Analysis
-
max time kernel
113s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
10-11-2024 00:47
Static task
static1
Behavioral task
behavioral1
Sample
4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Resource
win10v2004-20241007-en
General
-
Target
4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
-
Size
64KB
-
MD5
4e208f7bf107ac59c1eb6705e64cfce0
-
SHA1
3a321b63c790441660d93a2a455be826c9fe66e0
-
SHA256
4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6
-
SHA512
7b3de9ed19fb61bac21701d08cf07ba2a6a11878a0f10e535d1c655f7987976165ec53764726cb22ff741b399e878f0cd2c1a880bfc9355cab583269aa7955ef
-
SSDEEP
1536:LTfp9Jb4gSjKbbLGJz/QYRqkcx5iZuYDPf:3RXn4zQY8kOiZuY7f
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs
Processes: Chmibmlo.exe, Ochenfdn.exe, Qcjoci32.exe, Aljmbknm.exe, Cggcofkf.exe, Ockbdebl.exe, Beggec32.exe, Cpohhk32.exe, Qijdqp32.exe, Afndjdpe.exe, Cniajdkg.exe, Abgaeddg.exe, Aicfgn32.exe, Pcmoie32.exe, Pnimpcke.exe, Admgglep.exe, Bodhjdcc.exe, Binikb32.exe, Bknfeege.exe, 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe, Qanolm32.exe, Pbgefa32.exe, Chjmmnnb.exe, Pfnhkq32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chmibmlo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ochenfdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qcjoci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aljmbknm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cggcofkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ochenfdn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ockbdebl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beggec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpohhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ockbdebl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qijdqp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afndjdpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cniajdkg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcjoci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beggec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chmibmlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qijdqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aljmbknm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abgaeddg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aicfgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cggcofkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcmoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcmoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnimpcke.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpohhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cniajdkg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Admgglep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Admgglep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bodhjdcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Binikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bknfeege.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qanolm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abgaeddg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbgefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afndjdpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aicfgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Binikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chjmmnnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnimpcke.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbgefa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bodhjdcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bknfeege.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chjmmnnb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfnhkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfnhkq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qanolm32.exe
-
Berbew family
-
Executes dropped EXE 24 IoCs
Processes: Ochenfdn.exe, Ockbdebl.exe, Pcmoie32.exe, Pfnhkq32.exe, Pnimpcke.exe, Pbgefa32.exe, Qcjoci32.exe, Qanolm32.exe, Qijdqp32.exe, Afndjdpe.exe, Aljmbknm.exe, Abgaeddg.exe, Aicfgn32.exe, Admgglep.exe, Bodhjdcc.exe, Binikb32.exe, Bknfeege.exe, Beggec32.exe, Cggcofkf.exe, Cpohhk32.exe, Chjmmnnb.exe, Chmibmlo.exe, Cniajdkg.exe, Coindgbi.exe
pid | process
2456 | Ochenfdn.exe
2912 | Ockbdebl.exe
2836 | Pcmoie32.exe
2884 | Pfnhkq32.exe
2588 | Pnimpcke.exe
1240 | Pbgefa32.exe
1652 | Qcjoci32.exe
1936 | Qanolm32.exe
2664 | Qijdqp32.exe
2372 | Afndjdpe.exe
368 | Aljmbknm.exe
2192 | Abgaeddg.exe
1680 | Aicfgn32.exe
2600 | Admgglep.exe
2360 | Bodhjdcc.exe
1920 | Binikb32.exe
960 | Bknfeege.exe
1656 | Beggec32.exe
2084 | Cggcofkf.exe
1744 | Cpohhk32.exe
2072 | Chjmmnnb.exe
2236 | Chmibmlo.exe
1048 | Cniajdkg.exe
2004 | Coindgbi.exe
-
Loads dropped DLL 48 IoCs
Processes: 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe, Ochenfdn.exe, Ockbdebl.exe, Pcmoie32.exe, Pfnhkq32.exe, Pnimpcke.exe, Pbgefa32.exe, Qcjoci32.exe, Qanolm32.exe, Qijdqp32.exe, Afndjdpe.exe, Aljmbknm.exe, Abgaeddg.exe, Aicfgn32.exe, Admgglep.exe, Bodhjdcc.exe, Binikb32.exe, Bknfeege.exe, Beggec32.exe, Cggcofkf.exe, Cpohhk32.exe, Chjmmnnb.exe, Chmibmlo.exe, Cniajdkg.exe
pid | process | entries (the report lists each process twice)
2900 | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe | 2
2456 | Ochenfdn.exe | 2
2912 | Ockbdebl.exe | 2
2836 | Pcmoie32.exe | 2
2884 | Pfnhkq32.exe | 2
2588 | Pnimpcke.exe | 2
1240 | Pbgefa32.exe | 2
1652 | Qcjoci32.exe | 2
1936 | Qanolm32.exe | 2
2664 | Qijdqp32.exe | 2
2372 | Afndjdpe.exe | 2
368 | Aljmbknm.exe | 2
2192 | Abgaeddg.exe | 2
1680 | Aicfgn32.exe | 2
2600 | Admgglep.exe | 2
2360 | Bodhjdcc.exe | 2
1920 | Binikb32.exe | 2
960 | Bknfeege.exe | 2
1656 | Beggec32.exe | 2
2084 | Cggcofkf.exe | 2
1744 | Cpohhk32.exe | 2
2072 | Chjmmnnb.exe | 2
2236 | Chmibmlo.exe | 2
1048 | Cniajdkg.exe | 2
-
Drops file in System32 directory 64 IoCs
Processes: Abgaeddg.exe, Beggec32.exe, Chjmmnnb.exe, Chmibmlo.exe, Ochenfdn.exe, Ockbdebl.exe, Pcmoie32.exe, Binikb32.exe, Cpohhk32.exe, Qanolm32.exe, Qijdqp32.exe, Aljmbknm.exe, Aicfgn32.exe, 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe, Admgglep.exe, Cggcofkf.exe, Cniajdkg.exe, Pfnhkq32.exe, Bknfeege.exe, Bodhjdcc.exe, Pnimpcke.exe, Qcjoci32.exe, Afndjdpe.exe, Pbgefa32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Aicfgn32.exe | Abgaeddg.exe
File opened for modification | C:\Windows\SysWOW64\Cggcofkf.exe | Beggec32.exe
File created | C:\Windows\SysWOW64\Mpgoaiep.dll | Chjmmnnb.exe
File opened for modification | C:\Windows\SysWOW64\Cniajdkg.exe | Chmibmlo.exe
File created | C:\Windows\SysWOW64\Ockbdebl.exe | Ochenfdn.exe
File created | C:\Windows\SysWOW64\Pcmoie32.exe | Ockbdebl.exe
File opened for modification | C:\Windows\SysWOW64\Pcmoie32.exe | Ockbdebl.exe
File opened for modification | C:\Windows\SysWOW64\Pfnhkq32.exe | Pcmoie32.exe
File created | C:\Windows\SysWOW64\Bknfeege.exe | Binikb32.exe
File created | C:\Windows\SysWOW64\Fbjhhm32.dll | Ochenfdn.exe
File opened for modification | C:\Windows\SysWOW64\Chjmmnnb.exe | Cpohhk32.exe
File opened for modification | C:\Windows\SysWOW64\Ockbdebl.exe | Ochenfdn.exe
File created | C:\Windows\SysWOW64\Jcfddmhe.dll | Pcmoie32.exe
File opened for modification | C:\Windows\SysWOW64\Qijdqp32.exe | Qanolm32.exe
File created | C:\Windows\SysWOW64\Afndjdpe.exe | Qijdqp32.exe
File opened for modification | C:\Windows\SysWOW64\Abgaeddg.exe | Aljmbknm.exe
File created | C:\Windows\SysWOW64\Eobohl32.dll | Aicfgn32.exe
File created | C:\Windows\SysWOW64\Ochenfdn.exe | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
File created | C:\Windows\SysWOW64\Admgglep.exe | Aicfgn32.exe
File created | C:\Windows\SysWOW64\Bodhjdcc.exe | Admgglep.exe
File created | C:\Windows\SysWOW64\Cpohhk32.exe | Cggcofkf.exe
File created | C:\Windows\SysWOW64\Clmkgm32.dll | Cpohhk32.exe
File opened for modification | C:\Windows\SysWOW64\Coindgbi.exe | Cniajdkg.exe
File created | C:\Windows\SysWOW64\Hmecge32.dll | Abgaeddg.exe
File opened for modification | C:\Windows\SysWOW64\Bknfeege.exe | Binikb32.exe
File created | C:\Windows\SysWOW64\Pnimpcke.exe | Pfnhkq32.exe
File opened for modification | C:\Windows\SysWOW64\Admgglep.exe | Aicfgn32.exe
File created | C:\Windows\SysWOW64\Acdlnnal.dll | Admgglep.exe
File created | C:\Windows\SysWOW64\Beggec32.exe | Bknfeege.exe
File created | C:\Windows\SysWOW64\Peapkpkj.dll | Beggec32.exe
File opened for modification | C:\Windows\SysWOW64\Cpohhk32.exe | Cggcofkf.exe
File created | C:\Windows\SysWOW64\Qijdqp32.exe | Qanolm32.exe
File created | C:\Windows\SysWOW64\Lecaooal.dll | Aljmbknm.exe
File opened for modification | C:\Windows\SysWOW64\Aicfgn32.exe | Abgaeddg.exe
File created | C:\Windows\SysWOW64\Binikb32.exe | Bodhjdcc.exe
File opened for modification | C:\Windows\SysWOW64\Binikb32.exe | Bodhjdcc.exe
File created | C:\Windows\SysWOW64\Idcnlffk.dll | Binikb32.exe
File opened for modification | C:\Windows\SysWOW64\Chmibmlo.exe | Chjmmnnb.exe
File created | C:\Windows\SysWOW64\Pilkle32.dll | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
File opened for modification | C:\Windows\SysWOW64\Afndjdpe.exe | Qijdqp32.exe
File opened for modification | C:\Windows\SysWOW64\Ochenfdn.exe | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
File created | C:\Windows\SysWOW64\Pbgefa32.exe | Pnimpcke.exe
File opened for modification | C:\Windows\SysWOW64\Qanolm32.exe | Qcjoci32.exe
File created | C:\Windows\SysWOW64\Aljmbknm.exe | Afndjdpe.exe
File created | C:\Windows\SysWOW64\Chmibmlo.exe | Chjmmnnb.exe
File created | C:\Windows\SysWOW64\Ohodgb32.dll | Cniajdkg.exe
File opened for modification | C:\Windows\SysWOW64\Pnimpcke.exe | Pfnhkq32.exe
File opened for modification | C:\Windows\SysWOW64\Pbgefa32.exe | Pnimpcke.exe
File created | C:\Windows\SysWOW64\Anpmohcl.dll | Pnimpcke.exe
File created | C:\Windows\SysWOW64\Lnfbic32.dll | Qcjoci32.exe
File opened for modification | C:\Windows\SysWOW64\Aljmbknm.exe | Afndjdpe.exe
File created | C:\Windows\SysWOW64\Cnfnahkp.dll | Cggcofkf.exe
File created | C:\Windows\SysWOW64\Cniajdkg.exe | Chmibmlo.exe
File created | C:\Windows\SysWOW64\Kpfdhgca.dll | Bodhjdcc.exe
File created | C:\Windows\SysWOW64\Cggcofkf.exe | Beggec32.exe
File created | C:\Windows\SysWOW64\Coindgbi.exe | Cniajdkg.exe
File created | C:\Windows\SysWOW64\Pfnhkq32.exe | Pcmoie32.exe
File created | C:\Windows\SysWOW64\Khpbbn32.dll | Chmibmlo.exe
File created | C:\Windows\SysWOW64\Bchmahjj.dll | Pbgefa32.exe
File created | C:\Windows\SysWOW64\Fmdkki32.dll | Afndjdpe.exe
File created | C:\Windows\SysWOW64\Abgaeddg.exe | Aljmbknm.exe
File created | C:\Windows\SysWOW64\Qanolm32.exe | Qcjoci32.exe
File created | C:\Windows\SysWOW64\Gaklhb32.dll | Qanolm32.exe
File created | C:\Windows\SysWOW64\Djiiddfd.dll | Qijdqp32.exe
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: Pbgefa32.exe, Admgglep.exe, Binikb32.exe, Aljmbknm.exe, Cggcofkf.exe, Cniajdkg.exe, Coindgbi.exe, 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe, Ochenfdn.exe, Ockbdebl.exe, Pcmoie32.exe, Cpohhk32.exe, Pfnhkq32.exe, Pnimpcke.exe, Afndjdpe.exe, Bknfeege.exe, Aicfgn32.exe, Bodhjdcc.exe, Beggec32.exe, Chjmmnnb.exe, Qcjoci32.exe, Qanolm32.exe, Qijdqp32.exe, Abgaeddg.exe, Chmibmlo.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbgefa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Admgglep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Binikb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aljmbknm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cggcofkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cniajdkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Coindgbi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ochenfdn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ockbdebl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcmoie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpohhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfnhkq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnimpcke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afndjdpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bknfeege.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aicfgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bodhjdcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Beggec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chjmmnnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcjoci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qanolm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qijdqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abgaeddg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chmibmlo.exe
-
Modifies registry class 64 IoCs
Processes: Aljmbknm.exe, Binikb32.exe, Pbgefa32.exe, Qijdqp32.exe, Chjmmnnb.exe, Chmibmlo.exe, Ockbdebl.exe, Qanolm32.exe, Afndjdpe.exe, 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe, Pfnhkq32.exe, Abgaeddg.exe, Cpohhk32.exe, Cggcofkf.exe, Aicfgn32.exe, Bodhjdcc.exe, Ochenfdn.exe, Admgglep.exe, Beggec32.exe, Pcmoie32.exe, Pnimpcke.exe, Bknfeege.exe, Qcjoci32.exe, Cniajdkg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aljmbknm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Binikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchmahjj.dll" | Pbgefa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qijdqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chjmmnnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chmibmlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ockbdebl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qanolm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiiddfd.dll" | Qijdqp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Afndjdpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmlooqi.dll" | Pfnhkq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abgaeddg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpohhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfnhkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecaooal.dll" | Aljmbknm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cggcofkf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afndjdpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aicfgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll" | Bodhjdcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cggcofkf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ochenfdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbgefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll" | Admgglep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peapkpkj.dll" | Beggec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cpohhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbcekpd.dll" | Ockbdebl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfnhkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjhhm32.dll" | Ochenfdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfddmhe.dll" | Pcmoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anpmohcl.dll" | Pnimpcke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qanolm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qijdqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdkki32.dll" | Afndjdpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pilkle32.dll" | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bknfeege.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Beggec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chjmmnnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll" | Chjmmnnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Admgglep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bodhjdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll" | Bknfeege.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcmoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bodhjdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfbic32.dll" | Qcjoci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aljmbknm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" | Chmibmlo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ochenfdn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aicfgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cniajdkg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ockbdebl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qcjoci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll" | Cggcofkf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chmibmlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklhb32.dll" | Qanolm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Beggec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnimpcke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbgefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll" | Binikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Binikb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe
-
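The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence mechanism: the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names a CLSID, and that CLSID's InProcServer32 default value names the DLL Explorer.exe will load at logon. Neither table shows the join. The script below is an added example (not part of the sandbox report or of any vendor tooling) that parses rows in the report's own "description ioc process" shape, joins the SSODL value to the InProcServer32 DLL, and flags entries whose CLSID is not on an allowlist or whose DLL does not match the expected one. The sample rows are a constructed subset of the report; the WebCheck rows are an assumed benign registration added for contrast (the CLSID and DLL name are Windows' own, the writer process is made up), and the allowlist is an assumption to be replaced with values from a known-clean host. Note that each dropped stage rewrites the same CLSID with a different DLL name, so the DLL that finally backs the entry is whichever write came last; the report's file-drop table is capped at 64 rows, so some of those DLLs (Ofmlooqi.dll, Ekbcekpd.dll, Kbmamh32.dll) never appear in it.

```python
import re

# Constructed sample input: registry events in the same "description ioc process"
# shape as the report's tables. The Berbew rows are copied from the report above;
# the two WebCheck rows are an assumed benign registration added for contrast
# (a real Windows SSO, but the writer process here is made up).
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochenfdn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ochenfdn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnhkq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmlooqi.dll" Pfnhkq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfnhkq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbgefa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchmahjj.dll" Pbgefa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" TrustedInstaller.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\System32\\webcheck.dll" TrustedInstaller.exe
"""

# Assumed allowlist: CLSID -> DLL basename that Windows itself registers under
# ShellServiceObjectDelayLoad. Populate it from a known-clean host of the same build.
KNOWN_GOOD = {
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}": "webcheck.dll",  # WebCheck
}

EVENT_RE = re.compile(r'^(Key created|Set value \(str\)) (.+?)(?: = "(.*)")? (\S+)$')
SSODL_MARK = "\\ShellServiceObjectDelayLoad\\"
INPROC_DEFAULT_RE = re.compile(
    r"\\Classes(?:\\Wow6432Node)?\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32\\$", re.I)


def parse_events(text):
    """Split each report row into (action, path, value-or-None, writer process)."""
    rows = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: " + line)
        rows.append(m.groups())
    return rows


def analyze(text, allowlist=KNOWN_GOOD):
    """Join SSODL value writes to the CLSID's InProcServer32 default value.

    Returns one finding per SSODL entry name, suspicious ones first. The DLL
    backing the entry is whichever InProcServer32 write came last; earlier
    writes are kept in dll_history because each dropped stage re-registers it.
    """
    ssodl = {}    # entry name -> {"clsid", "writers"}
    servers = {}  # CLSID -> {"dll", "history"}
    for action, path, value, proc in parse_events(text):
        if action != "Set value (str)":
            continue  # key creation alone carries no payload; the value writes do
        idx = path.find(SSODL_MARK)
        if idx != -1:
            name = path[idx + len(SSODL_MARK):]
            e = ssodl.setdefault(name, {"clsid": None, "writers": []})
            e["clsid"] = value.upper()
            e["writers"].append(proc)
            continue
        m = INPROC_DEFAULT_RE.search(path)
        if m:
            dll = value.replace("\\\\", "\\")  # the report escapes backslashes
            s = servers.setdefault(m.group(1).upper(), {"dll": None, "history": []})
            s["dll"] = dll
            s["history"].append((dll, proc))

    findings = []
    for name, e in ssodl.items():
        srv = servers.get(e["clsid"], {"dll": None, "history": []})
        dll = srv["dll"]
        expected = allowlist.get(e["clsid"])
        ok = (dll is not None and expected is not None
              and dll.rsplit("\\", 1)[-1].lower() == expected.lower())
        findings.append({
            "value": name, "clsid": e["clsid"], "dll": dll,
            "writers": e["writers"], "dll_history": srv["history"],
            # unknown CLSID, unexpected DLL, no server at all, or several distinct
            # processes rewriting the same entry are each treated as a red flag
            "suspicious": (not ok) or len(set(e["writers"])) > 1,
        })
    findings.sort(key=lambda f: not f["suspicious"])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{tag:10} SSODL\\{f['value']} -> {f['clsid']} -> {f['dll']} "
              f"(written by {', '.join(f['writers'])})")
```

The same join works on live telemetry: feed it Sysmon event ID 13 (registry value set) records instead of report rows, and on a host without an event feed compare the current SSODL values against the CLSIDs' InProcServer32 paths directly. A value pointing at a DLL in SysWOW64 with a random eight-letter name, or a CLSID not present on a clean reference build, is the indicator to act on.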
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe, Ochenfdn.exe, Ockbdebl.exe, Pcmoie32.exe, Pfnhkq32.exe, Pnimpcke.exe, Pbgefa32.exe, Qcjoci32.exe, Qanolm32.exe, Qijdqp32.exe, Afndjdpe.exe, Aljmbknm.exe, Abgaeddg.exe, Aicfgn32.exe, Admgglep.exe, Bodhjdcc.exe
description                          pid    process                                                                  target process
PID 2900 wrote to memory of 2456     2900   4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe   Ochenfdn.exe
PID 2456 wrote to memory of 2912     2456   Ochenfdn.exe                                                             Ockbdebl.exe
PID 2912 wrote to memory of 2836     2912   Ockbdebl.exe                                                             Pcmoie32.exe
PID 2836 wrote to memory of 2884     2836   Pcmoie32.exe                                                             Pfnhkq32.exe
PID 2884 wrote to memory of 2588     2884   Pfnhkq32.exe                                                             Pnimpcke.exe
PID 2588 wrote to memory of 1240     2588   Pnimpcke.exe                                                             Pbgefa32.exe
PID 1240 wrote to memory of 1652     1240   Pbgefa32.exe                                                             Qcjoci32.exe
PID 1652 wrote to memory of 1936     1652   Qcjoci32.exe                                                             Qanolm32.exe
PID 1936 wrote to memory of 2664     1936   Qanolm32.exe                                                             Qijdqp32.exe
PID 2664 wrote to memory of 2372     2664   Qijdqp32.exe                                                             Afndjdpe.exe
PID 2372 wrote to memory of 368      2372   Afndjdpe.exe                                                             Aljmbknm.exe
PID 368 wrote to memory of 2192      368    Aljmbknm.exe                                                             Abgaeddg.exe
PID 2192 wrote to memory of 1680     2192   Abgaeddg.exe                                                             Aicfgn32.exe
PID 1680 wrote to memory of 2600     1680   Aicfgn32.exe                                                             Admgglep.exe
PID 2600 wrote to memory of 2360     2600   Admgglep.exe                                                             Bodhjdcc.exe
PID 2360 wrote to memory of 1920     2360   Bodhjdcc.exe                                                             Binikb32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe (depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\4f1923fee8c26eac382c6ca4db3239fb6721860e8621e4ee03215c52d7ea08d6N.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ochenfdn.exe (depth 2), command line: C:\Windows\system32\Ochenfdn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ockbdebl.exe (depth 3), command line: C:\Windows\system32\Ockbdebl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Pcmoie32.exe (depth 4), command line: C:\Windows\system32\Pcmoie32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pfnhkq32.exe (depth 5), command line: C:\Windows\system32\Pfnhkq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Pnimpcke.exe (depth 6), command line: C:\Windows\system32\Pnimpcke.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Pbgefa32.exe (depth 7), command line: C:\Windows\system32\Pbgefa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Qcjoci32.exe (depth 8), command line: C:\Windows\system32\Qcjoci32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Qanolm32.exe (depth 9), command line: C:\Windows\system32\Qanolm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Qijdqp32.exe (depth 10), command line: C:\Windows\system32\Qijdqp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Afndjdpe.exe (depth 11), command line: C:\Windows\system32\Afndjdpe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Aljmbknm.exe (depth 12), command line: C:\Windows\system32\Aljmbknm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Abgaeddg.exe (depth 13), command line: C:\Windows\system32\Abgaeddg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Aicfgn32.exe (depth 14), command line: C:\Windows\system32\Aicfgn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Admgglep.exe (depth 15), command line: C:\Windows\system32\Admgglep.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Bodhjdcc.exe (depth 16), command line: C:\Windows\system32\Bodhjdcc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Binikb32.exe (depth 17), command line: C:\Windows\system32\Binikb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Bknfeege.exe (depth 18), command line: C:\Windows\system32\Bknfeege.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Beggec32.exe (depth 19), command line: C:\Windows\system32\Beggec32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Cggcofkf.exe (depth 20), command line: C:\Windows\system32\Cggcofkf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Cpohhk32.exe (depth 21), command line: C:\Windows\system32\Cpohhk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Chjmmnnb.exe (depth 22), command line: C:\Windows\system32\Chjmmnnb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Chmibmlo.exe (depth 23), command line: C:\Windows\system32\Chmibmlo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Cniajdkg.exe (depth 24), command line: C:\Windows\system32\Cniajdkg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Coindgbi.exe (depth 25), command line: C:\Windows\system32\Coindgbi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004
Network
MITRE ATT&CK Enterprise v15
Downloads