277f6b6103c13d6ebe7dea850c3719252665f461d91868aca153bfd6e312b071

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
Size

300KB
MD5

c256aa59c12f9d9c6fe8c38fca8d0a10
SHA1

10673693b77e58a4bcf6c0ac741f11e6e03d6abb
SHA256

277f6b6103c13d6ebe7dea850c3719252665f461d91868aca153bfd6e312b071
SHA512

4868bc80c3b692da0cc96d96ab132e51c35543d41bb503d4f5df1269399c79ceb5f3e4a364995e55965140101816a8b6fa91733e2c9ad731b199d36be411632a
SSDEEP

6144:KCaeoS7M0055tT7B9mo436zthGEU5tT7B9mo43N:t65tHKo4othW5tHKo4d

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmddihfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apngjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgqie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmddihfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhlikpf.exe

Executes dropped EXE 30 IoCs

pid	Process
1784	Pbbgicnd.exe
3708	Pilpfm32.exe
600	Pecpknke.exe
1444	Pmjhlklg.exe
4376	Pokanf32.exe
4816	Piceflpi.exe
4880	Pbljoafi.exe
3484	Qkdohg32.exe
720	Qelcamcj.exe
4272	Qkfkng32.exe
1204	Akihcfid.exe
3488	Abcppq32.exe
3676	Apgqie32.exe
3452	Aioebj32.exe
1064	Abgjkpll.exe
3780	Apngjd32.exe
724	Bldgoeog.exe
3056	Bmddihfj.exe
1984	Bbalaoda.exe
748	Bimach32.exe
1788	Bedbhi32.exe
4484	Cbhbbn32.exe
2228	Cplckbmc.exe
4340	Cehlcikj.exe
4952	Cmbpjfij.exe
1104	Cdnelpod.exe
3984	Ddqbbo32.exe
4928	Ddcogo32.exe
2996	Dbhlikpf.exe
2160	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Mmccbngq.dll	Abcppq32.exe
File created	C:\Windows\SysWOW64\Ifgeebem.dll	Aioebj32.exe
File created	C:\Windows\SysWOW64\Bedbhi32.exe	Bimach32.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Pbljoafi.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Abgjkpll.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Idcdeb32.dll	Bmddihfj.exe
File created	C:\Windows\SysWOW64\Ddcogo32.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Lcoeiajc.dll	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Pokanf32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Apngjd32.exe	Abgjkpll.exe
File created	C:\Windows\SysWOW64\Ggiipk32.dll	Cmbpjfij.exe
File opened for modification	C:\Windows\SysWOW64\Pbljoafi.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Akihcfid.exe
File created	C:\Windows\SysWOW64\Ndfchkio.dll	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Cmbpjfij.exe	Cehlcikj.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Pecpknke.exe	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Bimach32.exe	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Kdogqi32.dll	Abgjkpll.exe
File opened for modification	C:\Windows\SysWOW64\Bedbhi32.exe	Bimach32.exe
File opened for modification	C:\Windows\SysWOW64\Piceflpi.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Abcppq32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Bldgoeog.exe	Apngjd32.exe
File created	C:\Windows\SysWOW64\Efiopa32.dll	Bimach32.exe
File created	C:\Windows\SysWOW64\Ibnoch32.dll	Bedbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pecpknke.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Apgqie32.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Mbgjlq32.dll	Bldgoeog.exe
File created	C:\Windows\SysWOW64\Cplckbmc.exe	Cbhbbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Cdnelpod.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Cbhbbn32.exe	Bedbhi32.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Abgjkpll.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Dmabgl32.dll	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Cplckbmc.exe	Cbhbbn32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Eflmkg32.dll	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
File created	C:\Windows\SysWOW64\Pilpfm32.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Cdnelpod.exe	Cmbpjfij.exe
File created	C:\Windows\SysWOW64\Cogcho32.dll	Pecpknke.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Apngjd32.exe	Abgjkpll.exe
File created	C:\Windows\SysWOW64\Icldmjph.dll	Apngjd32.exe
File created	C:\Windows\SysWOW64\Bbalaoda.exe	Bmddihfj.exe
File opened for modification	C:\Windows\SysWOW64\Bimach32.exe	Bbalaoda.exe
File created	C:\Windows\SysWOW64\Qelcamcj.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Aioebj32.exe	Apgqie32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Qkfkng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1656	2160	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbalaoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdnelpod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimach32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmddihfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cplckbmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcdeb32.dll"	Bmddihfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoch32.dll"	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgqie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgeebem.dll"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabgl32.dll"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piceflpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmddihfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efiopa32.dll"	Bimach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bimach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bimach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmddihfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll"	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icldmjph.dll"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piceflpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Pbljoafi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1784	4944	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe	88
PID 4944 wrote to memory of 1784	4944	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe	88
PID 4944 wrote to memory of 1784	4944	c256aa59c12f9d9c6fe8c38fca8d0a10N.exe	88
PID 1784 wrote to memory of 3708	1784	Pbbgicnd.exe	89
PID 1784 wrote to memory of 3708	1784	Pbbgicnd.exe	89
PID 1784 wrote to memory of 3708	1784	Pbbgicnd.exe	89
PID 3708 wrote to memory of 600	3708	Pilpfm32.exe	90
PID 3708 wrote to memory of 600	3708	Pilpfm32.exe	90
PID 3708 wrote to memory of 600	3708	Pilpfm32.exe	90
PID 600 wrote to memory of 1444	600	Pecpknke.exe	91
PID 600 wrote to memory of 1444	600	Pecpknke.exe	91
PID 600 wrote to memory of 1444	600	Pecpknke.exe	91
PID 1444 wrote to memory of 4376	1444	Pmjhlklg.exe	93
PID 1444 wrote to memory of 4376	1444	Pmjhlklg.exe	93
PID 1444 wrote to memory of 4376	1444	Pmjhlklg.exe	93
PID 4376 wrote to memory of 4816	4376	Pokanf32.exe	94
PID 4376 wrote to memory of 4816	4376	Pokanf32.exe	94
PID 4376 wrote to memory of 4816	4376	Pokanf32.exe	94
PID 4816 wrote to memory of 4880	4816	Piceflpi.exe	96
PID 4816 wrote to memory of 4880	4816	Piceflpi.exe	96
PID 4816 wrote to memory of 4880	4816	Piceflpi.exe	96
PID 4880 wrote to memory of 3484	4880	Pbljoafi.exe	98
PID 4880 wrote to memory of 3484	4880	Pbljoafi.exe	98
PID 4880 wrote to memory of 3484	4880	Pbljoafi.exe	98
PID 3484 wrote to memory of 720	3484	Qkdohg32.exe	99
PID 3484 wrote to memory of 720	3484	Qkdohg32.exe	99
PID 3484 wrote to memory of 720	3484	Qkdohg32.exe	99
PID 720 wrote to memory of 4272	720	Qelcamcj.exe	100
PID 720 wrote to memory of 4272	720	Qelcamcj.exe	100
PID 720 wrote to memory of 4272	720	Qelcamcj.exe	100
PID 4272 wrote to memory of 1204	4272	Qkfkng32.exe	101
PID 4272 wrote to memory of 1204	4272	Qkfkng32.exe	101
PID 4272 wrote to memory of 1204	4272	Qkfkng32.exe	101
PID 1204 wrote to memory of 3488	1204	Akihcfid.exe	102
PID 1204 wrote to memory of 3488	1204	Akihcfid.exe	102
PID 1204 wrote to memory of 3488	1204	Akihcfid.exe	102
PID 3488 wrote to memory of 3676	3488	Abcppq32.exe	103
PID 3488 wrote to memory of 3676	3488	Abcppq32.exe	103
PID 3488 wrote to memory of 3676	3488	Abcppq32.exe	103
PID 3676 wrote to memory of 3452	3676	Apgqie32.exe	104
PID 3676 wrote to memory of 3452	3676	Apgqie32.exe	104
PID 3676 wrote to memory of 3452	3676	Apgqie32.exe	104
PID 3452 wrote to memory of 1064	3452	Aioebj32.exe	105
PID 3452 wrote to memory of 1064	3452	Aioebj32.exe	105
PID 3452 wrote to memory of 1064	3452	Aioebj32.exe	105
PID 1064 wrote to memory of 3780	1064	Abgjkpll.exe	106
PID 1064 wrote to memory of 3780	1064	Abgjkpll.exe	106
PID 1064 wrote to memory of 3780	1064	Abgjkpll.exe	106
PID 3780 wrote to memory of 724	3780	Apngjd32.exe	107
PID 3780 wrote to memory of 724	3780	Apngjd32.exe	107
PID 3780 wrote to memory of 724	3780	Apngjd32.exe	107
PID 724 wrote to memory of 3056	724	Bldgoeog.exe	108
PID 724 wrote to memory of 3056	724	Bldgoeog.exe	108
PID 724 wrote to memory of 3056	724	Bldgoeog.exe	108
PID 3056 wrote to memory of 1984	3056	Bmddihfj.exe	109
PID 3056 wrote to memory of 1984	3056	Bmddihfj.exe	109
PID 3056 wrote to memory of 1984	3056	Bmddihfj.exe	109
PID 1984 wrote to memory of 748	1984	Bbalaoda.exe	110
PID 1984 wrote to memory of 748	1984	Bbalaoda.exe	110
PID 1984 wrote to memory of 748	1984	Bbalaoda.exe	110
PID 748 wrote to memory of 1788	748	Bimach32.exe	111
PID 748 wrote to memory of 1788	748	Bimach32.exe	111
PID 748 wrote to memory of 1788	748	Bimach32.exe	111
PID 1788 wrote to memory of 4484	1788	Bedbhi32.exe	112

C:\Users\Admin\AppData\Local\Temp\c256aa59c12f9d9c6fe8c38fca8d0a10N.exe
"C:\Users\Admin\AppData\Local\Temp\c256aa59c12f9d9c6fe8c38fca8d0a10N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\Pbbgicnd.exe
  C:\Windows\system32\Pbbgicnd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\Pilpfm32.exe
    C:\Windows\system32\Pilpfm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\SysWOW64\Pecpknke.exe
      C:\Windows\system32\Pecpknke.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 400
        32⤵
        Program crash
        
        PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2160 -ip 2160
1⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4300,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:8
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcppq32.exe

Filesize
300KB

MD5
08cce643e96bb07afd0cf4a3af85fe5d

SHA1
2fc8c24365606af555b246d33d0a570dbc8be280

SHA256
a0ec65dab077ea507ef848b8f2abbf5c5ba769922b807b1fd505d0bf0acbfefa

SHA512
69e9b4324a8783f458ee1a3102aa79fc376ffc3b6f27a1b710644508e5f4eaa1913014a46b445ce40823b8c207b4cc1b89ff37184e61ecaac3f35909bddde1ca

Download Submit
C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
300KB

MD5
6b9730a81a26c33cae6fa85dc55da13f

SHA1
c8bd79bb5c47fbafa490999177c775aeaeabf0ce

SHA256
24ab50e8645c39b915b346eefd18c8c122bea91b6981719ff71a8e714847340f

SHA512
191273bfe4910fb8d26b1836b8530b4fcb9d49e89222f4d3af259d4ddab50b253e71205bff08d2aa45ef708ee3c92962e85304891464968e5ac3a0d2c7ce6b81

Download Submit
C:\Windows\SysWOW64\Aioebj32.exe

Filesize
300KB

MD5
88165694931bb3b3da8b056a23a16dba

SHA1
5f3c9fbb8e25a9f281c59545be0ca70a73069e22

SHA256
a1c6dc3d860fe0c9f7c65f1d2332b2ae363474fd316cf0665c8d627059e6f3fc

SHA512
0d6b4450c3c7353680cc2820b25934f826e34977e0f7ecb0fdba54eea91f35d9637b787540060859d002fef6dcbbb51ca136328c7d977ce1fc033427e70dfdae

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
300KB

MD5
f8156b86be2d01a93dafdd70aaa4143e

SHA1
acc2ce1b817f51dbed8c54e081dd6662940a7d6c

SHA256
9f18b83bee8a247719e50fa563fd1b17f597b4251baa2e69d6721ff3e7787231

SHA512
e236bbd3d770a52c65caa1c4507745a1f8b54fc29f59ea23bb70ac3166943d673b8e6bfbb185a2053d486555df515018dca7de574439df3b7885aef4207ddabf

Download Submit
C:\Windows\SysWOW64\Apgqie32.exe

Filesize
300KB

MD5
5c463f3c1f67ee1d3f5907c4f614155d

SHA1
1c85f4c73a1cd7f5f9f745ea9d99e215e783f4e4

SHA256
5c8ca7704e87c06a3ff4e200d20eb97f4fbf2ffbecad34b48fd05946f0f04ed5

SHA512
bba5678164e368dc04ae15878f416f9cb866be0362e476120bea320c422937950eeb0dd9705ba4bf56495472a6afa81aeb89b96ad054d471d4c54c46481a9a98

Download Submit
C:\Windows\SysWOW64\Apngjd32.exe

Filesize
300KB

MD5
d301626c17ffd8b7fff4937c84e73ba1

SHA1
d265050db4ab61fb8bbb1d85378d71d8b6bce3c6

SHA256
80795a5cf0339acfeac3a513ad261cd950a4b019ec47536046fd1aa0c06ecbd5

SHA512
d157238568f5fe59bf4bfd5e4233b617602351eed83818c7abb134d9f46a15bccc3de0a4ae6cf8ea09f3d26ae5f56806ed4c6124db6bdaf471ec8e202975f0a1

Download Submit
C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
300KB

MD5
dbb2d00320f1d86b58cd7c31f7b83523

SHA1
ff373cc6442ad1dfb4efcd7d87b8e72df77b4f9b

SHA256
f1150a4ac16f5630c198d695b323e65e214cb6b83b21ac6c568b3ae6d766b717

SHA512
b45370adddf682869bf47e6f82c6b722ad36b4b6d268243c6e8c40c65cd360c830d7eae64491d5c5903035ac5941bfcc5126d20cc1c205c6d56d7265b19bff32

Download Submit
C:\Windows\SysWOW64\Bedbhi32.exe

Filesize
300KB

MD5
ca461eec6c3a9b332a724a67439f530b

SHA1
0b4fd230fa9480ed608eb646d0a5de30297906f6

SHA256
92b2406583505e77f0709489b58d97e52a18c7ce841f892babde5e542edbfd42

SHA512
4cb497a3a7e09dde3eeb9b234746a9ed69b0044a0406c66d677235681422b03c83fab0d18cf22acaa5d85a401b23348ffec901d30d985ae21371ddbd4177d8f3

Download Submit
C:\Windows\SysWOW64\Bimach32.exe

Filesize
300KB

MD5
c40a3649f419c104b9eb3516c64fce75

SHA1
e07d434a5fdc543503e96ff4706e24abc706edad

SHA256
2a9435a85f9d40a41cc508d6cc30d5f06ac26cd014c2bcb90e5acfd362bfbeaa

SHA512
391410ee3fb783a1ae47ea85f776e22852e54ea2bd6bd6171672f19c7adb3e8eff49a4bae7254356b24bc143c0003c69bf1771c5f976b28334b3473e759ea2dd

Download Submit
C:\Windows\SysWOW64\Bldgoeog.exe

Filesize
300KB

MD5
88bb3d5c400348717b0178f93828add1

SHA1
fa5186eea5f4dd6bfa28a1169ecebb6d54947985

SHA256
87d729f550cf8364705717179fe36ec2886f34a778632113f12080f392f8efc9

SHA512
cfd87269784a6cc5f26877f3ea81edcc95f4a3d9c4c1e397955333922fd57635a868434bbc4c7f3aed085c5550f2268d681b85f413968a3d08688d64291abfeb

Download Submit
C:\Windows\SysWOW64\Bmddihfj.exe

Filesize
300KB

MD5
4abe085e0c7a0434b78ead78d98da911

SHA1
888e2bb55a66f10b17fc8ccd7113fc4087b53cde

SHA256
91dee9560db8ffbc5843a2740cd259bbdb3dce7ebfbef1b85b85d64af7b45df5

SHA512
e3d78921dbbdf92ebbf9f33ebaf043af41e696cfef1694e7f662cbb0cc34fe53911552c144a1d22b9557fba05a182851708c1f5ea01c67d045821d783855cb34

Download Submit
C:\Windows\SysWOW64\Cbhbbn32.exe

Filesize
300KB

MD5
5d253eb3234fad5e5a8ea5847a4ac2a0

SHA1
c5b43ea8f333f2b493c18117ac7a50c131987a19

SHA256
74e621034458c806b89705dac74897707e60ae0ca0e331fccf8b2c2e8daaf19e

SHA512
d51356ae7159bda56d6f2cf99df6ce7c357efc05afc4b63efe3e0c113a0f1e7f35e637adc9b91b9ab2d1832c334d5a2a8eea3b11fbd3e9aa88e903e43dabefce

Download Submit
C:\Windows\SysWOW64\Cdnelpod.exe

Filesize
300KB

MD5
ba38f33d589c7311e8f4849e44771254

SHA1
bb28171ef8a4dddd9fbfb4460a9ddde22328302f

SHA256
8a97be4c0441904cc40d8964bb9438ee4b3a07ad61a73e5a8d2273916fb40541

SHA512
15df1f23424bef5e1994924533ce412ea5d245d17a7997b21145ceaaa2b7501a4b9bae44e4954ac2135cc5f89c9aad9a7ae6393407610cb2cd985def3f00f4d1

Download Submit
C:\Windows\SysWOW64\Cehlcikj.exe

Filesize
300KB

MD5
f862ac949cb2d4e2cb31af43d957a89d

SHA1
fa7efd519245dbb1961b609e501719945d1eba1e

SHA256
af5284b28eb651cadf2d6b4b8a66c2acc7b4a188265c1f884366065bcff29570

SHA512
78e727dee64f9718ac51b137675992872e104c8f481c626d96bce07f32eb1c65ebf28b5922f5f81863fb4f35b8f87395eb4c1d8d8662a7f3af00b5d5c1c60140

Download Submit
C:\Windows\SysWOW64\Cmbpjfij.exe

Filesize
300KB

MD5
6da00703b8f03b6fe4fbb399352f4a77

SHA1
8ca34b56898d48b3119492678e5b6273d42ec43a

SHA256
a4cf8c4a436c22d9fe707430be4c42427674a293fea2942d9e733819b3ca6d90

SHA512
e9a29a7a71d0ad261692d4003cd41307ab187cb5fc33472907f775714085e8944fd6578025f672686c4f614e41152a41672ce433808ed02516b7c0cd284d3fb6

Download Submit
C:\Windows\SysWOW64\Cplckbmc.exe

Filesize
300KB

MD5
f9aad9e29aa0d464357269c749bb65b0

SHA1
e019bd49893f86f71db0035fb868cac54b82453d

SHA256
8e38c164daba09da5dc3e5c39c8ddcf3102e01279cc068532387f17472e828b1

SHA512
5513575d4ca8e098209da9ec8e830f3522a8b52d4f077f0ecbbe74edbf4a826778d47b00d50f5d4e92fbf0b169a9f4fddf2810cab0ac38d953e62be11a107d50

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
300KB

MD5
845a79f1da9e480ee2f888fa64442529

SHA1
7670e7f05909e10efc61f227c56819e54935cbf2

SHA256
9e135f9b657fe901f2f4da5bca28d1860584ac1d87e456ea5fd844418573936e

SHA512
212d2adc79fd0d07c49e57191925105c3c35ded93637867aa245a878295c9318dcd5caf8f8c98cf7c468b96fbaad00851346c006b07025e3c247b8ec2816f596

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
300KB

MD5
1f4f1bad3483eee99306afe1799a62b1

SHA1
c274f72fb89fadbf741c73559677a1ff6bf3ca44

SHA256
3c4da73e2eb8e39aa0be21d4a5ccaff58f210a31df7f86c0f3926139475e16a8

SHA512
dae9166d95eb31d7c4f261e9be70f99cd714c5541d40224120f720b4e7903004c4100fdc8550511aeeb40be183be942821e46bc11f727cd677e6d6e6df24cdee

Download Submit
C:\Windows\SysWOW64\Ddcogo32.exe

Filesize
300KB

MD5
a316e39dd06f587753a0a8ebb860a039

SHA1
c2fae6f76470d9df84b86a3744265e6807f1b69e

SHA256
4a875bd70f7e1351ed1895212d70e556ee3474f8e011f4ffbe66d6972bb66467

SHA512
25322b906fc5f933ba30e52fd903f0db24119cf85f0b69812559d1d0f748559a1809b92569541edd5ea8b1800de90de5f3a3755c5e934a1b34ecbac6b8611bdd

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
300KB

MD5
927d38157186e371b611e2572f80a2ad

SHA1
d3317882512754833cb804170d579d33375bbc20

SHA256
ee4d62345f0acec330dab4c2fb12df0e47030a23d05146d6ea1c546ce3a020b3

SHA512
f2021b6598f7b3d9ec20aa7331e390590ee645f3d53d8f837de97d82c9168c2c9b823e78446b80422e05efe7fab04ac62adcd1620858f84d5e5eeb46a2dc8f9a

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
300KB

MD5
4d77ed2912faf3a8640d78bbe402c6bd

SHA1
29b92272b691340159c25c6fc5931c89b015335e

SHA256
54389e9b707c8c0ac92b8a542eddf1dbf3cd68134c836bb7c75f641d361ec7a1

SHA512
17a9bc3af694e67bc68a73ca1dc02b9bbb9e3d46cbf1304f4bf61b69b23441e0c98aa2c042fbd72cebff528cd0b281628fd1f2e228ccbc6b9fd527227626b1eb

Download Submit
C:\Windows\SysWOW64\Pbljoafi.exe

Filesize
300KB

MD5
0d090464a84ac1db6cd04039cad71ee1

SHA1
ccd23fee2a1051ce337340f1f3bb14434761ac4f

SHA256
69c86a04bef0dcf4003b8575706039fb212cc922e5806c980c06a59a286e229b

SHA512
a23e246544bb2d5a1509bb8cf4ddf744e809d71f8aba9b97bd2c6224723081a097b0a7aa0344f73de879683390f004125d9befcbae8651621730e2181b02c106

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
300KB

MD5
32df3d909e450e59b86582254c7600ed

SHA1
b798aa425b8facad2b999dd871b5f5474ca4a343

SHA256
6b8dd3292445c20a8475b1a1f273f8bc5e0a84e4e3cb1dae743d170804af9058

SHA512
28b893d0e8282e8e504fbffd85053131e60cefdc3cfcb675ddb21f9307b2b0e07429104c4f8b9176241840495b235b1049333ba41ea41fe505eb13f9797378f4

Download Submit
C:\Windows\SysWOW64\Piceflpi.exe

Filesize
300KB

MD5
c8a15bf8c28bcd4cb63c0ec3a54d6856

SHA1
46f94e4a83c206f31f7d81d0d1d564c125aef669

SHA256
08cb32dfb7fe4de33120f37712d3c5e7a918ef0b5bfef58baa2dcec038c367d7

SHA512
db0cbe3de0a6b8b1b5aaf3ac745d8b7a624fa79dbb7848b7826ba515f5afae9454e67830deea76eaa6dad4ef34b87491e0f0dd4af365a1a9451a53dc33ac1220

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
300KB

MD5
78559314f9596d1d903f7361f49c3f0d

SHA1
9550e0ca90d855faaaed6b6db0598ee1ab820ad9

SHA256
efbc8860275f7de38f9fb94d499f068d1745d5d36872a34f7bd12b7e7e6a6cb7

SHA512
a2183b021322024d82c852432e8750809025f062fed882d5f1b0ce1d50b4c5785a047e58df896ed2bd109a18462637b145f5ba538a68ea3fd8a59a73c6b17647

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
300KB

MD5
db02ffde39fd78b6bcd6f1e22ab2332a

SHA1
6ca4c71f42ea8b1c87efbb0868008bbf08c2eaa5

SHA256
080dd629e5fe7f425004eb9ba1d345266a0922ab1baf18ece7fa1555ef91500c

SHA512
927e00f59092672d7921283a70a3fc4e9f09254015fdab1324e5ddba9bbb00074f21de2f252746f73f4e122623a66a62e0e2d1c0cf196617779ffb829816515a

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
300KB

MD5
f6fddca726472bba8519ff46ca697fa7

SHA1
5308dc2b3ea2872415a0d1220e9d036de178d8f2

SHA256
e6ebe35bb570846383713419ebc3f1349ff94d5f4dab185f694bf90da9f30e8e

SHA512
10c29aca94b764ae3f3f436a880ba3eb2eb1dc019f5600681d702740fdc20139eea838c4c27eddfa3ad4eb748d8eb5d576c3946aae21695ec133cde29aa5da75

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
300KB

MD5
35930870f7eb8016f9a8057896f1e8fc

SHA1
845285ff58c151b986afca3bae1d29497c47eb8d

SHA256
dc562ae5c8b2550d08c6d9c2a3e7a0e3aee91fbe5ed1fea584eb03025b0f9373

SHA512
4b1825390c3a383da08948f4ca6070ca43917e75cfe641bb1377cc6bdb1da7b4b5273f18a751cf598579e18465471772743994c3a05e06dbb7719f9abdf406aa

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
300KB

MD5
336d986ce67e72ff414f1ecdf050d3e1

SHA1
3a7883e8fb4feb535e350c18ec314ba869e44483

SHA256
eda5078e4b2af8e10d5f6c89a84cc9c3a5901bf13b87a4aa1a58ee7aa948191f

SHA512
ae90387dc29b115aa7e6b8565edb268e12682a8d9c3b84582c0a6b7d4f79b368118ea2bad999ef7f7284cb4ff1d5376374730923ecb8f9c410c4c25b3ee7e5c1

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
300KB

MD5
b4fa9af0f019619eb20f286c61fba9e8

SHA1
4c55e650f77a7d8a2c674769c5632b92ece5e4f2

SHA256
b716b005f079a96b5493ae5ee01d2cc132d20ec23a8eb9c0e71ccbca01718f9b

SHA512
240b74218f4b4a72eb42873399ef96e5a3e09644d652a9373a0fe5b77197409ed7e2027bdc4ec7e507a4b43cd38bd604c705bf4670f29494897d63af12b2e4cc

Download Submit
memory/600-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/600-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3780-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3780-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads