c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5

Analysis

max time kernel
142s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Size

81KB
MD5

3bc7825dcd48780cb44bd3bf361b9a18
SHA1

3b3c69356383b0a35071478a5115b39c1c8e1f00
SHA256

c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5
SHA512

92def9b4d7286327fe33c4dd5508693d494e74ca4db8007b69b61c2f09d70eb3c239565583ff5f9da377706b9ff359f747db5e99430fb01e8ff1415f2b9e7873
SSDEEP

1536:Bz7ICocyZlAbkf5ueYwMtNbGUyp3DFthZ/f7m4LO++/+1m6KadhYxU33HX0L:N1o9ebaywnp3DvX/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peempn32.exe

Executes dropped EXE 20 IoCs

pid	Process
1912	Pbddobla.exe
1428	Pmjhlklg.exe
3916	Pcdqhecd.exe
1096	Peempn32.exe
1788	Pmmeak32.exe
2296	Pcfmneaa.exe
4244	Pfeijqqe.exe
4896	Pmoagk32.exe
4424	Pomncfge.exe
1056	Pbljoafi.exe
2536	Qifbll32.exe
3956	Qkdohg32.exe
1564	Qckfid32.exe
3144	Qihoak32.exe
2096	Qkfkng32.exe
4524	Qcncodki.exe
2504	Amfhgj32.exe
1588	Acppddig.exe
4316	Afnlpohj.exe
3948	Amhdmi32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pbljoafi.exe	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
File created	C:\Windows\SysWOW64\Cmnegipj.dll	Pmjhlklg.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Peempn32.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Odlpkg32.dll	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Ihbdmc32.dll	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Qcncodki.exe
File opened for modification	C:\Windows\SysWOW64\Peempn32.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Acppddig.exe
File created	C:\Windows\SysWOW64\Pcfmneaa.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Kannaq32.dll	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Pcdqhecd.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Qcncodki.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Pmjhlklg.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Acppddig.exe	Amfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Amfhgj32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Cogcho32.dll	Pbddobla.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
File opened for modification	C:\Windows\SysWOW64\Pfeijqqe.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Bgcboj32.dll	Peempn32.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Pfeijqqe.exe
File opened for modification	C:\Windows\SysWOW64\Qckfid32.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Edkamckh.dll	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Pmoagk32.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Qifbll32.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Pbljoafi.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Jknmpb32.dll	Pomncfge.exe
File created	C:\Windows\SysWOW64\Fldqdebb.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Peempn32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlpkg32.dll"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbljoafi.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1912	1704	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe	91
PID 1704 wrote to memory of 1912	1704	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe	91
PID 1704 wrote to memory of 1912	1704	c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe	91
PID 1912 wrote to memory of 1428	1912	Pbddobla.exe	92
PID 1912 wrote to memory of 1428	1912	Pbddobla.exe	92
PID 1912 wrote to memory of 1428	1912	Pbddobla.exe	92
PID 1428 wrote to memory of 3916	1428	Pmjhlklg.exe	93
PID 1428 wrote to memory of 3916	1428	Pmjhlklg.exe	93
PID 1428 wrote to memory of 3916	1428	Pmjhlklg.exe	93
PID 3916 wrote to memory of 1096	3916	Pcdqhecd.exe	94
PID 3916 wrote to memory of 1096	3916	Pcdqhecd.exe	94
PID 3916 wrote to memory of 1096	3916	Pcdqhecd.exe	94
PID 1096 wrote to memory of 1788	1096	Peempn32.exe	95
PID 1096 wrote to memory of 1788	1096	Peempn32.exe	95
PID 1096 wrote to memory of 1788	1096	Peempn32.exe	95
PID 1788 wrote to memory of 2296	1788	Pmmeak32.exe	96
PID 1788 wrote to memory of 2296	1788	Pmmeak32.exe	96
PID 1788 wrote to memory of 2296	1788	Pmmeak32.exe	96
PID 2296 wrote to memory of 4244	2296	Pcfmneaa.exe	98
PID 2296 wrote to memory of 4244	2296	Pcfmneaa.exe	98
PID 2296 wrote to memory of 4244	2296	Pcfmneaa.exe	98
PID 4244 wrote to memory of 4896	4244	Pfeijqqe.exe	99
PID 4244 wrote to memory of 4896	4244	Pfeijqqe.exe	99
PID 4244 wrote to memory of 4896	4244	Pfeijqqe.exe	99
PID 4896 wrote to memory of 4424	4896	Pmoagk32.exe	100
PID 4896 wrote to memory of 4424	4896	Pmoagk32.exe	100
PID 4896 wrote to memory of 4424	4896	Pmoagk32.exe	100
PID 4424 wrote to memory of 1056	4424	Pomncfge.exe	101
PID 4424 wrote to memory of 1056	4424	Pomncfge.exe	101
PID 4424 wrote to memory of 1056	4424	Pomncfge.exe	101
PID 1056 wrote to memory of 2536	1056	Pbljoafi.exe	102
PID 1056 wrote to memory of 2536	1056	Pbljoafi.exe	102
PID 1056 wrote to memory of 2536	1056	Pbljoafi.exe	102
PID 2536 wrote to memory of 3956	2536	Qifbll32.exe	103
PID 2536 wrote to memory of 3956	2536	Qifbll32.exe	103
PID 2536 wrote to memory of 3956	2536	Qifbll32.exe	103
PID 3956 wrote to memory of 1564	3956	Qkdohg32.exe	104
PID 3956 wrote to memory of 1564	3956	Qkdohg32.exe	104
PID 3956 wrote to memory of 1564	3956	Qkdohg32.exe	104
PID 1564 wrote to memory of 3144	1564	Qckfid32.exe	105
PID 1564 wrote to memory of 3144	1564	Qckfid32.exe	105
PID 1564 wrote to memory of 3144	1564	Qckfid32.exe	105
PID 3144 wrote to memory of 2096	3144	Qihoak32.exe	106
PID 3144 wrote to memory of 2096	3144	Qihoak32.exe	106
PID 3144 wrote to memory of 2096	3144	Qihoak32.exe	106
PID 2096 wrote to memory of 4524	2096	Qkfkng32.exe	107
PID 2096 wrote to memory of 4524	2096	Qkfkng32.exe	107
PID 2096 wrote to memory of 4524	2096	Qkfkng32.exe	107
PID 4524 wrote to memory of 2504	4524	Qcncodki.exe	108
PID 4524 wrote to memory of 2504	4524	Qcncodki.exe	108
PID 4524 wrote to memory of 2504	4524	Qcncodki.exe	108
PID 2504 wrote to memory of 1588	2504	Amfhgj32.exe	109
PID 2504 wrote to memory of 1588	2504	Amfhgj32.exe	109
PID 2504 wrote to memory of 1588	2504	Amfhgj32.exe	109
PID 1588 wrote to memory of 4316	1588	Acppddig.exe	110
PID 1588 wrote to memory of 4316	1588	Acppddig.exe	110
PID 1588 wrote to memory of 4316	1588	Acppddig.exe	110
PID 4316 wrote to memory of 3948	4316	Afnlpohj.exe	111
PID 4316 wrote to memory of 3948	4316	Afnlpohj.exe	111
PID 4316 wrote to memory of 3948	4316	Afnlpohj.exe	111

C:\Users\Admin\AppData\Local\Temp\c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe
"C:\Users\Admin\AppData\Local\Temp\c4ff95475196d9ef352500ccf678508584cff1d36b446711b0c82551612d62a5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\Pbddobla.exe
  C:\Windows\system32\Pbddobla.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\Pmjhlklg.exe
    C:\Windows\system32\Pmjhlklg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\Pcdqhecd.exe
      C:\Windows\system32\Pcdqhecd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        21⤵
        Executes dropped EXE
        
        PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3796,i,1468394940417093286,13535766203427582426,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:8
1⤵
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acppddig.exe

Filesize
81KB

MD5
4ea5b00b6e4c8f03e182f50fcab7bf2a

SHA1
76c9b3aed58c93a1dc13d49bb83c65344cbcc292

SHA256
b1e1c08bb91bbace2d38b80b88666773feb3de4d0e8b0c280f9ee1c6e64b6e59

SHA512
2ad2e1f3281b37a66333eb6dd83e9c5c947e7a2e8f02c337cf21d2252b731b41282c9ad80db9454fe6c01f92066318740262eb4ef05fa96ee73b36022ae8dd6e

Download Submit
C:\Windows\SysWOW64\Afnlpohj.exe

Filesize
81KB

MD5
35d3e2821c088769e95e3587c0a40a93

SHA1
9c5740e1cfe8c00ffdc56dbdc649540f34eb2443

SHA256
bd80e6f3defa2a2ab3a683fffcdca2c0a1142b39da22c6ab431de6b4179b7fc4

SHA512
d61c41cfc76b333d3e96a6ff9191cd59ba74be1f9f2a543bbcd84f89507dc4616235de02eed9a429ba146773d56d9d7fbda3d8538b254c186425e9dccdcd11b4

Download Submit
C:\Windows\SysWOW64\Amfhgj32.exe

Filesize
81KB

MD5
b371ac9bd407e34368dbd95712e3ea4d

SHA1
db35c80ee91f066285023a5445758d47643620c9

SHA256
7d53ee608e19061451a99d238a8aa225395162e5265289a170af1b68b7c2a0f9

SHA512
821e637c851e153932053d73d79ee7185e8e9d11c8c5db4d30c33777948f69d3de08ddfcf9b7994a9612f2071e30f3ae13aec2d617cd5e6b4f8fb29253bd9340

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
81KB

MD5
7764160b05adab8131473b397bbefcfb

SHA1
2463d029c5f4bc32ab71718135eedfd2c61c6c6e

SHA256
c3c112dd433e6d4536c3f88b5c049de3fb968db3a34f63927e0c3bf72fc0fb02

SHA512
19420594430890b7e867211c89eb4e2fc7eeb1fd5e7909562a568676ec94967cc9602ac4b8b667c544932e5d0703d2a2b7419e4843000f60a80ce039a7f16b89

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
81KB

MD5
d5a8eb7012e30e654f236393a467b711

SHA1
84e94c7ab28fc094ab879f386e0feb6c0100a87c

SHA256
fd4f04e6ed7425046062d7c9c10ccf9feba793a45232ce33074b9b4d92a9da99

SHA512
07ed76c9612dd6ae12883609c591661d8b08d5681ca6d1b6718a69486a81a42f6c6427ae058c0a132ba835bd7a2c7b57374f650c8cbda36ea8a8b105319bc5c6

Download Submit
C:\Windows\SysWOW64\Pbljoafi.exe

Filesize
81KB

MD5
c82ac05267b21e634b62836b12338af5

SHA1
ceba3f0d90971101e9f1572343772decf66607cc

SHA256
04b460478de5b65ec78a581a572f7b97821cd7f61b637ccfdd4aaeac6b215574

SHA512
06d9b6ab8ba8b2faae67d56cb076ad8b36e96b3265fa039034704cdb39e1be18c9a954a113db336e5b9b1ba207fa859b43e7c8eaafdaa7f7d4b41934ee632cd3

Download Submit
C:\Windows\SysWOW64\Pcdqhecd.exe

Filesize
81KB

MD5
60c2bc8c3690475c58a6f31c3690e2ff

SHA1
42840a531b96c58605eab8ac38124660a1829028

SHA256
36bd6cf31998defd73e128a2b163ad704a073032e89fa08019ebf65e730567e2

SHA512
d6ca8da3e955ad9e59c0695d98dcc2addcc716ef910f6a13a0237c276376c9458847b80fde951b278a437a26ca2641a7107e7ea2423caaabd062b57ea0dd8f1a

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
81KB

MD5
668239e954f385d0956fd4b822e791fe

SHA1
62da97f459846f0832b63a41dec8b81755bddb78

SHA256
353e9ba06102facd80807af741ef7da68cd36b0a9acbd0fb5466d78a571fd954

SHA512
cfc5c22fef217b433bf261f3e68991a5994bf5c3cba917c310590067ad64a4cc8f3aaeb39e882b264d92292887cce3ce6885f95ef1c7165d1482f58de070b6cc

Download Submit
C:\Windows\SysWOW64\Peempn32.exe

Filesize
81KB

MD5
91031449c3d62a94e33b44c8eea11932

SHA1
4b4c83c4d81de31bff7a3c533b4fd51fbb11a65c

SHA256
76e006debece1a942dbd15f047f993f0609a6131c34468f8f203a23fc14df2f6

SHA512
d4058cd3e7c35083c8acffcd87ba0a0a1e736d7335fd0155713b2d109e762cedbfb02e7a334aaf674450d6faeae938286a5ff1978784067f2e3be0a5ebcb7d81

Download Submit
C:\Windows\SysWOW64\Pfeijqqe.exe

Filesize
81KB

MD5
159c2a75429de46fb32ed57104f35e12

SHA1
ab7ba159d023dc803ae193c80867fa539c88b3bc

SHA256
b47f9ae08cc6189d3f806951c135ff508fa3a508d2e7bfd4e1f56edaa6ebde96

SHA512
38f64aa8a723ae74c615b96933da88c446385ebb0ec8f5fb78848515374ecaf48f785de3c8a6a4ba24f4915efc179943c4f4f469faefc62cdf6ba04a2929af3a

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
81KB

MD5
78db8a61fedf647660b5c0d7ccdc5e1e

SHA1
de98b2f7ac383cd0fecb038e5994e66d73011396

SHA256
113a810cfa909f06c39e92f0b589f1b828880bfb68bc15941e33beb45003aeac

SHA512
4685ef8f00cf42d9ac71bdd99def753225cb86b36d54a6f1f9554086e46461114093efbc03ee69b79648f54915e3707cca6cca3c63955b1ec4c68d2ef2003f2c

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
81KB

MD5
32292651b082e22d2d6cf595dbac3413

SHA1
fd2ad97bf924b47850f45bba21432c78d5f7699d

SHA256
d0a68fa07e657bd88cd3e2fc0198e9acb812d68a1822c1592bf4ec5116e78b4e

SHA512
e1d049c442bdf2371e7056225e1e3472789568c4eb7e8eb2cc9180400e8c72eeb99e762a3629718c231feca11997aa981eb3d905c2bda6a1ac7d7d546bc535e6

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
81KB

MD5
c0a4dc173b54014ea5a1b75a6fd6cf71

SHA1
cf47154ffe017fda32a032766ed5693dbac92119

SHA256
3b1259ea019274dc2dffa31aaf80b23e085a97343f988a59a7d42c1fae646411

SHA512
16bae4d02e5592f68dcc81a62638ce93f9d365a038c1cce2b572fe45ce9184557336f94ac52e412d70ed8f9b466142139d09722518a4fe9587f8fcbbbc9a2355

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
81KB

MD5
c722790983c4b14da54198d35c81dbd7

SHA1
cd589c26fbb435bccb712ed4ece114970f9b0bf7

SHA256
6c004eca5e46c2152fb9bcfc633528a6fbde53f24a65a3d64424a10f33f6893b

SHA512
5e9cfea0f14bdcc14086718d465db936ad7c255aaa8fc12cf66f87bf7356250381584596125c386c0240957dc7bcdfe669a6c2a9b9a36d33651943b2ed7712b5

Download Submit
C:\Windows\SysWOW64\Qckfid32.exe

Filesize
81KB

MD5
1fcedf163ee45556d4ed1de580b76a4a

SHA1
64f8234869eb550ff302cdc88db5ce3f6a587ae3

SHA256
e24493cbcc03806ef68a4b80d6a99b3f04aa1a71edec2600f6fb950f41ab70e3

SHA512
879b03b3c21d98b4dad245c7a73d406950fe2e4d0e1806d7dcb79fee71e40e335a28ace5e049cdda55e3197e74405b76afb88cf96c6e2fa61a3db32d1b7ad94d

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
81KB

MD5
22dbdab302bde8c7d2b13f73cbacf948

SHA1
87700c023848bacb9aec911d0419c76271811561

SHA256
94c8cb10a8233ef1a85c7079c2e342c26500ed6a007a3c8bff121ad66164b87f

SHA512
26b8b2b37ffcc30c25563bf21996fc66227a5c08ed019c4e528215da9c7f0919a30da420f6ae6f8fe44e98682956e965cf5087a6ad02dabfde6e5099f7bca904

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
81KB

MD5
4ababece34092bdc16bfc93b1bf475b9

SHA1
35b4a9d75af23a1c0cac8f4e410d05df81db5d4f

SHA256
0045ab90109a14fd432c612991ee6ef831004a6c004a4612e2c6fe6fd025e4ca

SHA512
c2d0e3d5a204bd8d9928182fdecc3f922a295149e7f2e1d3f830160575c4efcba9ce4bb78c5b89ea7fa5d5f5e9c71f27eb1cd3885dccba2092450ae2a196e372

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
81KB

MD5
223011be1e9d351566883178f03b12f4

SHA1
37901fffc0fbc5658f2c35722349e3ff5798cd3f

SHA256
ab478aee23c2094d633018b16c04502f2b79e8d38e5556ec0eee9b9e6a2f09d4

SHA512
a9d2d596ad744a84174157118300aea978431819c88f454ffc2956af4ea2e778e9e67f1ae0bd1ad0e6292b9b01265e4607e41ff79910fea3d802d65a040ec21f

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
81KB

MD5
3b91ae007b044c36c1d2b846352cb5e4

SHA1
0806366b500bfe07266fa8af9a01ede2afcea730

SHA256
5115437e5d42e6602141b90e70280e304cddbe0c4eb46a5df3648a28ce5bc73e

SHA512
445850f4c59676213cce1fe10f1a06c3dfd13992b5bd5128b329f3adeb3f27ea928cd697924642a75f2208ff3eac2a2b4f6305f8ed8a6223fd2ded01e951fb72

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
81KB

MD5
6ebe6a765953b36a83724c15792c863a

SHA1
864664e6e15b4ae08382427ca40c3c7946d07f01

SHA256
aa3c8a814e29b92ea4e4a1f99b5bfb0a4f193147726dfb7f507130b4aa65bfe8

SHA512
b2729e684065cf4115e2fad4bb9cc3f8a7c55016112558f6374bd697fefd3c2c4fb9944fdcd1b3253d17f45383218241703783241ebe8ccbd97e7b368ad408ba

Download Submit
memory/1056-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1704-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads