berbew | c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9

Analysis

max time kernel
26s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Size

245KB
MD5

945849ea8f8feb995f855f2ae2ac8370
SHA1

0b9d178b16d9954657ccc973940e3c238b38c498
SHA256

c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9
SHA512

7d92d91978a1d7145adfab7eeb42621a33faa4e7c9981eff69946ab6c7298e11af1c00343c580ce7512f246c864a0799e062dc081dc51b62d8a60abd252ff165
SSDEEP

1536:Bz6+rVZyPt8Ul8yiYijKst1kRzARx36xf/4cXeXvubKrFEwMEwKhbArEwKhQL4co:Bz6oVZyeJJRjl1YuKxfwago+bAr+Qka

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdnko32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 26 IoCs

pid	Process
2596	Pmjqcc32.exe
2236	Pdaheq32.exe
2632	Pfdabino.exe
2652	Pbkbgjcc.exe
1344	Pbnoliap.exe
584	Poapfn32.exe
2504	Qkhpkoen.exe
2532	Qqeicede.exe
3036	Aaheie32.exe
2676	Aganeoip.exe
2960	Afgkfl32.exe
2092	Aaloddnn.exe
552	Aaolidlk.exe
2244	Acmhepko.exe
3060	Abbeflpf.exe
2324	Bilmcf32.exe
2160	Becnhgmg.exe
1524	Bjbcfn32.exe
1260	Bjdplm32.exe
616	Baohhgnf.exe
2120	Bkglameg.exe
2800	Bmeimhdj.exe
1964	Cpfaocal.exe
2832	Cbdnko32.exe
2740	Cklfll32.exe
2788	Ceegmj32.exe

Loads dropped DLL 56 IoCs

pid	Process
2884	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
2884	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
2596	Pmjqcc32.exe
2596	Pmjqcc32.exe
2236	Pdaheq32.exe
2236	Pdaheq32.exe
2632	Pfdabino.exe
2632	Pfdabino.exe
2652	Pbkbgjcc.exe
2652	Pbkbgjcc.exe
1344	Pbnoliap.exe
1344	Pbnoliap.exe
584	Poapfn32.exe
584	Poapfn32.exe
2504	Qkhpkoen.exe
2504	Qkhpkoen.exe
2532	Qqeicede.exe
2532	Qqeicede.exe
3036	Aaheie32.exe
3036	Aaheie32.exe
2676	Aganeoip.exe
2676	Aganeoip.exe
2960	Afgkfl32.exe
2960	Afgkfl32.exe
2092	Aaloddnn.exe
2092	Aaloddnn.exe
552	Aaolidlk.exe
552	Aaolidlk.exe
2244	Acmhepko.exe
2244	Acmhepko.exe
3060	Abbeflpf.exe
3060	Abbeflpf.exe
2324	Bilmcf32.exe
2324	Bilmcf32.exe
2160	Becnhgmg.exe
2160	Becnhgmg.exe
1524	Bjbcfn32.exe
1524	Bjbcfn32.exe
1260	Bjdplm32.exe
1260	Bjdplm32.exe
616	Baohhgnf.exe
616	Baohhgnf.exe
2120	Bkglameg.exe
2120	Bkglameg.exe
2800	Bmeimhdj.exe
2800	Bmeimhdj.exe
1964	Cpfaocal.exe
1964	Cpfaocal.exe
2832	Cbdnko32.exe
2832	Cbdnko32.exe
2740	Cklfll32.exe
2740	Cklfll32.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Dhbkakib.dll	Pdaheq32.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Ocdneocc.dll	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Pmjqcc32.exe	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
File opened for modification	C:\Windows\SysWOW64\Poapfn32.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pfdabino.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pbkbgjcc.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Pmjqcc32.exe	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	Pbkbgjcc.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Pdaheq32.exe	Pmjqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Aaolidlk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	2788	WerFault.exe	55

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdneocc.dll"	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Becnhgmg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2596	2884	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe	30
PID 2884 wrote to memory of 2596	2884	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe	30
PID 2884 wrote to memory of 2596	2884	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe	30
PID 2884 wrote to memory of 2596	2884	c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe	30
PID 2596 wrote to memory of 2236	2596	Pmjqcc32.exe	31
PID 2596 wrote to memory of 2236	2596	Pmjqcc32.exe	31
PID 2596 wrote to memory of 2236	2596	Pmjqcc32.exe	31
PID 2596 wrote to memory of 2236	2596	Pmjqcc32.exe	31
PID 2236 wrote to memory of 2632	2236	Pdaheq32.exe	32
PID 2236 wrote to memory of 2632	2236	Pdaheq32.exe	32
PID 2236 wrote to memory of 2632	2236	Pdaheq32.exe	32
PID 2236 wrote to memory of 2632	2236	Pdaheq32.exe	32
PID 2632 wrote to memory of 2652	2632	Pfdabino.exe	33
PID 2632 wrote to memory of 2652	2632	Pfdabino.exe	33
PID 2632 wrote to memory of 2652	2632	Pfdabino.exe	33
PID 2632 wrote to memory of 2652	2632	Pfdabino.exe	33
PID 2652 wrote to memory of 1344	2652	Pbkbgjcc.exe	34
PID 2652 wrote to memory of 1344	2652	Pbkbgjcc.exe	34
PID 2652 wrote to memory of 1344	2652	Pbkbgjcc.exe	34
PID 2652 wrote to memory of 1344	2652	Pbkbgjcc.exe	34
PID 1344 wrote to memory of 584	1344	Pbnoliap.exe	35
PID 1344 wrote to memory of 584	1344	Pbnoliap.exe	35
PID 1344 wrote to memory of 584	1344	Pbnoliap.exe	35
PID 1344 wrote to memory of 584	1344	Pbnoliap.exe	35
PID 584 wrote to memory of 2504	584	Poapfn32.exe	36
PID 584 wrote to memory of 2504	584	Poapfn32.exe	36
PID 584 wrote to memory of 2504	584	Poapfn32.exe	36
PID 584 wrote to memory of 2504	584	Poapfn32.exe	36
PID 2504 wrote to memory of 2532	2504	Qkhpkoen.exe	37
PID 2504 wrote to memory of 2532	2504	Qkhpkoen.exe	37
PID 2504 wrote to memory of 2532	2504	Qkhpkoen.exe	37
PID 2504 wrote to memory of 2532	2504	Qkhpkoen.exe	37
PID 2532 wrote to memory of 3036	2532	Qqeicede.exe	38
PID 2532 wrote to memory of 3036	2532	Qqeicede.exe	38
PID 2532 wrote to memory of 3036	2532	Qqeicede.exe	38
PID 2532 wrote to memory of 3036	2532	Qqeicede.exe	38
PID 3036 wrote to memory of 2676	3036	Aaheie32.exe	39
PID 3036 wrote to memory of 2676	3036	Aaheie32.exe	39
PID 3036 wrote to memory of 2676	3036	Aaheie32.exe	39
PID 3036 wrote to memory of 2676	3036	Aaheie32.exe	39
PID 2676 wrote to memory of 2960	2676	Aganeoip.exe	40
PID 2676 wrote to memory of 2960	2676	Aganeoip.exe	40
PID 2676 wrote to memory of 2960	2676	Aganeoip.exe	40
PID 2676 wrote to memory of 2960	2676	Aganeoip.exe	40
PID 2960 wrote to memory of 2092	2960	Afgkfl32.exe	41
PID 2960 wrote to memory of 2092	2960	Afgkfl32.exe	41
PID 2960 wrote to memory of 2092	2960	Afgkfl32.exe	41
PID 2960 wrote to memory of 2092	2960	Afgkfl32.exe	41
PID 2092 wrote to memory of 552	2092	Aaloddnn.exe	42
PID 2092 wrote to memory of 552	2092	Aaloddnn.exe	42
PID 2092 wrote to memory of 552	2092	Aaloddnn.exe	42
PID 2092 wrote to memory of 552	2092	Aaloddnn.exe	42
PID 552 wrote to memory of 2244	552	Aaolidlk.exe	43
PID 552 wrote to memory of 2244	552	Aaolidlk.exe	43
PID 552 wrote to memory of 2244	552	Aaolidlk.exe	43
PID 552 wrote to memory of 2244	552	Aaolidlk.exe	43
PID 2244 wrote to memory of 3060	2244	Acmhepko.exe	44
PID 2244 wrote to memory of 3060	2244	Acmhepko.exe	44
PID 2244 wrote to memory of 3060	2244	Acmhepko.exe	44
PID 2244 wrote to memory of 3060	2244	Acmhepko.exe	44
PID 3060 wrote to memory of 2324	3060	Abbeflpf.exe	45
PID 3060 wrote to memory of 2324	3060	Abbeflpf.exe	45
PID 3060 wrote to memory of 2324	3060	Abbeflpf.exe	45
PID 3060 wrote to memory of 2324	3060	Abbeflpf.exe	45

C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
"C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Pmjqcc32.exe
  C:\Windows\system32\Pmjqcc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\Pdaheq32.exe
    C:\Windows\system32\Pdaheq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Pfdabino.exe
      C:\Windows\system32\Pfdabino.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
245KB

MD5
845124e395d8956b975a33f943e504f7

SHA1
dccc3cf95c39f682f6ae153c960d20baaca7e0a8

SHA256
8e848b058a7e603aa69ab1b0e3dcc93c8a10c1098cadc7b0baa32e3621546929

SHA512
ad9cab28e584a992345e9ced1e254c1c75dca339d75c32d70e6d5d1cfb2b01d9632a29051281c38f4eba8b8a7ce5af02317e70c749df1e423a8496a21d1a0fcf

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
245KB

MD5
683ff554604113a7aa784589ecd590ca

SHA1
fe6dbffad72ee92c912f886426edf2231ebaaa70

SHA256
56e78ffc0dd6d8017ad38433f47d516e17f5747413f7d4c08e55c65110d9db93

SHA512
68a89547c0178626cf13b9ff42ac5b880d45ac405206055afe0f3cea3a81ca6a9c2325ae79ae87d6fed3cafc76a310a577ad0bebadde6bc67255315a50df5b51

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
245KB

MD5
39e523f6a7ab989bcbebe151b864658c

SHA1
f633e62e84722fc4d24eb88ce76e7cb50eee2985

SHA256
00466205a22af9f0e7f51db43a19131ae2f7fa5e0732efcd2f2aa8209bf9fd19

SHA512
fbd2e3ef0a2df04040ee6e501f946ba07ed563d37a87cfaaee20735c8facefdce5f58458fdb428e94f8ff7dedbaa4d848909b3c9d9dab26f8281cb2a760bf047

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
245KB

MD5
4c00a1972131735dab25ce0a1c3a938f

SHA1
9ad03b6a7e5d2d1ddce456a1f0dbad5374290b0c

SHA256
3c576b7c75d58eb95eeb726730ef839b3b7e0ae64aada649cef20cd3fa720472

SHA512
d05d6a275777d80684857e33aeea6b55e8406b1511e83ee9d24a2a94eeea6c4adc67c35d8ee697c4d592747fcbc1609ae05e2c719b84837ceeb1ed9126e34862

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
245KB

MD5
3a60dbdd354f4be25a6073d7cb2cced2

SHA1
bfcae50661a32b1eddbb936c78a86a4bef006230

SHA256
d46566d5676a1b0a80c313edee14c0484583a1eadaea85f6eca3fc5c7f8c4181

SHA512
7fa2a47254b29b5cb642ae64573345156500221b1fbc0dfbcff0a55079a13e92e75700dff6fe75b892fd762f6e43f6ec38750c0404da66db940b983fc6c77186

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
245KB

MD5
da9e257c226e7bbfaffff5ad891eb517

SHA1
3cd49509a3ece7ad2d5228ca23a61fed3c83b071

SHA256
8945f58c6d51094e6d9396f91e51c9cd0a52f523fde010d5d988018ab3475b8c

SHA512
ad7f104da036c0c89dc0f80f5f80d913c11a73d4222966c5196bc1ce0e6e4e26e48db8976fe22dc83faf375a37404981d0fd52257c25303422ec837c39837ea8

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
245KB

MD5
4279b7899bc154ed181dfae1e30e1dc3

SHA1
3849d31bd575849d1b1ffb32d7aef64a4dd25cb0

SHA256
bfffdc2ffe105b5df0481de16ccd9b203ccc5f6d69954ba08a92b81c14f76479

SHA512
d9b2130169fcf41ad0dd2a8b588b512946ef8f755c717235a6220dc28abbcd7749dccd02376646124e9d26dad3e2fc2e99f2b31e082fb0a2b8fc81b043cb2e49

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
245KB

MD5
5e0e6becc29ccb3a1a0b96c19589fca1

SHA1
d2da4c9acf1b2b4198a6dc38dd81603a6c50c895

SHA256
4e15441b09d9783026fa842f8b0dfd0c8491d5264f72c78039e8e0edaf62a40d

SHA512
e8981ee1d0c652461b67295df4bd625cfd72e60332a10e7bdcb7f4c3e70f26dcc81c572c95046402066191158d83bf1c26310e341f48b4dfd3a2804a085170d8

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
245KB

MD5
f8bf45f99e1d1009ff33abe534cec94e

SHA1
d006d32d9a3e0b92f84042b9776e85211867e833

SHA256
db1d39244cc172fa261319e1f32f23cacce7548360420e9baa0958b0dde470f2

SHA512
7cc02dad12f026a0d743c32a643f39650ed75d7ea02f841113b4feb88f61f842da0a6b077f9980783d1f625baee9cc24b76f4da26a81c7d8935d1f21847414ad

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
245KB

MD5
42e80748ea54750e55ae9d41e3c6b817

SHA1
acba568d5f2ed3caaa8f3a4e40538587239cddb1

SHA256
14e19c51fb74c0b7ad98b621d0359ff5828f8c7554b33f92dcc0925f7e1f16dd

SHA512
fc3c727d826be98de995f1bdc02cffe26d8d3dac73904784b4abc3199ebd4c98f7f82a6fd34ddd3e10e70d5fe0b65712698225e3da6dce325c37efdd30035958

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
245KB

MD5
cf71c69f4dfed4404b58461072f11d6b

SHA1
943b5b4040eab9a3dff0d0aa34f7c30c9fdf7816

SHA256
3df25a56541fb2236d5037b15a297f2c19916a7acae3e59ee73619da44b05477

SHA512
117c5402e23158b888c250e04f3522bb42f98c1d7b2bc8808ca752e9b797647ffedbd032724ff448512adc64c6c20ad87eb0e0dfb44a6050898ebe05ae38f1ab

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
245KB

MD5
dccf4400af71c9033a4b09a58343ee19

SHA1
cc732df12413ef7111ef8ef067cdf480d190454e

SHA256
09325efa4ab4fc56e9d85cd0b4cbf31b20e22221f88191ef5f217d26f5c06b7f

SHA512
b7dd63179605cb77700981c4de9da1dd30825e8932e51a3a3dadd1031b9062316d4694b59c5c24a789af011b656d9961da8a42c543ea5cad3193159bfba62d5f

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
245KB

MD5
a30f0db239a19bd06a8ed33d0ade701f

SHA1
169d627169bb7bccd6a180958dfaa62e1ddf68b4

SHA256
4b53f9b265a33849722f53773242e157f9bb13112b3e9eb1f965d812e9af070f

SHA512
c23614cfd8d7c19c5039d189d329df096e1e168e94f795e404cfcbe9005c239883c25d82bdbfcd5e71fadc96a807d1c8738e995e6b9de1aef6c1971a4ecc73bb

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
245KB

MD5
f5909d2a27f3a3012e50490ef9fb5dc9

SHA1
137e011613ca2864e23304f6959d2a28a4a486f3

SHA256
916a7d9ae3db2c9163164f5cd2e1c1bb06654e041662177c1d57dffc85757534

SHA512
95583806b1c621e98b5d0710056cbed2aa54615b6ea341e2be8744de2fa104004c4737038578f0879c44d8853d0df1f967ccec2a84dbb49ba040f6b86bf7ee50

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
245KB

MD5
ff5c9dbc12adc768dfa34487523c764d

SHA1
3bdea1e4a105d927694d1a3b38910e533b5f621a

SHA256
5d0ae160d5aa196453bd4055da97dee7b7277bfe55eafffa02fde75b6cf8b1c7

SHA512
a301cfdc4d15757ee9de99b78046fb9e03f8b36191b707a1ff03c8c090f3b020b2a16185f02f6eaedbae8467fbd4cb7deed0ef6785bb1de806c8fd1afd3d1cf6

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
245KB

MD5
2bf55f68a6af26dbb372057fb7563605

SHA1
f0a61088462ff8b9fc1baed419f1ad04904bca02

SHA256
98351bf64f19f0bb09284a1ff99859a9e8705788d06ab87009986766070a2f39

SHA512
92a14624b3bf950794f3f2aabd59be3dcc7bebc70a0a8b9fa84213a4173f72793d6bc359434c73455615ae588a555f4a7cb794f5196b520215e38bb60422cd3b

Download Submit
C:\Windows\SysWOW64\Pmjqcc32.exe

Filesize
245KB

MD5
87c79364cf9863646dd78722ce4b111b

SHA1
3bd4fdb4e6d54cc1c7e0ea695a901b3a22a546c1

SHA256
c93ee1a1198cfd35a3fd175343ecb4a5bc05c41677f1b963a08e976d4677603b

SHA512
94002cbcdc2aa32391db42870d7bb2cd13a93d6e656619ec85e74f54195ebfd1950a3f09e9d1efaeaf8bc8187d9c7666c997d496bac22f7118ce7338666c97a6

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
245KB

MD5
d5fba8583c545b4ba2d2a153c9a2b5de

SHA1
72a55914a26b559c4381189cd83980e9a4ca90e5

SHA256
cb2f350479fc35174ac65ee5ee027bbef5e86c221455827dded7fb43915b62b6

SHA512
8d3e14df32c3c82759934fb34570922a605fcd515a9700f4327e15c0fb5b902111cb70ce8ae68e38bc804804e75989679d11eaac0bef52e66597a03f9077b28a

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
245KB

MD5
e0e3d3bcdb70417c5ef0f6331315dd01

SHA1
4bc3515247e97e1506d5b80c983b027a00bdb542

SHA256
a379cc7e92acbd92e6cab108fabfcb601378f9d66f9312198260d9be5d501b58

SHA512
1b983c6f36de95b215daa6f6633e34fd84b8078baf4fa885ae56b69c6810b70d30ab1cf6d89d5d15143c4cce81c4141bf5148676176d3be4f054a19c190f2146

Download Submit
\Windows\SysWOW64\Afgkfl32.exe

Filesize
245KB

MD5
3aea35428da56d73af20a4ee906ddbda

SHA1
511ab078f5e5b00adb39e918676a7031cd98cdf0

SHA256
1d1f137ae1348cc19fee435d1f23ad3a83ad2500ae0b9b137d68875cd4a4f0ea

SHA512
e5cf403adf1a6d7418e9587caa469635586c1f903a32856d68097b5ae333dbf27e2f684f6edf8afee3ca05faa98b14486aab9e3db4c6228f3e7cbb51d40a3318

Download Submit
\Windows\SysWOW64\Bilmcf32.exe

Filesize
245KB

MD5
ee8f4b0351ca8f3942dac4f7260d04ac

SHA1
0e510295b592096cf7aeb2c6bf262ad32dee4246

SHA256
9e07e010d20ca4f5d28200359f52da0e5d6893981c905e6b463d7924f47655a6

SHA512
2a8f4fa2b7da9f6f2ce399e7ffb91672ad3ef1261f96e0c1addbeccefce9daa8b08d5d5c10a5c9633f86250a46df6ab8d2cbc85a76d0aa4c2d730ac8fda0ab5f

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
245KB

MD5
1ba3ce30ef34cdb7258ff3b0c3981be6

SHA1
710f2990145d5a66a736c5b149d4b5a657fa34a6

SHA256
6eb507fecf813d532461fac329e11e472fba6804678e44319b3b43c1216377aa

SHA512
4de9b5e0ad32f02ed7bf3b1963f5c2d1b06d58272cd12a5085e4aa593998dae36045c1b097580cf310b19e61f22d2bc287715168984a3efac148fed99a87a396

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
245KB

MD5
22290b74a7e6aaa31dce6936b23823a7

SHA1
7432b083790b63197845c02169ef5cec1b5f8cc9

SHA256
84e6678c4f6daa01632e65d4ca729703c2665579a50b6a09fb16d28d5edd4d04

SHA512
1c1f1cd28b2b428071ec926a903869e9d5feee402eab7c937469f6d9e5e8e8ba04efe05088c5d2d1aaaad8ca78edf934f281a12e05654395613bef9abb6ff0ae

Download Submit
\Windows\SysWOW64\Poapfn32.exe

Filesize
245KB

MD5
4b1616a3a4ee9d452a949474f7375396

SHA1
7cb411a7e2b0d27f96690bde05f3e5e7bdd8c752

SHA256
63baaf240e7d94f2d78c227baf19c608e4f3c47ad4e9891e2c8210edbff798d1

SHA512
db2e80c710e65c5673486a6816c82156d0bfbf5383a55bd70c0f795d2d0dc5d78293e19032bdcf0a080ee6f2f8a065c9117ac16891b8e14fb1a8d13f69c9a21a

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
245KB

MD5
932b6f2da1a72b3204b4868e6f23a25b

SHA1
0c9951149e44e508d4ad4ba38b0057c28e68adfa

SHA256
df34956890017af6ef04dff8d72601723f023ff892f887c9ae2bd9081f5453d2

SHA512
4ccc10dd44c98af83f264b7f4ccc9ec41b8df064c907cc6b292833b7d7fab21daaba2c940c8df67663e926dc8a866a0847460b0d3763b2d565bc64e336de4a44

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
245KB

MD5
d734abbcd50cc0dec2e06cab3e543bfb

SHA1
23f0daa69aecede276ffce60b43e255df41c3ca4

SHA256
5244d22e7e5cbf02c6452e65fd2707dc18ff67c2b970fae9e410f4a0b3d337e6

SHA512
c4d0077a043e3153bb505525ff9ef31434ed10d28fa05bbbfad8a93033d0dbcbf78de54819eb440bd5d9d1f639a57420b0d309475cb43d0ca5f82ab7abf981d0

Download Submit
memory/552-348-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/552-192-0x0000000002040000-0x00000000020A8000-memory.dmp

Filesize
416KB

Download
memory/552-350-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/552-184-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/552-185-0x0000000002040000-0x00000000020A8000-memory.dmp

Filesize
416KB

Download
memory/584-373-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/584-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/584-86-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/616-274-0x0000000001F90000-0x0000000001FF8000-memory.dmp

Filesize
416KB

Download
memory/616-334-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/616-275-0x0000000001F90000-0x0000000001FF8000-memory.dmp

Filesize
416KB

Download
memory/616-261-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1260-335-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1260-251-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1260-260-0x0000000000300000-0x0000000000368000-memory.dmp

Filesize
416KB

Download
memory/1344-368-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1524-249-0x0000000000330000-0x0000000000398000-memory.dmp

Filesize
416KB

Download
memory/1524-250-0x0000000000330000-0x0000000000398000-memory.dmp

Filesize
416KB

Download
memory/1524-240-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1964-346-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1964-303-0x0000000000390000-0x00000000003F8000-memory.dmp

Filesize
416KB

Download
memory/1964-297-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1964-302-0x0000000000390000-0x00000000003F8000-memory.dmp

Filesize
416KB

Download
memory/2092-170-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2092-157-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2092-356-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2092-169-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2120-281-0x0000000000280000-0x00000000002E8000-memory.dmp

Filesize
416KB

Download
memory/2120-280-0x0000000000280000-0x00000000002E8000-memory.dmp

Filesize
416KB

Download
memory/2120-329-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2120-331-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2160-232-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2160-239-0x00000000002E0000-0x0000000000348000-memory.dmp

Filesize
416KB

Download
memory/2160-339-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2160-337-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2160-235-0x00000000002E0000-0x0000000000348000-memory.dmp

Filesize
416KB

Download
memory/2236-26-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2236-367-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2244-186-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2244-200-0x00000000002D0000-0x0000000000338000-memory.dmp

Filesize
416KB

Download
memory/2244-199-0x00000000002D0000-0x0000000000338000-memory.dmp

Filesize
416KB

Download
memory/2244-343-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2324-347-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2324-227-0x00000000002D0000-0x0000000000338000-memory.dmp

Filesize
416KB

Download
memory/2324-217-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2324-228-0x00000000002D0000-0x0000000000338000-memory.dmp

Filesize
416KB

Download
memory/2504-378-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2504-379-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2532-376-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2532-104-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2532-377-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2596-371-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2596-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2632-364-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2632-39-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2652-361-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2652-59-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2652-370-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2652-52-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2676-354-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2676-129-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2676-137-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2740-319-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2740-372-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2740-325-0x0000000000260000-0x00000000002C8000-memory.dmp

Filesize
416KB

Download
memory/2740-324-0x0000000000260000-0x00000000002C8000-memory.dmp

Filesize
416KB

Download
memory/2740-359-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2788-344-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2788-326-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2788-338-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2800-291-0x0000000000300000-0x0000000000368000-memory.dmp

Filesize
416KB

Download
memory/2800-360-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2800-282-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2800-292-0x0000000000300000-0x0000000000368000-memory.dmp

Filesize
416KB

Download
memory/2800-357-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-330-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-313-0x00000000002D0000-0x0000000000338000-memory.dmp

Filesize
416KB

Download
memory/2832-314-0x00000000002D0000-0x0000000000338000-memory.dmp

Filesize
416KB

Download
memory/2832-308-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2884-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2884-17-0x0000000000330000-0x0000000000398000-memory.dmp

Filesize
416KB

Download
memory/2884-374-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2884-375-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2960-155-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2960-154-0x0000000000250000-0x00000000002B8000-memory.dmp

Filesize
416KB

Download
memory/2960-355-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2960-358-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3036-353-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3060-342-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3060-207-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3060-216-0x0000000001FD0000-0x0000000002038000-memory.dmp

Filesize
416KB

Download
memory/3060-214-0x0000000001FD0000-0x0000000002038000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads