berbew | 1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Size

194KB
MD5

e5eefa2f4d10c9b71b13a1c1a79546b0
SHA1

c005b736f9888f1f55b50d3fb5539b16f4185a08
SHA256

1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071
SHA512

f195cbf0323d81e46cd2ea0a818f182cbc5eb95033e84e5b56f3d1ca7ae4affbc95e1f8d694c4cd9743567b2c155d25d0a970ed24a92902c757629f4b83f0338
SSDEEP

6144:mwngsEdn7Sck/TdSfUNRbCeKpNYxWlJ7mkD6pNY:tgpw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apddce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apddce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 38 IoCs

pid	Process
2248	Omcbkl32.exe
4348	Oflfdbip.exe
3936	Podkmgop.exe
2668	Pdqcenmg.exe
2636	Pmhkflnj.exe
3196	Pkklbh32.exe
1520	Pcbdcf32.exe
4060	Pbddobla.exe
4404	Pecpknke.exe
3484	Pmjhlklg.exe
2276	Pkmhgh32.exe
2816	Pcdqhecd.exe
1656	Pfbmdabh.exe
4212	Piaiqlak.exe
5052	Pmmeak32.exe
4968	Pokanf32.exe
3420	Pbimjb32.exe
3296	Pehjfm32.exe
3796	Pmoagk32.exe
3600	Pkabbgol.exe
2644	Pcijce32.exe
1300	Qfgfpp32.exe
1956	Qifbll32.exe
1628	Qmanljfo.exe
3288	Qppkhfec.exe
5000	Qbngeadf.exe
4792	Qelcamcj.exe
4396	Qihoak32.exe
4340	Qkfkng32.exe
3512	Qpbgnecp.exe
2144	Abpcja32.exe
3240	Aeopfl32.exe
4016	Amfhgj32.exe
3560	Apddce32.exe
224	Abcppq32.exe
640	Aealll32.exe
1044	Aimhmkgn.exe
2696	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Piaiqlak.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pbimjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Aimhmkgn.exe	Aealll32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Amfhgj32.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Ihbdmc32.dll	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Jkiigchm.dll	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Oenflo32.dll	Qifbll32.exe
File created	C:\Windows\SysWOW64\Abpcja32.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Gkhikf32.dll	Podkmgop.exe
File created	C:\Windows\SysWOW64\Pmhkflnj.exe	Pdqcenmg.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Pkklbh32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Piaiqlak.exe
File opened for modification	C:\Windows\SysWOW64\Pehjfm32.exe	Pbimjb32.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qppkhfec.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Hfqgoo32.dll	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Abcppq32.exe	Apddce32.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Haafdi32.dll	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Pokanf32.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbgnecp.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Podkmgop.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Aealll32.exe
File created	C:\Windows\SysWOW64\Pdqcenmg.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Pbimjb32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Pnnggcqk.dll	Pokanf32.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qmanljfo.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Pbphca32.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdqhecd.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Cjokai32.dll	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Knojng32.dll	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pbddobla.exe
File opened for modification	C:\Windows\SysWOW64\Pecpknke.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Abpcja32.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aeopfl32.exe

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knojng32.dll"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieonn32.dll"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Podkmgop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 2248	4508	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe	89
PID 4508 wrote to memory of 2248	4508	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe	89
PID 4508 wrote to memory of 2248	4508	1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe	89
PID 2248 wrote to memory of 4348	2248	Omcbkl32.exe	90
PID 2248 wrote to memory of 4348	2248	Omcbkl32.exe	90
PID 2248 wrote to memory of 4348	2248	Omcbkl32.exe	90
PID 4348 wrote to memory of 3936	4348	Oflfdbip.exe	91
PID 4348 wrote to memory of 3936	4348	Oflfdbip.exe	91
PID 4348 wrote to memory of 3936	4348	Oflfdbip.exe	91
PID 3936 wrote to memory of 2668	3936	Podkmgop.exe	92
PID 3936 wrote to memory of 2668	3936	Podkmgop.exe	92
PID 3936 wrote to memory of 2668	3936	Podkmgop.exe	92
PID 2668 wrote to memory of 2636	2668	Pdqcenmg.exe	93
PID 2668 wrote to memory of 2636	2668	Pdqcenmg.exe	93
PID 2668 wrote to memory of 2636	2668	Pdqcenmg.exe	93
PID 2636 wrote to memory of 3196	2636	Pmhkflnj.exe	94
PID 2636 wrote to memory of 3196	2636	Pmhkflnj.exe	94
PID 2636 wrote to memory of 3196	2636	Pmhkflnj.exe	94
PID 3196 wrote to memory of 1520	3196	Pkklbh32.exe	95
PID 3196 wrote to memory of 1520	3196	Pkklbh32.exe	95
PID 3196 wrote to memory of 1520	3196	Pkklbh32.exe	95
PID 1520 wrote to memory of 4060	1520	Pcbdcf32.exe	96
PID 1520 wrote to memory of 4060	1520	Pcbdcf32.exe	96
PID 1520 wrote to memory of 4060	1520	Pcbdcf32.exe	96
PID 4060 wrote to memory of 4404	4060	Pbddobla.exe	97
PID 4060 wrote to memory of 4404	4060	Pbddobla.exe	97
PID 4060 wrote to memory of 4404	4060	Pbddobla.exe	97
PID 4404 wrote to memory of 3484	4404	Pecpknke.exe	98
PID 4404 wrote to memory of 3484	4404	Pecpknke.exe	98
PID 4404 wrote to memory of 3484	4404	Pecpknke.exe	98
PID 3484 wrote to memory of 2276	3484	Pmjhlklg.exe	99
PID 3484 wrote to memory of 2276	3484	Pmjhlklg.exe	99
PID 3484 wrote to memory of 2276	3484	Pmjhlklg.exe	99
PID 2276 wrote to memory of 2816	2276	Pkmhgh32.exe	100
PID 2276 wrote to memory of 2816	2276	Pkmhgh32.exe	100
PID 2276 wrote to memory of 2816	2276	Pkmhgh32.exe	100
PID 2816 wrote to memory of 1656	2816	Pcdqhecd.exe	101
PID 2816 wrote to memory of 1656	2816	Pcdqhecd.exe	101
PID 2816 wrote to memory of 1656	2816	Pcdqhecd.exe	101
PID 1656 wrote to memory of 4212	1656	Pfbmdabh.exe	102
PID 1656 wrote to memory of 4212	1656	Pfbmdabh.exe	102
PID 1656 wrote to memory of 4212	1656	Pfbmdabh.exe	102
PID 4212 wrote to memory of 5052	4212	Piaiqlak.exe	103
PID 4212 wrote to memory of 5052	4212	Piaiqlak.exe	103
PID 4212 wrote to memory of 5052	4212	Piaiqlak.exe	103
PID 5052 wrote to memory of 4968	5052	Pmmeak32.exe	104
PID 5052 wrote to memory of 4968	5052	Pmmeak32.exe	104
PID 5052 wrote to memory of 4968	5052	Pmmeak32.exe	104
PID 4968 wrote to memory of 3420	4968	Pokanf32.exe	105
PID 4968 wrote to memory of 3420	4968	Pokanf32.exe	105
PID 4968 wrote to memory of 3420	4968	Pokanf32.exe	105
PID 3420 wrote to memory of 3296	3420	Pbimjb32.exe	106
PID 3420 wrote to memory of 3296	3420	Pbimjb32.exe	106
PID 3420 wrote to memory of 3296	3420	Pbimjb32.exe	106
PID 3296 wrote to memory of 3796	3296	Pehjfm32.exe	107
PID 3296 wrote to memory of 3796	3296	Pehjfm32.exe	107
PID 3296 wrote to memory of 3796	3296	Pehjfm32.exe	107
PID 3796 wrote to memory of 3600	3796	Pmoagk32.exe	108
PID 3796 wrote to memory of 3600	3796	Pmoagk32.exe	108
PID 3796 wrote to memory of 3600	3796	Pmoagk32.exe	108
PID 3600 wrote to memory of 2644	3600	Pkabbgol.exe	109
PID 3600 wrote to memory of 2644	3600	Pkabbgol.exe	109
PID 3600 wrote to memory of 2644	3600	Pkabbgol.exe	109
PID 2644 wrote to memory of 1300	2644	Pcijce32.exe	110

C:\Users\Admin\AppData\Local\Temp\1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe
"C:\Users\Admin\AppData\Local\Temp\1199cf4877a8d7f98b392673123354476c24c74b504440951c0b8ab0401ce071N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\Omcbkl32.exe
  C:\Windows\system32\Omcbkl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Oflfdbip.exe
    C:\Windows\system32\Oflfdbip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\Podkmgop.exe
      C:\Windows\system32\Podkmgop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcja32.exe

Filesize
194KB

MD5
2101ee3a5c4e2e0d6eab2117a01e71ba

SHA1
42d15877ea56e29921c39f7089c8b6dee720d9a1

SHA256
cd89598f39cb323ebe513a26b74088e04ac0c9878c10dd017fd9883969f5006a

SHA512
01dbf8f6f57dd9a04b1cd7f58860b59e8eed36a07ba4decb44df6c586900cd7f12263503b46cd455b658672ccff4120c281c635572e0e535b22e6b40cbf61604

Download Submit
C:\Windows\SysWOW64\Aeopfl32.exe

Filesize
194KB

MD5
bb2f689a9bda11b9c8d9d5850dc99c27

SHA1
bb16db0655f03ad7f4a5910b63474226daf2c828

SHA256
da1701dd8c4d22218f3d0fd49770a3b474ab6270eec3809e627f50e952618a1a

SHA512
bd407861e3986318d0aa283524a201de60eafbe864fc76a94dfa18565161cffc1801aaaa18ae3a5729a14a0a9442993947a173c62b15be080b58b8e464437800

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
194KB

MD5
edcf6941c961406085a779f355e34404

SHA1
2ea8ce25a9601213727f9381126635c80e9a4a0c

SHA256
f0c6dcedeaff1dd64e556614c0790f99a2939d7ad8bca03dc507dbb491959d34

SHA512
3421f8c824de798abcba52bb9eeccbb5db184a8a28694fdc44f5d9b8365d5882786de9f2ecefa83e25b2469e2e5d62b2f3f9472f48795e85bb96fcec34cc49e6

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
194KB

MD5
82647a45cfa3cf8a70211f20231eb53f

SHA1
cc98af585ccd521d49b7cf768b7eae66dc31b3d7

SHA256
74315768873a15fefc68dbfe5a2bb90319452183c374b130ddeb2180abad771f

SHA512
4d27faae3e0d578792685a42883c131103c12827f82ae3c414775e618c7eee73a273f7e8dcdddffbc5f0d70e4e02136ffe27a226bc235e2c687553df892e1f95

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
194KB

MD5
b7d7e63496d1cc51a01c3b76bd65e788

SHA1
32eabd66bcd7e71e12ac210091b2644d89e3a381

SHA256
f0e2b5f37e9d1df8ba2ee24c5ccd23ff3ad6d57c13f23b3c16f9ba543c8a696d

SHA512
ec16fce780acf58b95ffb2042b738eebf8e5e20b8f68c0027771d5453bca8b7b2c2ba035891d0988c37f2c19c1ff43cb51b46adf20561b7bcd05d0cf782d211c

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
194KB

MD5
f7e40bd6c5f845dd69b7808c46fa42c5

SHA1
c4341713973af3421c727ea52d159dc21fdc8fb2

SHA256
f04891d82819e75c73f5ebffb05d2a822a1927a7db652c8a8b9b2f38c87c3b85

SHA512
e739bc42c7a46dbaf416d59c38b275d0aee7c3f0fa114f18fc555c37a5ee9fec5649223a377261dd63ce9392bce2bde11fdc96003336fa2c767bdf57ee2ea130

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
194KB

MD5
8121f533fbbd6824fd73d4fbcae3d899

SHA1
5ed578828769e2a93f78ecd066f27fe9cd05679c

SHA256
0efa5105e90cd34bf0b74a34599d6bb5ddd16a3fce8bbebe66e93fdd98a1d334

SHA512
ec319afb0d0d3e9c04ddbf5726e94f28c66749c26d7cd0d4b4a49feb8bb04206661730c534c5b44a2829d7447da63170748dc785c3027675a6bf55739d5034e0

Download Submit
C:\Windows\SysWOW64\Pcdqhecd.exe

Filesize
194KB

MD5
4760cf63e946c63944c3ca0d044f6308

SHA1
66547e239e26a66aa988a255bd149a316e17126a

SHA256
9896ff93580fd526f346f2d036332e21e3333682d61e1488b47618df5419ac4b

SHA512
4a562e974c442370b35dc6b51539c668d430e9403412a21aa9aa91cdec32ae6431082d99e4266a955f307b417226b893d50c5fbe79fcc12cfafae00415d0cadb

Download Submit
C:\Windows\SysWOW64\Pcijce32.exe

Filesize
194KB

MD5
e7c5afea5a1108f522d347e58f22f3a9

SHA1
7daa7a2a3d7ead5b7ac262ff480f761cddd23b0e

SHA256
d255afb7efa1058cd895b083e299860f58cb43f26122e47aba36a0b95169bb74

SHA512
583c92a378b5ad728c5a16ea880292463d71770fddac143bfc3cdbbc8df43683aae3d820fb66f4c005670bd853f63bfb4c221f8dbd4ce3c7887f21da36458fad

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
194KB

MD5
019a121b77187397d07b9b25e5e3fff0

SHA1
35b7e500236a0fbd6dfcd60018f9a00c9880cd8a

SHA256
0ca720d84205af674c08bb2f7c7dbf2d211662ea0a05dd9fecf9aff6f6ed9531

SHA512
e0c13d670060f8f543aa1e2e64938935874d44a2a3b6aa86edf7b57c6c4a3353ad643863992210f51ac8e994e97c3b2f93c967c91288cba56af40a7e876a7c88

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
194KB

MD5
a1b5e4d6841e02a2044f2474592f4ecc

SHA1
3159bbcc2338407c9a532e27526adbc2638a00e6

SHA256
f338fb38e607c79a512ac5adbdcaf738cbc91e47de3e682ed7200c4b796b8bde

SHA512
6150ed5bcb9b6df62f196565134809985917249a38524e07e71376f19efa3135e85f1b9a5402d13db56aba657d4f0094cecbba26910a5c3baa197cadd0c95f53

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
194KB

MD5
0ce9bce270b50daf49820713a10661e7

SHA1
2b723dfcbb5cea0300582ca5dfb2a84169f78d4c

SHA256
1a37171192ce3b878a0d81218f3ce5b8172f0384254dd353ad11c0ac6f751cfd

SHA512
1d20d2b96892eafca2372840dc8078367d7ed4f38c2bf5fc59024af609f22c1e9aa1c4c4dd36dfc19545e6a738ef26984f197f4d05c6eb9fd3f0c1e5c779bde4

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
194KB

MD5
a9a12f697e1a08695a4434a8859d3590

SHA1
cb8dd8f92e404c9dbd617cd71c41c90f7af73aaa

SHA256
67755b4522e79f8f74251a08a5d95d012c4ebe8ad13a822e3c8a0edae7f63bb9

SHA512
b5162dd9ec2a7e33168d61e25ca4914185a3b244befa3e1a16089353d5c8c8f0a27bc0f4654edffc12b2790ca73c0e7ac2fb18471060cabc32701728a558d1da

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
194KB

MD5
6a4d18dd885d1c2418c7f310760ac800

SHA1
4f986c17686d66c6837789cc23f6cf6595e2b889

SHA256
dd6f177519b548bc99153eea356ced2303c6fed1341ab8fdc21ed5bc9f3ec3e0

SHA512
5ffe72f1f611416e18befbf85cb50614ddfcaa498e02eff6d40a99e35589f63698e1c083b388787a9f6603217478b2dbaae829e0d718a17b913422cef1e06c2d

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
194KB

MD5
53889f2fdfaefeb93a8adf5fbea50d2b

SHA1
70d1e393d541ce09e0359a3ba82a315f12a21b9e

SHA256
2684aa167be671853d3195c452afb11abbc70e8f9a86271e9bd2309d548f1173

SHA512
8cd417d0ca0dcd17dece4977007767c8207a15374dba07a48659dbdf02b445cbb977debdf48c4964933b3b8d1d3dc062a649d1af81cdff6221d759d4b80fa154

Download Submit
C:\Windows\SysWOW64\Pkklbh32.exe

Filesize
194KB

MD5
5b3a34caa268e0b131a29ac70d4b2ae6

SHA1
a21c0de47b13ea0bb49057a388edc91dd26da5f8

SHA256
3c96180a1a631a80edf68f9d15bab4a34d7f94c81d2abfc628958f2ac2aaadfb

SHA512
cac7c59e80312e21bec2f308fcea5a98d77c9b838f7558b51899987705e4a5333d89fe9ceb6bbea725c35514b4d12b56b9813a0d94036d3ebb58ca76823b7a2c

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
194KB

MD5
0bc82aa8b24fb61e49e7ec6616d09ac1

SHA1
7b765cb9dd1a596659e8374d8a121e7e46e74b14

SHA256
4d8f60b6e4d3f5c28c2484559fa00b2ea4042e1012e269e1b228ccd7d07abe2c

SHA512
eced3054b27db06a11a97a66d3c07af05c08b96431e56039d11916717d63d6b2e721c808a70c5d9c9b5bfbd071f9981b352b038cfc5b817269b53c6ab6d857dc

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
194KB

MD5
45ca14ca6cb34d493024d7097d0b4845

SHA1
085c6c4227a2f7046378e994fb1d14e2be24cc3a

SHA256
03f89eb4bc6fe07e84f6483b00493ad8e7da94d422d5ab73bb0499f256577fb2

SHA512
2adfee7c2bc98220fbec8e4df405b1bb0c7d093568b32ac97f8dc2762b13aac2d20e86098f3ace1542fc3b17f8e83366056a82b3ee0225e6278d802167fb04e5

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
194KB

MD5
a15322505f493215c6df5e2a6f0337de

SHA1
5e650652351ac177694bb9e64edd1c4d0e8570b8

SHA256
c85f3a3d55d6e13823e5d723b72e9a9ca2763e91c4429081a2e8b51c9a94e6bc

SHA512
cfd094c3170a2b9261568afa91e46340011acd051342848d989076d02b43db79237b37ee146c02d19cfb9cc70d82b26856f25f86794d395f1ba17d33c4794a17

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
194KB

MD5
f02be54ed99c14419f675949e0110572

SHA1
f3279d8d96cd124c8f49876bc485684acf74dc2c

SHA256
76fcdfe7cc29c686deee4501067e43d7241b6140a2c307ea4d49303c1a3f0dff

SHA512
69056422c869dfb853c25877942e399fcd3602b54f9fb2d769d67935dc69b9956f9593d35f561e88f7930c502c14c07d96003d97e9f1bbfcb42b0bcb1d4175f5

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
194KB

MD5
d9be41ec0a993c34a1d70632d96d2ee7

SHA1
f734d0628128d1eb5cfe0c4fde09d769aab7699b

SHA256
44a97d9ed9ed10f1ea784f26debf755c545d0fc868bf57be5e94e2356227f8f9

SHA512
e4a06cf469213e8e154a21d46dfb3f17b3e4f1647b1efe095b7635c1ddfc3801517f356d8ed0b7a75849015f3c31b9a47d0e97f3409b1e2c36eb8b46e4be51b6

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe

Filesize
194KB

MD5
295154c9a6b1842f32cfbb71398a074d

SHA1
5d8743c85c650e3a25269372832e477d7fc37bbf

SHA256
b280d6cf46ebc8d36df093fb1860d81f793d1da9e139ee58a6f3d21be65af7f8

SHA512
aeb5b89f04a9eae9cbc89f8c548b847c1ef156dc1edda72375b41cf192c8df73c2058794ccd38d1648f6d758dbdc17dc1a0fbb17e5f00d56649f7a54241651f2

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
194KB

MD5
76a757e3059f4f760edd2b04f65e47bc

SHA1
326151ae4616e254435593901ca1e66424ad13fb

SHA256
344af43d28b76c78db991c41305736bc7f0c93015e2cd33c21cb37852e07fdde

SHA512
3729a793bc5e126cf7ee6e670c1a2c1a7eab0bd7b9f9194ddf53ab60e92b3fc886a791b99039bedb0e12b90b3fac87fe135ade2e356a3ea7dda89f0c6ee01eec

Download Submit
C:\Windows\SysWOW64\Qbngeadf.exe

Filesize
194KB

MD5
df2df3afbda119980614ca97bdfd780e

SHA1
5877211b031a5d6dd72fe5166d08f81a71189aa5

SHA256
abf2fe0ba81e8753cd4aa3fee879f01e9f599a796f26da304503b63540b5e301

SHA512
3e7de59cc32581752018a4dd18876d39269a0ddc493103727ee89057d7f1792bc8f752b733c59c60ad32d4d57e10ca8496f7027710ac31ec9553f480a1ed7a40

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
194KB

MD5
852f45329827dc66dfdfb8373ced2af6

SHA1
f32dd163aaf640b9735721832b6847b890545538

SHA256
9a0a00c43393f92e3d0368b070c7821f3f609a0a20f74a774c3a0f06a86474f0

SHA512
1f9a706580310a55fb20d9301e58e22a76cb3ca164ef40aa7cc1a68bc37fddad9e4b3c18dab8c490b9793f223ca00256d077d76c2bff0de1a694a0728a6534a1

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
194KB

MD5
e5c3ed7b00a4745779bef9b037006c29

SHA1
d0e406c091ba40a450d5822f072db12010341de0

SHA256
1b1be42dc8370c0fa80385c61d7b87bc094a3d0ce18682ae1349b09091aa8034

SHA512
b86afedb4c01d2c0a55a51c02cba1bf3f07d9f8dbbf20361b7861652e1fd727cc9781c99830b7c850fd3e908b2043a523c13909d35954c9129c9d06413006f9a

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
194KB

MD5
bdb604d8f7ea7d68521dda9f10326a0c

SHA1
f45e6bb79f3516f67ac185362b7cbf013e187899

SHA256
383114ce6fa79f7ed4f39f23d8791d19af9bb87c964d77f324176fc554aa60f3

SHA512
a1826a57cd940207a1b98133c91d029f0ca99d3c651d524ee18e9ca15ad4a7db584bd4deaca8c0a29ccffc196c026d5072d8148c35c83f2987a41e7beee6b41a

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
194KB

MD5
d175442723145c499bb31830d29b9391

SHA1
33b90b4e34d1c83381ca3dbf7d39d0e503f92692

SHA256
5d262ba7bd7b37915d6f98c94b6848982aeaed5a12d7f7dff6e0d20808213eb7

SHA512
5ecc685b0dc5bbc3fe5d41afb74b59f4fae98a005cf18e4eaee7156231a516e8f9f04f3a9ed6169a08a3b6ce153ac437b1b6b521d1cc6f64773d2ccf2391bae4

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
194KB

MD5
b30d3b7c1703d9cbdb919788e90a469d

SHA1
a0ec294eb537af6f8758ba923a7c764a69f0bacc

SHA256
db73bcb102ee64b19ec90dcc290aff056b329e8149d1fb87515210838498d2c7

SHA512
c0408d733b3734d4c87c3e7d8d3c23223043c8b681fcd6c77b75f40e49cb1d1ddf13ae1c80fc07bf11cfb4fbf804d1eb7775e3f3602786dc3f31691e28b806a5

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
194KB

MD5
347d2d0532945479296f19a1864dc766

SHA1
7ef0b94e23dfc1850be71d37f45f810efb3d649e

SHA256
ff82c554a6edaacfeee226dc53a7f49114204f30f5466b05ec1195622495fcfc

SHA512
d303a9dfc1b1b4667d44445f5041062279f9c824261dd2f9d67d25b9db5ff88addb1287c53c97b4c4a128a377e5f7e68eddf298dbee2d466582eff26158928c8

Download Submit
C:\Windows\SysWOW64\Qpbgnecp.exe

Filesize
194KB

MD5
73b7f5c7e829985768ff6d49016308f0

SHA1
92ccdf1221a3deb47cba9af91ac6f80076f905b8

SHA256
25963e4493558ac1c40ce2a97e90eacca2bebaa2e44c693159aa14768c3f9f75

SHA512
be441c63fd4dd9a53b24a9fe2366647c314115ce1ff6187bab3b4eb061a0b20a5d7e028ebc91238a6660b5cbb88ccd49950f91d0a3421f18d3df558eccc298d3

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
194KB

MD5
88b13055e19610c3643fbb5451ffd556

SHA1
a5b6905b68d149452bb8efbb2e40b8293e954d02

SHA256
8e080883aaf47c35cec40e87ac7db421cf6f50689aeed8827154c2684ab4fbc3

SHA512
ef91e0264e974dfdc400ce0c7173692a8c71ad941c350837bb57436b33a4d1cc5906f786c136e81885dad07256414cc2e6863c81b13cfd3ab42412acefea424f

Download Submit
memory/224-457-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/640-280-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/640-461-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1044-463-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1044-286-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1300-412-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1300-177-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1520-382-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1520-60-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1628-416-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1628-193-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1656-394-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1656-108-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1956-185-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1956-414-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2144-249-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2144-430-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2248-370-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2248-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-390-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-93-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2636-378-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2636-44-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2644-410-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2644-169-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-376-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2696-287-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2696-469-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-392-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3196-52-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3196-380-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3240-453-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3240-256-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3288-202-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3288-420-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3296-404-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3420-402-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3420-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3484-85-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3484-388-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3512-241-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3512-428-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3560-268-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3560-459-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3600-408-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3796-406-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3796-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3936-374-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3936-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4016-263-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4016-455-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4060-384-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4060-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4212-396-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4212-116-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4340-233-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4340-426-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4348-372-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4348-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4396-424-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4404-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4404-386-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4508-368-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4508-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4792-217-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4792-422-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4968-132-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4968-400-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5000-418-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5000-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5052-124-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5052-398-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads