berbew | 323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
Size

163KB
MD5

a81980319c9bcec22ecc6bb69effad80
SHA1

31332fd32b4f431341cdd412a3dccd014dfa4402
SHA256

323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9
SHA512

d8508809946ae6f56df7eb2246f7d89aa20766f37c907a82fb66ee24353d83afc9c676837cc9b86eb51b8199d9097a3ff4ab44bde0589f336887107c1e55da26
SSDEEP

1536:PZ5Fcif0OAH0tF3HE1WEv2bxGdI19+jlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:MOZtwv6aI1gjltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acbglq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnloph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odckfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbpcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmomnlne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheppe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhakecld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhakecld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Penjdien.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbpcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjgqcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oobiclmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oobiclmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odckfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pniohk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caepdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmomnlne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjgqcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjhpcoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiobnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjiobnbn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijgnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnhhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjhpcoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfeibo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbljgpja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgnhhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Penjdien.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbljgpja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheppe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 26 IoCs

pid	Process
928	Mjgqcj32.exe
2548	Nbbegl32.exe
2100	Nhakecld.exe
2892	Ndjhpcoe.exe
2660	Oobiclmh.exe
2744	Ocdnloph.exe
2708	Odckfb32.exe
2216	Oheppe32.exe
2952	Pkfiaqgk.exe
2988	Penjdien.exe
2020	Pniohk32.exe
2432	Qfimhmlo.exe
1020	Aqanke32.exe
336	Acbglq32.exe
1756	Abgdnm32.exe
2156	Bnbnnm32.exe
1296	Bjiobnbn.exe
972	Bfeibo32.exe
2528	Cbljgpja.exe
956	Cbpcbo32.exe
2040	Caepdk32.exe
936	Dmomnlne.exe
1052	Dkbnhq32.exe
1704	Dijgnm32.exe
2444	Dgnhhq32.exe
2556	Eceimadb.exe

Loads dropped DLL 56 IoCs

pid	Process
1048	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
1048	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
928	Mjgqcj32.exe
928	Mjgqcj32.exe
2548	Nbbegl32.exe
2548	Nbbegl32.exe
2100	Nhakecld.exe
2100	Nhakecld.exe
2892	Ndjhpcoe.exe
2892	Ndjhpcoe.exe
2660	Oobiclmh.exe
2660	Oobiclmh.exe
2744	Ocdnloph.exe
2744	Ocdnloph.exe
2708	Odckfb32.exe
2708	Odckfb32.exe
2216	Oheppe32.exe
2216	Oheppe32.exe
2952	Pkfiaqgk.exe
2952	Pkfiaqgk.exe
2988	Penjdien.exe
2988	Penjdien.exe
2020	Pniohk32.exe
2020	Pniohk32.exe
2432	Qfimhmlo.exe
2432	Qfimhmlo.exe
1020	Aqanke32.exe
1020	Aqanke32.exe
336	Acbglq32.exe
336	Acbglq32.exe
1756	Abgdnm32.exe
1756	Abgdnm32.exe
2156	Bnbnnm32.exe
2156	Bnbnnm32.exe
1296	Bjiobnbn.exe
1296	Bjiobnbn.exe
972	Bfeibo32.exe
972	Bfeibo32.exe
2528	Cbljgpja.exe
2528	Cbljgpja.exe
956	Cbpcbo32.exe
956	Cbpcbo32.exe
2040	Caepdk32.exe
2040	Caepdk32.exe
936	Dmomnlne.exe
936	Dmomnlne.exe
1052	Dkbnhq32.exe
1052	Dkbnhq32.exe
1704	Dijgnm32.exe
1704	Dijgnm32.exe
2444	Dgnhhq32.exe
2444	Dgnhhq32.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fmmjolll.dll	Ndjhpcoe.exe
File created	C:\Windows\SysWOW64\Hgeahj32.dll	Pniohk32.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Dgnhhq32.exe
File created	C:\Windows\SysWOW64\Dkbnhq32.exe	Dmomnlne.exe
File created	C:\Windows\SysWOW64\Mjgqcj32.exe	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
File created	C:\Windows\SysWOW64\Gmeckg32.dll	Mjgqcj32.exe
File created	C:\Windows\SysWOW64\Oobiclmh.exe	Ndjhpcoe.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Caepdk32.exe	Cbpcbo32.exe
File created	C:\Windows\SysWOW64\Acbglq32.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Dkbnhq32.exe	Dmomnlne.exe
File opened for modification	C:\Windows\SysWOW64\Nhakecld.exe	Nbbegl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndjhpcoe.exe	Nhakecld.exe
File created	C:\Windows\SysWOW64\Gdbcbcgp.dll	Nhakecld.exe
File created	C:\Windows\SysWOW64\Ocdnloph.exe	Oobiclmh.exe
File created	C:\Windows\SysWOW64\Pkfiaqgk.exe	Oheppe32.exe
File opened for modification	C:\Windows\SysWOW64\Bfeibo32.exe	Bjiobnbn.exe
File created	C:\Windows\SysWOW64\Dmomnlne.exe	Caepdk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmomnlne.exe	Caepdk32.exe
File created	C:\Windows\SysWOW64\Nbbegl32.exe	Mjgqcj32.exe
File created	C:\Windows\SysWOW64\Pihjghlh.dll	Nbbegl32.exe
File opened for modification	C:\Windows\SysWOW64\Odckfb32.exe	Ocdnloph.exe
File created	C:\Windows\SysWOW64\Kcfbimjl.dll	Penjdien.exe
File opened for modification	C:\Windows\SysWOW64\Bjiobnbn.exe	Bnbnnm32.exe
File created	C:\Windows\SysWOW64\Qkdhdd32.dll	Bjiobnbn.exe
File opened for modification	C:\Windows\SysWOW64\Caepdk32.exe	Cbpcbo32.exe
File created	C:\Windows\SysWOW64\Dijgnm32.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Omefae32.dll	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
File opened for modification	C:\Windows\SysWOW64\Pkfiaqgk.exe	Oheppe32.exe
File created	C:\Windows\SysWOW64\Qfimhmlo.exe	Pniohk32.exe
File opened for modification	C:\Windows\SysWOW64\Abgdnm32.exe	Acbglq32.exe
File created	C:\Windows\SysWOW64\Bfeibo32.exe	Bjiobnbn.exe
File created	C:\Windows\SysWOW64\Adaflhhb.dll	Dijgnm32.exe
File created	C:\Windows\SysWOW64\Eecpggap.dll	Pkfiaqgk.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Bjiobnbn.exe	Bnbnnm32.exe
File created	C:\Windows\SysWOW64\Pjmgop32.dll	Aqanke32.exe
File created	C:\Windows\SysWOW64\Cbljgpja.exe	Bfeibo32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Dgnhhq32.exe
File created	C:\Windows\SysWOW64\Nhakecld.exe	Nbbegl32.exe
File opened for modification	C:\Windows\SysWOW64\Oobiclmh.exe	Ndjhpcoe.exe
File created	C:\Windows\SysWOW64\Penjdien.exe	Pkfiaqgk.exe
File opened for modification	C:\Windows\SysWOW64\Penjdien.exe	Pkfiaqgk.exe
File created	C:\Windows\SysWOW64\Pniohk32.exe	Penjdien.exe
File created	C:\Windows\SysWOW64\Dgnhhq32.exe	Dijgnm32.exe
File created	C:\Windows\SysWOW64\Odckfb32.exe	Ocdnloph.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Cdmbfk32.dll	Dmomnlne.exe
File opened for modification	C:\Windows\SysWOW64\Dijgnm32.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Doeljaja.dll	Oobiclmh.exe
File created	C:\Windows\SysWOW64\Cbpcbo32.exe	Cbljgpja.exe
File opened for modification	C:\Windows\SysWOW64\Cbpcbo32.exe	Cbljgpja.exe
File created	C:\Windows\SysWOW64\Eddmalde.dll	Dkbnhq32.exe
File opened for modification	C:\Windows\SysWOW64\Eceimadb.exe	Dgnhhq32.exe
File created	C:\Windows\SysWOW64\Kcipdg32.dll	Ocdnloph.exe
File created	C:\Windows\SysWOW64\Oheppe32.exe	Odckfb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbnnm32.exe	Abgdnm32.exe
File created	C:\Windows\SysWOW64\Denlga32.dll	Acbglq32.exe
File opened for modification	C:\Windows\SysWOW64\Cbljgpja.exe	Bfeibo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbbegl32.exe	Mjgqcj32.exe
File created	C:\Windows\SysWOW64\Fapapi32.dll	Odckfb32.exe
File created	C:\Windows\SysWOW64\Ckfhogfe.dll	Oheppe32.exe
File opened for modification	C:\Windows\SysWOW64\Qfimhmlo.exe	Pniohk32.exe
File opened for modification	C:\Windows\SysWOW64\Acbglq32.exe	Aqanke32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2264	2556	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfimhmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbljgpja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oobiclmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Penjdien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbnnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dijgnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjhpcoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pniohk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbglq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgdnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfiaqgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caepdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbnhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmomnlne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjgqcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnloph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiobnbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnhhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhakecld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbegl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odckfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheppe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbpcbo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djammg32.dll"	Bnbnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjiobnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbljgpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adaflhhb.dll"	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dgnhhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmjolll.dll"	Ndjhpcoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odckfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeahj32.dll"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpeocnpg.dll"	Bfeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paebkkhn.dll"	Cbpcbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmbfk32.dll"	Dmomnlne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbljgpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmeckg32.dll"	Mjgqcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjhpcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doeljaja.dll"	Oobiclmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll"	Odckfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapnjioj.dll"	Cbljgpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caepdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmomnlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjgqcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndjhpcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdhdd32.dll"	Bjiobnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgnhhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbcbcgp.dll"	Nhakecld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlokefce.dll"	Caepdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecpggap.dll"	Pkfiaqgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfhogfe.dll"	Oheppe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfbimjl.dll"	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhakecld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oobiclmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbpcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbpcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Penjdien.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqanke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcipdg32.dll"	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgnhhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihjghlh.dll"	Nbbegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhakecld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pniohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmgop32.dll"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjiobnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omefae32.dll"	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 928	1048	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe	29
PID 1048 wrote to memory of 928	1048	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe	29
PID 1048 wrote to memory of 928	1048	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe	29
PID 1048 wrote to memory of 928	1048	323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe	29
PID 928 wrote to memory of 2548	928	Mjgqcj32.exe	30
PID 928 wrote to memory of 2548	928	Mjgqcj32.exe	30
PID 928 wrote to memory of 2548	928	Mjgqcj32.exe	30
PID 928 wrote to memory of 2548	928	Mjgqcj32.exe	30
PID 2548 wrote to memory of 2100	2548	Nbbegl32.exe	31
PID 2548 wrote to memory of 2100	2548	Nbbegl32.exe	31
PID 2548 wrote to memory of 2100	2548	Nbbegl32.exe	31
PID 2548 wrote to memory of 2100	2548	Nbbegl32.exe	31
PID 2100 wrote to memory of 2892	2100	Nhakecld.exe	32
PID 2100 wrote to memory of 2892	2100	Nhakecld.exe	32
PID 2100 wrote to memory of 2892	2100	Nhakecld.exe	32
PID 2100 wrote to memory of 2892	2100	Nhakecld.exe	32
PID 2892 wrote to memory of 2660	2892	Ndjhpcoe.exe	33
PID 2892 wrote to memory of 2660	2892	Ndjhpcoe.exe	33
PID 2892 wrote to memory of 2660	2892	Ndjhpcoe.exe	33
PID 2892 wrote to memory of 2660	2892	Ndjhpcoe.exe	33
PID 2660 wrote to memory of 2744	2660	Oobiclmh.exe	34
PID 2660 wrote to memory of 2744	2660	Oobiclmh.exe	34
PID 2660 wrote to memory of 2744	2660	Oobiclmh.exe	34
PID 2660 wrote to memory of 2744	2660	Oobiclmh.exe	34
PID 2744 wrote to memory of 2708	2744	Ocdnloph.exe	35
PID 2744 wrote to memory of 2708	2744	Ocdnloph.exe	35
PID 2744 wrote to memory of 2708	2744	Ocdnloph.exe	35
PID 2744 wrote to memory of 2708	2744	Ocdnloph.exe	35
PID 2708 wrote to memory of 2216	2708	Odckfb32.exe	36
PID 2708 wrote to memory of 2216	2708	Odckfb32.exe	36
PID 2708 wrote to memory of 2216	2708	Odckfb32.exe	36
PID 2708 wrote to memory of 2216	2708	Odckfb32.exe	36
PID 2216 wrote to memory of 2952	2216	Oheppe32.exe	37
PID 2216 wrote to memory of 2952	2216	Oheppe32.exe	37
PID 2216 wrote to memory of 2952	2216	Oheppe32.exe	37
PID 2216 wrote to memory of 2952	2216	Oheppe32.exe	37
PID 2952 wrote to memory of 2988	2952	Pkfiaqgk.exe	38
PID 2952 wrote to memory of 2988	2952	Pkfiaqgk.exe	38
PID 2952 wrote to memory of 2988	2952	Pkfiaqgk.exe	38
PID 2952 wrote to memory of 2988	2952	Pkfiaqgk.exe	38
PID 2988 wrote to memory of 2020	2988	Penjdien.exe	39
PID 2988 wrote to memory of 2020	2988	Penjdien.exe	39
PID 2988 wrote to memory of 2020	2988	Penjdien.exe	39
PID 2988 wrote to memory of 2020	2988	Penjdien.exe	39
PID 2020 wrote to memory of 2432	2020	Pniohk32.exe	40
PID 2020 wrote to memory of 2432	2020	Pniohk32.exe	40
PID 2020 wrote to memory of 2432	2020	Pniohk32.exe	40
PID 2020 wrote to memory of 2432	2020	Pniohk32.exe	40
PID 2432 wrote to memory of 1020	2432	Qfimhmlo.exe	41
PID 2432 wrote to memory of 1020	2432	Qfimhmlo.exe	41
PID 2432 wrote to memory of 1020	2432	Qfimhmlo.exe	41
PID 2432 wrote to memory of 1020	2432	Qfimhmlo.exe	41
PID 1020 wrote to memory of 336	1020	Aqanke32.exe	42
PID 1020 wrote to memory of 336	1020	Aqanke32.exe	42
PID 1020 wrote to memory of 336	1020	Aqanke32.exe	42
PID 1020 wrote to memory of 336	1020	Aqanke32.exe	42
PID 336 wrote to memory of 1756	336	Acbglq32.exe	43
PID 336 wrote to memory of 1756	336	Acbglq32.exe	43
PID 336 wrote to memory of 1756	336	Acbglq32.exe	43
PID 336 wrote to memory of 1756	336	Acbglq32.exe	43
PID 1756 wrote to memory of 2156	1756	Abgdnm32.exe	44
PID 1756 wrote to memory of 2156	1756	Abgdnm32.exe	44
PID 1756 wrote to memory of 2156	1756	Abgdnm32.exe	44
PID 1756 wrote to memory of 2156	1756	Abgdnm32.exe	44

C:\Users\Admin\AppData\Local\Temp\323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe
"C:\Users\Admin\AppData\Local\Temp\323dbfcfcc888572cfd1dd1bb7fbe52bab201e40b248b2ed16b56bbe02615ad9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\Mjgqcj32.exe
  C:\Windows\system32\Mjgqcj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\Nbbegl32.exe
    C:\Windows\system32\Nbbegl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\Nhakecld.exe
      C:\Windows\system32\Nhakecld.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\Ndjhpcoe.exe
        
        C:\Windows\system32\Ndjhpcoe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\SysWOW64\Oobiclmh.exe
        
        C:\Windows\system32\Oobiclmh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Ocdnloph.exe
        
        C:\Windows\system32\Ocdnloph.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Odckfb32.exe
        
        C:\Windows\system32\Odckfb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Oheppe32.exe
        
        C:\Windows\system32\Oheppe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Pkfiaqgk.exe
        
        C:\Windows\system32\Pkfiaqgk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Penjdien.exe
        
        C:\Windows\system32\Penjdien.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Pniohk32.exe
        
        C:\Windows\system32\Pniohk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Qfimhmlo.exe
        
        C:\Windows\system32\Qfimhmlo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Aqanke32.exe
        
        C:\Windows\system32\Aqanke32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Acbglq32.exe
        
        C:\Windows\system32\Acbglq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Abgdnm32.exe
        
        C:\Windows\system32\Abgdnm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Bnbnnm32.exe
        
        C:\Windows\system32\Bnbnnm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Bjiobnbn.exe
        
        C:\Windows\system32\Bjiobnbn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Bfeibo32.exe
        
        C:\Windows\system32\Bfeibo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Cbljgpja.exe
        
        C:\Windows\system32\Cbljgpja.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cbpcbo32.exe
        
        C:\Windows\system32\Cbpcbo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Caepdk32.exe
        
        C:\Windows\system32\Caepdk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Dmomnlne.exe
        
        C:\Windows\system32\Dmomnlne.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Dkbnhq32.exe
        
        C:\Windows\system32\Dkbnhq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Dijgnm32.exe
        
        C:\Windows\system32\Dijgnm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Dgnhhq32.exe
        
        C:\Windows\system32\Dgnhhq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acbglq32.exe

Filesize
163KB

MD5
f5eaee1d0af70bfa0a2235570888519d

SHA1
42a2a3fd05ca56924db40ff74e3b81bdf2402498

SHA256
9443bcce45811638667068ce79605aeff30f4de4a06fa2fe8f790b9d7dcda547

SHA512
731316ea105ab486053f8064ed27c5102d4523839538ae54f7cb521b2f9dd68ab90a879799e4521e9697e62b60c94ac6131d23c7464c4aa96bd772a893610646

Download Submit
C:\Windows\SysWOW64\Bfeibo32.exe

Filesize
163KB

MD5
6a53cec9a21c15f43e6a5f1d1150606c

SHA1
aa2baa90cd18cf58df0d0a4f0ccd97e92cab5b59

SHA256
37c879312112b9932006235f303a1e2f1bea762759f6df9089644dc7c354ed5c

SHA512
a1722ae5890397141d72859b65fcc888c99994b5e21e03f7f22659c559f1e1f6213adc1029562101dbc64675fbe9a4b32e4e3de5e7ca3d186094603997ce3b25

Download Submit
C:\Windows\SysWOW64\Bjiobnbn.exe

Filesize
163KB

MD5
7f8429fa79ba14f0fa5de95a99c16dcd

SHA1
16b2af39767dde38f7b8f5d6f65d8cb535ef5523

SHA256
33a6598abc38169190114ce794506d180e393628454575617121b2a85b779ad5

SHA512
2b07f0e8124f6f07a96c625fc5b283a40d53561485d47916be3ac9ff281ff585130d6ce70689e5ffde13d295256d13fed3280c6bbef6f5e0a955771de19914c2

Download Submit
C:\Windows\SysWOW64\Caepdk32.exe

Filesize
163KB

MD5
44c602a6f53072fcbe43b3dc90a24ddb

SHA1
dce9b26bfdba4d30ba10bf1edf3b7b036d7607cb

SHA256
55b3496dc453e820abc9c7f6149cc899badecf49ea96c194e92246ece3238ac7

SHA512
bd8b8c1ecc45b554ffd30b5c7c3d56df6fc7452f442b0ed33727e4097939722aa3661b824164e7ef47b8ad7a39834143280da61a3ae72134825a31690777d440

Download Submit
C:\Windows\SysWOW64\Cbljgpja.exe

Filesize
163KB

MD5
d0284eb64fc0597fd0b8fdccb07b9565

SHA1
5e3410d643a5bff3d7d3fa4a9879f1edbf1d8584

SHA256
17ae7782d2b78e3d613d2bed0a18f8a7436ab4c0885eb668b9edac48d8dd46b9

SHA512
a038dafea911f425fd7d564189d16394a9d6ce9f4ea53ba2be41956e4d4b9d4747237f586a2cb3cdef89db5362ab7e095afcf62099efff08c943de23073feac0

Download Submit
C:\Windows\SysWOW64\Cbpcbo32.exe

Filesize
163KB

MD5
950fe791da95edcff4eb91b0185380c6

SHA1
382ef1053d8de33a421e2da0fe67436306b4857c

SHA256
ee86b78b97411d0baac5833ff54e052a39f644edbd65fecedb9300887657cc61

SHA512
eba075cf73ab13ea48fd66e1afb6a875f9f1f166f056e200ccb379e73d82d665077a229239e1185e842d0004aba810cf9afbc7514d869705550b5d19324b186d

Download Submit
C:\Windows\SysWOW64\Dgnhhq32.exe

Filesize
163KB

MD5
a716e9eac2a7c779bc934e507a2402f5

SHA1
8b3634acd94fafb184475da30a93e8e962942c0d

SHA256
868cbb07d284c573b66be65b0aebda2ada53af6e7031ea75d55cc8a1aab1901c

SHA512
ff1710e15ebc3abc5fdd0421c39d52fc0731f9264438c155e639bf5b8f9655aa67ebc867639d8ea16a983d078807871d986181c12ab68d349c793e1a952a1de9

Download Submit
C:\Windows\SysWOW64\Dijgnm32.exe

Filesize
163KB

MD5
f5574d124be6b75841df927e027ccce8

SHA1
8e8d4ee784a5647269759ee71cf4bc75ab6f98d1

SHA256
c195e58eaaf86f614e31d9061376f5d499061c499fbcfbdac7967871bec4c1b2

SHA512
b6e528db8dca7ae15e49f02c1d96bba828b712472bec3a3ee96ee6cc322b5490733d59fc17ab1caa926618683c92c538b4dbe10b569bffb91d08fd20f5ba3902

Download Submit
C:\Windows\SysWOW64\Dkbnhq32.exe

Filesize
163KB

MD5
074172fabf1c3cbe2377b5d33ff49540

SHA1
6a66f629a499fc88b770869f64d4959594e8c276

SHA256
461dc6aec30228f83ea1d0b350268c3102b5eea26dc5f71e978809e450e1d963

SHA512
bd450509eeed7878e97af327ffb70b74cc57a48ff1831505eccbf0b7460870f62684d0dfeb7a2827369be73f2701ef21cf251632839bcd54a5fadadcd83eb753

Download Submit
C:\Windows\SysWOW64\Dmomnlne.exe

Filesize
163KB

MD5
70984459db367d2bacec72791782551e

SHA1
8fb3d5f5e50fa17fb6c4524c80a3b007fe5cc7bd

SHA256
01a7c298c2139d9531098d4587770dc633a25f6c71aae7b85bd8eb7286e59957

SHA512
8d923e0fcedbd9085078be4b2790cc0ce817bc1a834d7d152e4f37e7c1530ad390aba2aead66a8274ebad093da72785f89ce2d2f1a9912705291f4ffcd0eb1b3

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
163KB

MD5
9d05af9a528b0180d68f57887febe2c3

SHA1
25e5bb93f141be0142ca3477b9dedc61e379c409

SHA256
3c5db3160aa86548a4d45ab79fce2d9d986f681ad3c1645b2b63e31d69edbafc

SHA512
e158a8eef07feefed9c2c3960bcaf4f5312ed24a23d994ca4db1d64f75ea0bf42f447a0affc86f3c8181920aabde9b8d639ff59c8744254455a2f0ccfdea0706

Download Submit
C:\Windows\SysWOW64\Nhakecld.exe

Filesize
163KB

MD5
9c2a5bace5c1edf08c795a48f37c8592

SHA1
f4bbca834ea310e2158801a214799f2886e2a5b0

SHA256
40a9df74eab6c82d194f9a75e2d5fa5e26458f0bc0e6d154426fe41cdd2e377e

SHA512
f064e89308d5e5f545da40ebc60241ab6c3870612cafe76bf863e06624ffa1e250dd9670c1e5c85701fb064f567a9011a14dec7a866645b1dd46a7730aa5b09a

Download Submit
C:\Windows\SysWOW64\Qfimhmlo.exe

Filesize
163KB

MD5
3e1e3424e16a03b14c945ba6f51de9e3

SHA1
6c627365d1221cdd10f3db28a051be916d86e019

SHA256
ae5bd6a450f840c78f36a8b9dc01056abaaf8ba732f21a84722de37c417764ec

SHA512
e450a42779135e151c492c172ef0c62df48fa9be29570fcb0a6b2d641243a079c8f6af5e993d3a767d371a64b7ac34b305390e6fdea475777e01a14bd6675ccc

Download Submit
\Windows\SysWOW64\Abgdnm32.exe

Filesize
163KB

MD5
a5bb2601e862a35af2deddccd94f0bd1

SHA1
374b8eae55c9d57e9f3f5ffa04dfda2ff7d63a2d

SHA256
055f1ae146ea83e86de9614303366dd024e13ce9b1b211e6f4fe51859014d851

SHA512
5c8e497bbc0a56562ddada72cbd61771f256a4167e085e037ed35639c2a70e1f54da4c660d16dccce858537962fba0d80083ce80b6f3fd18816ad499918c48aa

Download Submit
\Windows\SysWOW64\Aqanke32.exe

Filesize
163KB

MD5
1cbcb4d5bf2c31edf65eb20e9d1813da

SHA1
ff2bc9d41238122a3947f7dcf8a94dd810ac016a

SHA256
e336ab523afce8dd426fb710f1070e88de0b4e760bb3ec89954fe560a908b0f8

SHA512
3e587d31d280f3539a6f0c90f11e09919746fde083fc38eda299814bd71f84cd9234d3698e185b76d498ee2563d5c426b376cebf37906ea8d1c14dfe16365cef

Download Submit
\Windows\SysWOW64\Bnbnnm32.exe

Filesize
163KB

MD5
397e09d401e8dc5c970cf482e6471a02

SHA1
97368dfc477f1e3851071932bf327b01de08e01e

SHA256
1f478052809071e703cc26454135316fedc7b890d09af5d1bca2d5bda06e6d07

SHA512
ece0ace8a6aff8dac845379e57b3573e07b95e0ba531f5f3d8640c4eb7455e42b89390340a30e9c3d5d7cf916cdd2f2e143f9f5953cb39bba3c0809e2db9ef81

Download Submit
\Windows\SysWOW64\Mjgqcj32.exe

Filesize
163KB

MD5
69e28f835258ee86ecb005cf4df112f5

SHA1
dc79194386ef06ffc2ce66d77b6ba98a97cdbe7a

SHA256
d44b81e4817d8d443269c6c3554b9926f725abdd4ae8c76252d8b8bfe1a572a0

SHA512
c7ca9aa149e69d3ead53a61858b8619fac89915760f47672bbb784aba515d2132b440c7460fa3668ace77ee2f378c44de83f9b1e3f03fb02e81422542a23dd03

Download Submit
\Windows\SysWOW64\Nbbegl32.exe

Filesize
163KB

MD5
a49c9daa2c99e5792148adfafdc29c25

SHA1
9a9120dc622753f2da6ec2f359903fa1de19ef02

SHA256
546f7ebfd44d419bc0f7a08af16b9232822785334599c85fceee46d009fd872b

SHA512
d58ebe2b520be2a907d9c13f9a8f8cda826cdea3bccf4166178122c6acbf4eef7e44b35bed9ea92530e8bdac2ea1445158cb75cf6025cf29b9561cffdc2765de

Download Submit
\Windows\SysWOW64\Ndjhpcoe.exe

Filesize
163KB

MD5
f6238e063d0f05a279bbb3bf256de554

SHA1
25bf0d3c27cee131fef9a752c6fd44e2a6296020

SHA256
576c8064c5a057b154f5c1d0d168e594d5da9bd9785d812e2b8e896d40e24c59

SHA512
15ffc63f6db3c5518b2676873d6c138284066223e2aee1a7daca589dcf6ac8859532ee2058e11a43c8e93c49de7981c060120fc3199c91ca691836bd65bdff52

Download Submit
\Windows\SysWOW64\Ocdnloph.exe

Filesize
163KB

MD5
820961338ddb6ca2655916ae46251aaf

SHA1
c37dcf1d5480261f64a6261d2b05570d72c36a79

SHA256
471f235705319447e89fd6a4b2d944bbcde7c0ef1262711301f753f25527d193

SHA512
f68c14f9eb033adb1562cabdc8448d1f37bb825d5c11d9201cc37922c359e20e59bb8d65108ced01f9157a449be6be1547110903830be5133544a72c8dd46dc0

Download Submit
\Windows\SysWOW64\Odckfb32.exe

Filesize
163KB

MD5
10833335c5907d7d89d40ab7adfdf956

SHA1
6b5b17978b571e04c1eaf120cd989456743c26e7

SHA256
217e2aa624db428ff1588d7d21c3b2835091ccf241502f5aa30b3a5eaa0c5c86

SHA512
17164fb671dc0fc0613c3d0c4750e3e352f9637dd67e4a8fec19749766e4ad78c3cf62bf2218ea113d1afc0b02fff159aee2256b3f755e539ed5698e24c3231d

Download Submit
\Windows\SysWOW64\Oheppe32.exe

Filesize
163KB

MD5
55ee217e8d10c7fb3b53eb2901e7716e

SHA1
f2f9bde54a1e75ee9f0a8b786c59840fafdd4ad6

SHA256
f8f6939ca88a5c7aef01e7b2d10d1cc66ffe4d7a67a86f4908cfcc952aa49107

SHA512
15e91a10dd5fb250d531e90110ba90dbe5849ee4b62eace63935402c8db682e522a0b221c935913272a76e7015e6e1b8603c77dd31990cff97b4716a81603286

Download Submit
\Windows\SysWOW64\Oobiclmh.exe

Filesize
163KB

MD5
2c34fba98a3bdeae4d3bf52b77623695

SHA1
b6eddf37278372120588d84d876337f49a1baf1d

SHA256
9f6c651635593d8a94bfcbaadabd484c86f62295b81aef5c23a085e30db83b93

SHA512
22fc1ddba430693a86ba3d062aa63e9c3cc649736cbfba4a83c1f42b942d8dd6129e1edad3fa3e2cfdf5fc615d221e631aa303b377e7d580839c63a467bf4d0d

Download Submit
\Windows\SysWOW64\Penjdien.exe

Filesize
163KB

MD5
63d70c5ca23f364ff6ab6238ede3fa77

SHA1
aa5dce52d1b551f11dd17d1df97ea144ba4087e7

SHA256
26ae45189371269f3fbfcaabb20470885b6cc8ff9b9b8a23d0602edb05180bdb

SHA512
52fbe4cc7343a1383d6d292c36fcd00398932b14061bb0cd6625ee767171ff61d88ac0989d1af0037cee91306508cb5a66302c10c5c08c845bd57f2db47ad774

Download Submit
\Windows\SysWOW64\Pkfiaqgk.exe

Filesize
163KB

MD5
c666f2c30f43113aadcafd46731d7775

SHA1
c412b3a4a0a5914dde5fb94067553bef93fb04c8

SHA256
ed3303e83d14be81e481b331691818b5c6790f8c7da5ce8370309f14d4d4eb57

SHA512
abb345e4b2358295e39f2168606d8c318c13108e2aed154c6c56f4a10fc4850786e8b59c381fdf915598f2b5c73ec1d5d9981cc32c22753778a253b668b5485d

Download Submit
\Windows\SysWOW64\Pniohk32.exe

Filesize
163KB

MD5
7f446e4484b23b043b966126481bc121

SHA1
79a3877e2ad6a94c9fd4c7371212169dd3b6f28c

SHA256
f4197805dfe3900a0df7823fa2301ce5e27a74109a2cdef8cb43a36ef72a8a4c

SHA512
887442a1a507c62f53885fdf4c226e42c224a17d28ae89cf4edbecbd74f2f178bc75c0fd33405f5f4b0e3765a3363dbcb79933ef3e4a0f7d0c5ae34133154b2c

Download Submit
memory/336-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/336-199-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/336-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/336-187-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/928-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/928-25-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/928-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/928-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-291-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/936-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/956-270-0x0000000000230000-0x0000000000283000-memory.dmp

Filesize
332KB

Download
memory/956-266-0x0000000000230000-0x0000000000283000-memory.dmp

Filesize
332KB

Download
memory/956-260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/956-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/956-333-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/972-248-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/972-339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/972-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-186-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1020-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-180-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1048-12-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1048-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1048-368-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1048-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-302-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1052-301-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1052-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-237-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1296-238-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1296-228-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-313-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1704-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-312-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1704-332-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1756-209-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/1756-219-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2020-351-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2020-146-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-280-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/2040-281-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/2040-271-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2100-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2100-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2100-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2100-50-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2100-49-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2156-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2156-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2156-227-0x0000000000230000-0x0000000000283000-memory.dmp

Filesize
332KB

Download
memory/2156-226-0x0000000000230000-0x0000000000283000-memory.dmp

Filesize
332KB

Download
memory/2216-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2216-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2216-113-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2216-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-171-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2444-324-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2444-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2444-314-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2444-323-0x0000000000220000-0x0000000000273000-memory.dmp

Filesize
332KB

Download
memory/2528-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2528-338-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2528-255-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2528-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2528-259-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2548-363-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2548-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2660-66-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2660-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2660-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2744-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-132-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2952-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-130-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2952-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads