID 2444 wrote to memory of 2392	2444	Celpqbon.exe	44

C:\Users\Admin\AppData\Local\Temp\0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe
"C:\Users\Admin\AppData\Local\Temp\0cb7fe7b1327715f04434a694bcf18d5b7701ef177d3703a07965df56466651a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Okkddd32.exe
  C:\Windows\system32\Okkddd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\Oomjng32.exe
    C:\Windows\system32\Oomjng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\Pmcgmkil.exe
      C:\Windows\system32\Pmcgmkil.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Pfnhkq32.exe
        
        C:\Windows\system32\Pfnhkq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\Pchbmigj.exe
        
        C:\Windows\system32\Pchbmigj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Qcjoci32.exe
        
        C:\Windows\system32\Qcjoci32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Ajipkb32.exe
        
        C:\Windows\system32\Ajipkb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Almihjlj.exe
        
        C:\Windows\system32\Almihjlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Aicfgn32.exe
        
        C:\Windows\system32\Aicfgn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Baqhapdj.exe
        
        C:\Windows\system32\Baqhapdj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bfpmog32.exe
        
        C:\Windows\system32\Bfpmog32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Bknfeege.exe
        
        C:\Windows\system32\Bknfeege.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Celpqbon.exe
        
        C:\Windows\system32\Celpqbon.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Almihjlj.exe

Filesize
217KB

MD5
7c2800ab81115019decf5b19986c7925

SHA1
9d88c00e4cc5384904bb0774e010d22904e233dc

SHA256
2761acd4bd014816c0b7d0231fe1f658e75233c049847a7428b612f398c602bb

SHA512
1220b6c32b7989d8076cd0213db1eeafa6d500137f5e2cb4f53bf6b03265990af450e406642a8c4da95d3b85210bf10bf5198f74c9a20fe2296102a6f6da6d3c

Download Submit
C:\Windows\SysWOW64\Celpqbon.exe

Filesize
217KB

MD5
e9af57c4b1e9e1714dd367eb2a1f7863

SHA1
df6caae7cb728e35d18708a50f0b448b9fb1d996

SHA256
e5cd4cc22ca6a37561bf1b4eaab1f8396b33eb1c137ad2d6e310fbe78ea28db4

SHA512
6c000e3f7c736a948ba524c37701773e69b4d1162bb273a24f71dc8da86a7f6140325be1ed1ca6e7bb546a9213434cb0885ddc71b41c2c81b0a1c51e53b7b797

Download Submit
C:\Windows\SysWOW64\Jpopml32.dll

Filesize
7KB

MD5
ad840f3b94c043d897b618d4886c7fec

SHA1
0cd15542874bb90870ce204a87550b916ba202bc

SHA256
88202dbafafc442f51a4ff7b1ffeda227e11f3d589e10b71c6a1c91579d6b589

SHA512
13bd4529cafde6fe29e9a19aae8963d3b0e3a3dbe48744f6796a8182018e708e144b68d64b436df7bf3c6bd35ef8ec255806dc8e7eb4499a09908f8a58acdf9a

Download Submit
C:\Windows\SysWOW64\Qcjoci32.exe

Filesize
217KB

MD5
ba823332a94262760f3690ec8d958599

SHA1
e2e6f9a4a252641f205933043e5bbd2210492355

SHA256
ee6085f1c709e584a877dc55bc6ffcda098d7ff7fa69cae4eedee4a20cd2a35d

SHA512
e63ea579c4d90aab9eca85d23ba6b1ff4b22eefb0748b177ca4e19ad004a76b6947018c5ee8776d819436cdbdc52538024ae88ed1678d49b15565f06289462d5

Download Submit
\Windows\SysWOW64\Aicfgn32.exe

Filesize
217KB

MD5
9498a88317fc8e25a5336f65d4f69200

SHA1
87567a3f2a104fe6f9e02494bd8398a3e81d730b

SHA256
4b26f526a5a53965e4153e0385650f38722c32dc59b106895674153aa958cce6

SHA512
4e90a61b8699f850f387d5623d1930b1a00457f1ff949ba9c5a7bfe1aed57cb64fbeb77f2bb811b14ad7d2b03380df353f4fecd122340625ecf47a9009983cd9

Download Submit
\Windows\SysWOW64\Ajipkb32.exe

Filesize
217KB

MD5
ac8f0b2bb49f4252983d51d79dd45cae

SHA1
facf3ada633ead7ec807ff54004f826c2309fca0

SHA256
9c70546eae285f3b349d01ff72defa58e043595ff9b4be9ef428ca0b5f004d1e

SHA512
14750c6661380df37ff9dbdbfad85451cff695ca4bdec9a473be0924d75fe75e894faffd3a11123e5b6f70e7317c051455b9a6b73ad5b921a77fa1775fe5c5a9

Download Submit
\Windows\SysWOW64\Baqhapdj.exe

Filesize
217KB

MD5
fc7a1862346b44b9322ab4a51ede310b

SHA1
e6011378eb3a3d85e0a79b352d6eab6d0e7c2cbe

SHA256
3b5d14ee0166cee7a119ab88bbfa028fc594dc13ec58109897427556ad5882ce

SHA512
e3a34b1c5c62bca668755ed771cfbacec09782315554ed2ab8b59045d73730198a4c71501124d31f3d0b67d6946ce273d987662c4b97a536aed2bc4626a946f8

Download Submit
\Windows\SysWOW64\Bfpmog32.exe

Filesize
217KB

MD5
1354a15198c18337a03922f1e7b9607f

SHA1
81fefb7927954311fd249e044fcad1311dcb5839

SHA256
72fd6ba963fe9dce64ab069b6f57c700d88e82ed2b68608cbac697ab03f9c85b

SHA512
75b6143462cd967d529f1118ed8f4ba8f7f599c7e2ea86668deed6bd758a147b88e066695c60597ec5ba612b205e20d64a83c07a9ef4a9be9f898925b703ba92

Download Submit
\Windows\SysWOW64\Bknfeege.exe

Filesize
217KB

MD5
7b4b30d6739ce9e64f1136c6327cd3ac

SHA1
668846a64b4c7a1a17e14914f9ca8e44c890f6ef

SHA256
8979353aec90c7537bd33ae970d65d4f150998a1bd5ac61f261a927e69ef88de

SHA512
8b6dac28110aa1bea739ee4c3ad1df086491a8972db7562d1805c384d34ccf151280190565e122d03396617e89efa2642a6f1a2a24d8cd3cf9255b62d458703f

Download Submit
\Windows\SysWOW64\Chhpgn32.exe

Filesize
217KB

MD5
34c609dfa4f0e3beb883483033b2c35c

SHA1
ece6f8fcc1f7936c2f560e7b6b401aadd148339d

SHA256
17791ae19606a56e60812119b009b422d8b146182b173a8b16200cd63c536130

SHA512
9a1ad6c531000a376343597f5bef1d31d65504fb62462612116c112629e5340dc0f919636f2790d4eba90cba76c4ea45df2113e88a6cc01ca5c98a883bc9e09f

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
217KB

MD5
b2543baba9ca0e3b9fb90abe8fcfb883

SHA1
01a36a7e1694b51a806cac03571fec1faffc9f08

SHA256
4e6bdc614068eb2023bd4bb124d0504a0d321338e12ea6e91888f23b3ca7bef7

SHA512
31d5d5b92083ad55922c4cf1bff71de721c7c18acfda8fd8f5244e89c4365f17aad3203971a1198959d5f1ae566cf414c22c6b7a228d5d82aee45a1ba4996141

Download Submit
\Windows\SysWOW64\Okkddd32.exe

Filesize
217KB

MD5
20f89a55fea3a6ae500d1855938a0a31

SHA1
65be6e76bd01359d04a820d4d17cbacff9c11687

SHA256
619738929a54084a60bc276a66a61a20f016aa48cf606f93c722ec332972b3f6

SHA512
3c99235a5f88d8020faf17941776e0d2a862de24f9c7ea20792539f9c6e79997e9719f3982f7c6c44c803a932f31fa95b82d85638b0c9778d93ad5b1f8b90edf

Download Submit
\Windows\SysWOW64\Oomjng32.exe

Filesize
217KB

MD5
bd90c88d5249b245e189dc72d819ec7c

SHA1
eb44a133e924d02e63aa08699829f06175b71968

SHA256
e772f1a0d4b201260476721badea2083de7cb0b931049538cd21e3e2df1f6d1d

SHA512
3117278cc3a3944db5a68ee1b2f872234c39df4494b274573fd991164188e15d268600350c6a1fb5bac5fdf5aa2ed32f4e004ef47ba043a4b08adf164bcef469

Download Submit
\Windows\SysWOW64\Pchbmigj.exe

Filesize
217KB

MD5
d18802df3509f89eb46f48483e57b296

SHA1
72a445ac80f1db01538ec752467aff22fbe1e6f4

SHA256
d766dbe040df58cd79ff9836340958b5cd142216aee0393e5075db4ae51f97d6

SHA512
17ba92de6b553d874eb1b60da363d2bd4930bb89ee2062d16205de92dc5164fd35d1ef35c4cf9c3ce08fcd18387111a1dd1e31e01cbf083266cc3b26d7a80352

Download Submit
\Windows\SysWOW64\Pfnhkq32.exe

Filesize
217KB

MD5
19f772ace43cea252cff696bd664dcd3

SHA1
27b779bbb4bee1fb504a4da6e676d3b48c3aafd0

SHA256
21020dd453829d7084a990c825d02eb21f8604d23eac16845319210c06e8a20f

SHA512
3b32406f9d7546a2206f8b23fe127fbde92371c841f742a8627dd75bbdba64435d8434cf9f25e82cfdcedf8cf2a78e27dc0d47aa3ef0f086070cfd3d0815a0a1

Download Submit
\Windows\SysWOW64\Pmcgmkil.exe

Filesize
217KB

MD5
b25dedd46c5510518f8004d2feb805e0

SHA1
1928f3e9221f10f8dd9265f384d844a177f8c70d

SHA256
3eedc96e39737e13cf7e08aabf5da5e6d417bdbbd1e138eee81bcacd034bc240

SHA512
cf06a41e12d88fff711eb048d1a78a27b8d1bc2bb4ccc2064a64811b0bc4f40c241257734ed6f70e2e94c694ca3fda5b0106f51d22c482ba33db380875d01ff3

Download Submit
memory/396-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-108-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/396-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-90-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1128-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-118-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/1412-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-178-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1972-173-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1972-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-163-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2196-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-145-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2376-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-205-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2444-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-49-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2844-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-80-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2848-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-62-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2856-11-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2856-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3000-135-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/3000-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-35-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads