6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321

Analysis

max time kernel
125s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
Size

465KB
MD5

c9ae0ddd684be1cef776b9fb5502ee6c
SHA1

9df81b569475866449a05d24e33c7cfa531447d0
SHA256

6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321
SHA512

136342cfc1833f6af2f41f7fefd6e66b07a1b77ca307c8707e734de8819ce7681e4b9989546dcb14717ddcda9360d1c860dc4d1aa53d20528b4d315f6f858a87
SSDEEP

6144:2qgF7K0qOILKpn/a5/VF5V4lKjIbvBhRJfzSf9x7N/I7b9M:RgF0O8S/WNLKlUmpRe94a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omaeem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooangh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bflham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjfqpji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcbeqaia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcbeqaia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpemkcck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acbmjcgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bflham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clijablo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbcignbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe

Executes dropped EXE 36 IoCs

pid	Process
2068	Okailj32.exe
3552	Ofgmib32.exe
4428	Omaeem32.exe
376	Obnnnc32.exe
1092	Ooangh32.exe
2296	Pcpgmf32.exe
4300	Pdqcenmg.exe
3612	Piolkm32.exe
3732	Pfbmdabh.exe
1044	Pfeijqqe.exe
3712	Pkabbgol.exe
4580	Qfgfpp32.exe
1592	Qfjcep32.exe
3548	Aflpkpjm.exe
1932	Acppddig.exe
2220	Acbmjcgd.exe
3968	Apimodmh.exe
2736	Abjfqpji.exe
4268	Bejobk32.exe
1612	Bfjllnnm.exe
4552	Bflham32.exe
1492	Bpemkcck.exe
3176	Bbcignbo.exe
4220	Bcbeqaia.exe
836	Cpifeb32.exe
3640	Cmmgof32.exe
768	Cmpcdfll.exe
972	Cekhihig.exe
228	Cdlhgpag.exe
932	Cpcila32.exe
312	Clijablo.exe
4232	Dinjjf32.exe
1356	Dipgpf32.exe
224	Dbhlikpf.exe
4040	Dlqpaafg.exe
3452	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpgmf32.exe	Ooangh32.exe
File opened for modification	C:\Windows\SysWOW64\Cpifeb32.exe	Bcbeqaia.exe
File created	C:\Windows\SysWOW64\Piolkm32.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Acbmjcgd.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Djbehfpe.dll	Cmpcdfll.exe
File created	C:\Windows\SysWOW64\Dinjjf32.exe	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Dipgpf32.exe	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Dlqpaafg.exe	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Pgoikbje.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Edjgidik.dll	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Cmpcdfll.exe	Cmmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Qfjcep32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Apimodmh.exe	Acbmjcgd.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Doklblnq.dll	Apimodmh.exe
File opened for modification	C:\Windows\SysWOW64\Bejobk32.exe	Abjfqpji.exe
File created	C:\Windows\SysWOW64\Bpemkcck.exe	Bflham32.exe
File opened for modification	C:\Windows\SysWOW64\Omaeem32.exe	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Oijflc32.dll	Ooangh32.exe
File created	C:\Windows\SysWOW64\Gkhikf32.dll	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Dggkcakg.dll	Acppddig.exe
File created	C:\Windows\SysWOW64\Fqkiecpd.dll	Acbmjcgd.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Mhinoa32.dll	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfjllnnm.exe	Bejobk32.exe
File opened for modification	C:\Windows\SysWOW64\Cekhihig.exe	Cmpcdfll.exe
File opened for modification	C:\Windows\SysWOW64\Bflham32.exe	Bfjllnnm.exe
File opened for modification	C:\Windows\SysWOW64\Bcbeqaia.exe	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Cpcila32.exe
File opened for modification	C:\Windows\SysWOW64\Pfeijqqe.exe	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Bejobk32.exe	Abjfqpji.exe
File opened for modification	C:\Windows\SysWOW64\Clijablo.exe	Cpcila32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dipgpf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pfeijqqe.exe
File opened for modification	C:\Windows\SysWOW64\Aflpkpjm.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Abjfqpji.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Omaeem32.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Bflham32.exe	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Apimodmh.exe	Acbmjcgd.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Omaeem32.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Okailj32.exe	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Cbhkkpon.dll	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1708	3452	WerFault.exe	127

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acbmjcgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omaeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqkiecpd.dll"	Acbmjcgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll"	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbehfpe.dll"	Cmpcdfll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooangh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Omaeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenlmopg.dll"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcbeqaia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjfqpji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmphbcbb.dll"	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhfaig32.dll"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acbmjcgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjgidik.dll"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll"	Clijablo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apimodmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbcignbo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2068	5068	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe	89
PID 5068 wrote to memory of 2068	5068	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe	89
PID 5068 wrote to memory of 2068	5068	6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe	89
PID 2068 wrote to memory of 3552	2068	Okailj32.exe	90
PID 2068 wrote to memory of 3552	2068	Okailj32.exe	90
PID 2068 wrote to memory of 3552	2068	Okailj32.exe	90
PID 3552 wrote to memory of 4428	3552	Ofgmib32.exe	91
PID 3552 wrote to memory of 4428	3552	Ofgmib32.exe	91
PID 3552 wrote to memory of 4428	3552	Ofgmib32.exe	91
PID 4428 wrote to memory of 376	4428	Omaeem32.exe	92
PID 4428 wrote to memory of 376	4428	Omaeem32.exe	92
PID 4428 wrote to memory of 376	4428	Omaeem32.exe	92
PID 376 wrote to memory of 1092	376	Obnnnc32.exe	93
PID 376 wrote to memory of 1092	376	Obnnnc32.exe	93
PID 376 wrote to memory of 1092	376	Obnnnc32.exe	93
PID 1092 wrote to memory of 2296	1092	Ooangh32.exe	94
PID 1092 wrote to memory of 2296	1092	Ooangh32.exe	94
PID 1092 wrote to memory of 2296	1092	Ooangh32.exe	94
PID 2296 wrote to memory of 4300	2296	Pcpgmf32.exe	95
PID 2296 wrote to memory of 4300	2296	Pcpgmf32.exe	95
PID 2296 wrote to memory of 4300	2296	Pcpgmf32.exe	95
PID 4300 wrote to memory of 3612	4300	Pdqcenmg.exe	97
PID 4300 wrote to memory of 3612	4300	Pdqcenmg.exe	97
PID 4300 wrote to memory of 3612	4300	Pdqcenmg.exe	97
PID 3612 wrote to memory of 3732	3612	Piolkm32.exe	99
PID 3612 wrote to memory of 3732	3612	Piolkm32.exe	99
PID 3612 wrote to memory of 3732	3612	Piolkm32.exe	99
PID 3732 wrote to memory of 1044	3732	Pfbmdabh.exe	100
PID 3732 wrote to memory of 1044	3732	Pfbmdabh.exe	100
PID 3732 wrote to memory of 1044	3732	Pfbmdabh.exe	100
PID 1044 wrote to memory of 3712	1044	Pfeijqqe.exe	101
PID 1044 wrote to memory of 3712	1044	Pfeijqqe.exe	101
PID 1044 wrote to memory of 3712	1044	Pfeijqqe.exe	101
PID 3712 wrote to memory of 4580	3712	Pkabbgol.exe	103
PID 3712 wrote to memory of 4580	3712	Pkabbgol.exe	103
PID 3712 wrote to memory of 4580	3712	Pkabbgol.exe	103
PID 4580 wrote to memory of 1592	4580	Qfgfpp32.exe	104
PID 4580 wrote to memory of 1592	4580	Qfgfpp32.exe	104
PID 4580 wrote to memory of 1592	4580	Qfgfpp32.exe	104
PID 1592 wrote to memory of 3548	1592	Qfjcep32.exe	105
PID 1592 wrote to memory of 3548	1592	Qfjcep32.exe	105
PID 1592 wrote to memory of 3548	1592	Qfjcep32.exe	105
PID 3548 wrote to memory of 1932	3548	Aflpkpjm.exe	106
PID 3548 wrote to memory of 1932	3548	Aflpkpjm.exe	106
PID 3548 wrote to memory of 1932	3548	Aflpkpjm.exe	106
PID 1932 wrote to memory of 2220	1932	Acppddig.exe	107
PID 1932 wrote to memory of 2220	1932	Acppddig.exe	107
PID 1932 wrote to memory of 2220	1932	Acppddig.exe	107
PID 2220 wrote to memory of 3968	2220	Acbmjcgd.exe	108
PID 2220 wrote to memory of 3968	2220	Acbmjcgd.exe	108
PID 2220 wrote to memory of 3968	2220	Acbmjcgd.exe	108
PID 3968 wrote to memory of 2736	3968	Apimodmh.exe	109
PID 3968 wrote to memory of 2736	3968	Apimodmh.exe	109
PID 3968 wrote to memory of 2736	3968	Apimodmh.exe	109
PID 2736 wrote to memory of 4268	2736	Abjfqpji.exe	110
PID 2736 wrote to memory of 4268	2736	Abjfqpji.exe	110
PID 2736 wrote to memory of 4268	2736	Abjfqpji.exe	110
PID 4268 wrote to memory of 1612	4268	Bejobk32.exe	111
PID 4268 wrote to memory of 1612	4268	Bejobk32.exe	111
PID 4268 wrote to memory of 1612	4268	Bejobk32.exe	111
PID 1612 wrote to memory of 4552	1612	Bfjllnnm.exe	112
PID 1612 wrote to memory of 4552	1612	Bfjllnnm.exe	112
PID 1612 wrote to memory of 4552	1612	Bfjllnnm.exe	112
PID 4552 wrote to memory of 1492	4552	Bflham32.exe	113

C:\Users\Admin\AppData\Local\Temp\6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe
"C:\Users\Admin\AppData\Local\Temp\6834912202cef24a4ec946dc4d65da404a20b0db99a0f695bdddc5afbefe6321.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\Okailj32.exe
  C:\Windows\system32\Okailj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\Ofgmib32.exe
    C:\Windows\system32\Ofgmib32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\Omaeem32.exe
      C:\Windows\system32\Omaeem32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Acbmjcgd.exe
        
        C:\Windows\system32\Acbmjcgd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        37⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 400
        38⤵
        Program crash
        
        PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452
1⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4272,i,6959856223548986108,4217696995639198458,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjfqpji.exe

Filesize
465KB

MD5
58e659b55a40cfbce305327ca8289787

SHA1
c18cef4391d4356126e781eae06675ff5b9f4537

SHA256
816b520be635daf31e2529fc271b8ef367a006a97ba29744944358b29dfb7826

SHA512
3cdb27593acb9c31b42b6bfff3357b577929016204b39d2633fd21000f16705c18453c73deca2cd8d03c5aa63f07c2b8f54407cb72c1e3d4c524e4f387d5d7f7

Download Submit
C:\Windows\SysWOW64\Acbmjcgd.exe

Filesize
465KB

MD5
986bdf5ad4582a2d79faebbd1f51eaa5

SHA1
09c7155c12a05d118273ac7d1c746ff9fbad5dbf

SHA256
4a827bd522238e5020a4034b0dc9e4a120bd5e96ddcff2bdcfb96d4cb2246e83

SHA512
ef0797e670138d04a8713c9daa73b4533f3ff77758073046ad3fee7e9ea42ceec7f22dbbbf006c0b7f719f69d7c87da1a81f389f0d41dac7269f4124c7fed5a3

Download Submit
C:\Windows\SysWOW64\Acppddig.exe

Filesize
465KB

MD5
82c62938540bbc839a058c30ccacbfc3

SHA1
a016df98b4f528cdc2e59a199f54766b1d58285b

SHA256
db7a0f00a4fa7d9e8a9308ff0fc5963ee86497fc5ef5d6e920cd53497f50c690

SHA512
85c4b92a46af06a1db227f00e40cbdeeeaaf4730ba9c43229e4787280c92c16ae53d0179078aa5e7d9f23e203e0fd1c303fcbf70b524a15e80d894a42ab600b2

Download Submit
C:\Windows\SysWOW64\Aflpkpjm.exe

Filesize
465KB

MD5
5c0305710d28823360a8e89dbbc56a2a

SHA1
0a31a35a118e7a492e04de56f446fe259241fe4b

SHA256
54e41691805f73a5feb817d6f77ed9f952fc260e3141e2a65c02a3391cb7c3c0

SHA512
7ad6a97cb586554ccf38bc97f5b0f9a2f606675099de095cdf3ef0f8929929d069885513f7f4ad0af09e99ddadc552f6234e4c482f1b2bf52ecb0e71de00822c

Download Submit
C:\Windows\SysWOW64\Apimodmh.exe

Filesize
465KB

MD5
ba8f5146e603d9a494bc99612ae83c6e

SHA1
fb673b8e1e1b7d7d01b693f11f21dfc553856466

SHA256
8ccd5b300bb576ea225ed60bf32086c2f68ba6ff455092e36f0864cf77f5d227

SHA512
f6b7244e6b73a68634ea485f8798d52877e29a2e2a9d5f8c749018a948c7d3dc9dca6fdd10ec398ebafc0b7702d303a679d749f69bc8af2228b8efe819f220a8

Download Submit
C:\Windows\SysWOW64\Bbcignbo.exe

Filesize
465KB

MD5
02402418cf980b316ba31aec926454b9

SHA1
c2af3021b7fe9cd420802140380a833c2ccb3d5d

SHA256
caa26c5ad14e9bb8fa4d3233b0ece788288c7a3c61425d18858591ae1d14aa11

SHA512
35bd1263681ba34472378cd8d9e0af96de309bfce4f5502569e54f1bcf7848fb9649ba2522df368f70ed800d2d476a1fc66cd517f990c44929d8ddad591c56f6

Download Submit
C:\Windows\SysWOW64\Bcbeqaia.exe

Filesize
465KB

MD5
1804140ebb3aa1f22ea2e81f31621f34

SHA1
bcd35e3a1c45b1898c3a44a2db97bd3a8f2bd383

SHA256
b54a3c086ec3afa3ba42dc81cdc41b1ee3e046998a5a407cacda3d80fa710050

SHA512
ed6b30437d6a9f8bb8088ba3af80ed16f064a6f7ee6afd9a8c6be6622d81a30800d9718765083b1cf5c47fdf042266652ce8929d61c156c00ac4fc70ff2aee2a

Download Submit
C:\Windows\SysWOW64\Bejobk32.exe

Filesize
465KB

MD5
f81eb2c4da7652726ef04a313308b169

SHA1
7cd5021b8f37f5a43dcfe9710bb2a6205d2f2056

SHA256
5a4e5e15cda10a06b43720ad63b56fbabfe75304fb2b7f2b0e26f4244aef7129

SHA512
4173cf39c6f7cf2094d524a68d3ef3893503b9cb0722e12170273f5e2cc32cf1b0056a448391beac5aeab9b60d46b3f56aca500b3e8048d0d95db4bb7a68bc30

Download Submit
C:\Windows\SysWOW64\Bfjllnnm.exe

Filesize
465KB

MD5
60f6447033277e487ada5a17b68705f4

SHA1
15589cf14b456cbc9c2349a55a4fc7c5f59bb105

SHA256
ae3eb5d730c3c22afdafcc2a48280171c863ab1276a75fdacc37bd0e225dad11

SHA512
73316bb4dfa3189e9492144aa364e5cc957d0a1d3b11b56812e37c480987b688e65c0d2d1f433a7ae5c3c31a4e8b3775b9f73591a79afb7405bed45c77517cdf

Download Submit
C:\Windows\SysWOW64\Bflham32.exe

Filesize
465KB

MD5
e58ea89f0063841ae273e114ab9b2276

SHA1
31c1dc439092fd4de80666d62f73cbc2d8a87810

SHA256
33bd7ca85a8d0bf8b86b56cbb7484eb3e529af91126d14a11b08f228ec5f98af

SHA512
8e84ee4d5d1a4fe6326aa68935dfba006e2f329659e121b692adb6d3205385562a38d9799865115920ff8620281015cadb4203c5dbe63a5497175e4ffb4ea06c

Download Submit
C:\Windows\SysWOW64\Bpemkcck.exe

Filesize
465KB

MD5
5eef15cc20d3718e304a451bf2eee721

SHA1
9b3897ee194931a7f17c2dec5479217146639ee6

SHA256
e2fac2f1d51c0ac55ae9ed5480f391ac7db06a726aad203338326ea5a9c9c025

SHA512
8b17685218beced50e9580ead50012fde1f9fef5358790e6af6733effd6156ba0497c0d8b1f08684ef255aeeecad18ddb6333099fb4d1c01282654540a2389c1

Download Submit
C:\Windows\SysWOW64\Cdlhgpag.exe

Filesize
465KB

MD5
3505a3af30be4375f8d4b2f094ffc3cf

SHA1
48d065e917f73d5bff0bae82c16e4a24a4157db5

SHA256
1d0247a3ee400fd1b1a491ed905c561f3d06bc48e8ec1d4ae2800d794277cac9

SHA512
a21ec1125b289edc37afda242c35c8b66481c43c92362824c5defa5ca2c48fa6cb827b9c26f1e313ec5239a08f8e4a2d34217c5b0dc2030cc516925c4032fad4

Download Submit
C:\Windows\SysWOW64\Cekhihig.exe

Filesize
465KB

MD5
4a609b97ca2ed6eade7063ab993edf00

SHA1
4ae9b04372b8637ce5b70d02720e5e522fdf83ff

SHA256
167a983fd230f1240910163a2a9f009e99c7c1926eb6b4b95775ec09559a24bb

SHA512
0a4610317f40b4061145d9d18389820753fb01b28430d819d1f596a114087e3445ddeee3951a1ecb37b89923f341d2da4bd34d2372e9c8fb708e7159d1eb6854

Download Submit
C:\Windows\SysWOW64\Clijablo.exe

Filesize
465KB

MD5
9ebfaa528e02436a841c3d699fbbb5d3

SHA1
ed2dfd5af10e1bc574dd7badbc3a653a39a7752a

SHA256
99fc37b3598609db8349761284600e8eb561ba62022aee819f5ef2ba0acc9fb7

SHA512
fee83a45f4dfe9793bcf4386b25a64df515bec1e9b6a81a805618566e418dfaa5a4809878b2a840d92ba399bc285226beebb60daf49eff2f275c411e67f34dfa

Download Submit
C:\Windows\SysWOW64\Cmmgof32.exe

Filesize
465KB

MD5
729a6eef22fd571113f30b290fbf89e5

SHA1
7b14e78d79d393e6cbabd3371cb9392e87f9108b

SHA256
7da84d980f3327573f5ec71065e428612149335df9825f4cdf43b6458d35a41f

SHA512
119143b0701790adefc1cf2ebdeb5a9611d53b61d18df5140a8d77211ef4b688ef6d2dc53061a5b5d60fca9f0db6af62573c963462bc4764876102fe893a143a

Download Submit
C:\Windows\SysWOW64\Cmpcdfll.exe

Filesize
465KB

MD5
2f92fc9b75b43ec5d349a6a74ea55535

SHA1
b4cdf03a9a2ac7308f769a05cb41a65ff0d2a1ee

SHA256
8a8abc8c89050c689294c243e03e16813f0d1985720672657df8a7cb6e0d6a1e

SHA512
e02f87360c442ddc5e144653c41160a9b81622a0ec1ac61978fef9e8a08b6fd40c2bf7978885fbe9cc5fc240214b20eaf555c4f1485ef0630c79782f58c1b420

Download Submit
C:\Windows\SysWOW64\Cpcila32.exe

Filesize
465KB

MD5
f6de22d520dae1b3b1f0f2d29470633a

SHA1
8935ea983162177f48cacab175c5329ef8b6f3f3

SHA256
5b42feb9770a5a2ef3eb33eb0dc6b8dbc1a268561397b973cd61a31db5463148

SHA512
913bebae99e765c02d235808542a7a4720d3d3c45c98b0d9c1b9b695f020c12a4a5a27d79d4e59212e1e7d2a9bb6830e086ffdbb4b95a1fbba0fba75f3e679c1

Download Submit
C:\Windows\SysWOW64\Cpifeb32.exe

Filesize
465KB

MD5
65ea5aa27da30f308dcee206cfa06fea

SHA1
b3e8ceb4508455f8565d99a70fadf97fa31ada96

SHA256
301102cb53c0897891f1a17a0703c709a9ea133343cdeccbbc139d67f2532b70

SHA512
059ecc688aeb66341b12279082708ac179b9c8655d95aa90eff2248671d46e0523c6de0d3e41e3d534849f45878c68fa04f6c8be3a415d09dd4761e84c80a24c

Download Submit
C:\Windows\SysWOW64\Dinjjf32.exe

Filesize
465KB

MD5
ebd610927a2a51b536c2767320425c69

SHA1
2951d2cd115dea5d3958aed1afc0f50450a2eb08

SHA256
ed023cb08735916f05d23968504af0ad06b9bd13bc11a37a9ca9078bf962a9c0

SHA512
45147bf6f64d7cab433aa3ec43352a41b7f2a51dba6c5f0af31e87688bdea731dc3f5508926b8bcacf701da8d1ecb9b910f5a77c40f4fc5f88c646843c348227

Download Submit
C:\Windows\SysWOW64\Dlqpaafg.exe

Filesize
465KB

MD5
429c4e479ad9186ba3417b92ba878f5c

SHA1
816b2d162b734ad6a22790536072ac5bb8b3fb8e

SHA256
a734e25db8cbe0776b008201366a6736d52d88091a81e7c323bf6b6fe5536b1a

SHA512
7cbf2ad0ad32248174b574672b27c1c029a207e00f9727647cb1aa9aeccc59fad3e07a516022d8c41c4dd882e8a225654b160b3a8c368dc24eb2dc0bd8ba5b8c

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
465KB

MD5
4e87b667ccf4fb7017b72a66acd5e12f

SHA1
e74a191174f9048070a54e64b48283a5de1c27a7

SHA256
1dee43a01d23d4084e611b80313f2feeeca073039ae8309c666c65b4c1a01633

SHA512
d7ee6d961a3b8c6ca1c182f2cf95cc7f1af29472f74337b1ed7b861fba4802f16ed177ff50e21023f9ca4bfc00cfb0dea1319675b83acbfdff1607fe5e114196

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
465KB

MD5
24afcc6926edd72d4772afe2ca975fa3

SHA1
e15a8d0423de4808b3f9ce27f0365a3498d38864

SHA256
fc085f5be0e96fb6b1b90a4a3ef6ca2c37b541ffbd5e7f31db7127a541822934

SHA512
eb373a3fb1f860992341213919b2b4d38c9fc6c30277930a2c433fa80b9de95323c67803dfc1a5f199c3a8cf942cd98b200fb56fde89808490acf30f75f8a237

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
465KB

MD5
140deb46ff7aa9774738b409696212f3

SHA1
0f8f974e13e811233cbfec01212509f1e75fc95b

SHA256
e9f09eaf398ebdabfc2a90480f70671ed6965cc6347742725baa6d3cbd03c1cd

SHA512
963494b0a0a3de71d40e3ad1cfe48785e92724c97569dd44da2d35054804e53bcbf825c22208f2aac09ca76810c4f9a81fa37b85a4109a310325b7e3d7a9c046

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
465KB

MD5
f0b3525532ee9456f3492d231a8a50f1

SHA1
864f5c004ee1a0d22c681f9c4434554c36778fed

SHA256
bfca1a67cdb597545a3980acd7a5d82e1f0658159c25c25d51ca751840f2d6c5

SHA512
3265914155aacccb303d9f5e6f1ba3053dd71f0a44f18cfac6f992d332c904ee19f89342dc8669ee02c172e71713511fb960a9f55afa255ce4347828ee688928

Download Submit
C:\Windows\SysWOW64\Ooangh32.exe

Filesize
465KB

MD5
8a953ef78e35c791b4a6fa1d5a6447bd

SHA1
d6fd9462819a6e01c35ca0b89fe6e906144e6e7a

SHA256
8a7bb802a5c87dc5d3b492a1aa6a31f291b5bcb5f3a505a4d85c5854118ee2d5

SHA512
6271091b87b253acc9b584a96ddd5df56f1019f1cb3e359bd3cfdc87e32b693a08eba4bf1be45cd206f7a8dcbba2f8c0af1621e4492b829362264f19df24b507

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
465KB

MD5
d675b84a066d157263e9af439ff7ec6e

SHA1
0220512431bea21e04c5b1a2ffa8aabad46d64e1

SHA256
b7254c2d0f301344ab52eed2e53fd7be7ce2e4735c5b1fc14be1c63b3977c57d

SHA512
2127d7dd308b9f4c0978091ac8a841ceb059936132fb401f94d9b034176379983a3ed5571ef85d9369c23fc0a5406207191d0ae86684d1e636713afc9a76193d

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
465KB

MD5
d6cc64e06591faf4bd7325ba32a49731

SHA1
67ab58fe1fc8225d2ec89847898078b1074aa2fd

SHA256
b8e649707524c967c4f588cf7e5dd38e020296c666d081b5ee323a994d9e5998

SHA512
ca7731256fdec374d835339fd4924660df5fc83bd252340bbf899d6a4c112dda7f64aff704f3473d378ccc008ac8ebbbce4ecc1ab4ab2a2e96dcb7b44bb0cf16

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
465KB

MD5
99c2b7670a32638feea266e604aaee38

SHA1
110c1c7c86757cbe925dfd8cf3aa3697d5d4b70e

SHA256
6dacb320135ebb5e056869d4cc48eca68dbe060cf245def67e16a4d39f3de616

SHA512
9fadcae551061d1f668dc270a1393cafaf73de77e45a6f234fe4804bfc4b4aff95f191de490b6a7d1329d5f0f2e13798619bbb22a8f1766db3246caff4af0fcc

Download Submit
C:\Windows\SysWOW64\Pfeijqqe.exe

Filesize
465KB

MD5
8b0211033a13a7dfe5dec110354ada2d

SHA1
9a18f0d31f94a0a44d049866bb024b5690a5b4e9

SHA256
845ea463eec6fb0d10d45400b34d8c1bdabc93b4ba8cd5adfa580ec027de6311

SHA512
02c8c48789a80d866b0c32408d8ee2976557df5f938ba1cf5be903bf0171d0933204b3c10b1dbce7b787864405b6a5b71c80c448fb2380c0617b70973a61ca19

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
465KB

MD5
196b2b372377ca3dda36143b5aa80bb2

SHA1
985f92f09921dfb9d1c4b6b3a659b151190741d0

SHA256
bdc0e50c8e07cd97c81d3eef4e693324ded4e0fbdae7b770f3add6cbbca90864

SHA512
364a209c060bb7528e73efca6115b03eccf626418a7f9d175737f96e45e2fe82dab1f4afc8edcc4ca1bd672a3fd8863544f4e4ca589003f68be148f285a574ad

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
465KB

MD5
96cc6c697add5c3171a5bdbf624c6b45

SHA1
2b6171f00c788c89bc4077a8fba6a6985925f494

SHA256
b9470319948aec3a8918324c4745069189b69fb448002e049ef6b889b389c4af

SHA512
e7341905b6a745751d51ca9e5b34c1138293001538beb903481a7ce7a4d7fba75a1227f8549ef6e1a42afee1ad664167b157231276d41964bc6da75989f910d4

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
465KB

MD5
c7f204c8e9f16c8208e42c6c745ab070

SHA1
4140b44f9720775abb0012aad253e32c9268ae64

SHA256
5a7793ad7178868de066508bcb8b6d231dcd2b2bdc20929e6cb5eea3c6c1af8e

SHA512
d6fffd18e71a8cc3a82ab4691c4a0b544bb419d74bb3eb87bc226280d8a73d9f6cbae6633b54c60847cb1f903be501cadaed8bbbc6ad0752af951dfce30fa578

Download Submit
C:\Windows\SysWOW64\Qfjcep32.exe

Filesize
465KB

MD5
9ff878c6fab773dd2410f35c0f23f7df

SHA1
f70529291cb69ef665689ab7ea2933aa985d8853

SHA256
f59675b52f67f42414606c38b5f8502f633e8d5cfb3696cfa492a22e862e8621

SHA512
44e448c23302b6ef3f7b64edc257a885942f5063555105daf5f8b5f5efbc13082bf5110a03015de89ea33db1846454b4127ee557e6d886dc7888be4b2334eda4

Download Submit
memory/224-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/312-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/312-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/376-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3612-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4040-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-337-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads