cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Size

844KB
MD5

947dfdc0c9f27b0f86b1b42c421430c6
SHA1

bf477fd4de1ac5b459c3520f5898d3a64d2d045d
SHA256

cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8
SHA512

d6fe6406c29a57f5abd12b0d531e0ee518cdc33217887339a9ffb5e3b63d58ab0aa0f941fcfaf9d209189640a3e1b4c43cc7aed954326c77c180d6af543ad7ec
SSDEEP

24576:VH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:VH5W3TbQihw+cdX2x46uhqllMi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apddce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe

Executes dropped EXE 35 IoCs

pid	Process
3308	Ofbdncaj.exe
1812	Okailj32.exe
392	Oooaah32.exe
3540	Ofijnbkb.exe
2036	Pmhkflnj.exe
228	Pcbdcf32.exe
3168	Piolkm32.exe
1288	Pmjhlklg.exe
1212	Poidhg32.exe
1536	Pbgqdb32.exe
2464	Pfbmdabh.exe
4328	Piaiqlak.exe
700	Pkoemhao.exe
1172	Pcfmneaa.exe
112	Pbimjb32.exe
3944	Pehjfm32.exe
2140	Piceflpi.exe
916	Pkabbgol.exe
1900	Pomncfge.exe
3340	Pbljoafi.exe
4588	Qejfkmem.exe
2296	Qmanljfo.exe
4828	Qkdohg32.exe
1052	Qckfid32.exe
3832	Qfjcep32.exe
2272	Qihoak32.exe
4356	Qkfkng32.exe
3520	Qcncodki.exe
2624	Aflpkpjm.exe
3296	Aijlgkjq.exe
2720	Amfhgj32.exe
3500	Apddce32.exe
1012	Abcppq32.exe
3232	Aealll32.exe
1464	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pbljoafi.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Aealll32.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Piolkm32.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Pcfmneaa.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Qejfkmem.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Pmhkflnj.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Poidhg32.exe	Pmjhlklg.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Aflpkpjm.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Poidhg32.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Abcppq32.exe	Apddce32.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Apddce32.exe
File created	C:\Windows\SysWOW64\Pbgqdb32.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Piaiqlak.exe	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Pehjfm32.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Pbimjb32.exe	Pcfmneaa.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Aflpkpjm.exe
File opened for modification	C:\Windows\SysWOW64\Aealll32.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Jknmpb32.dll	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Ofijnbkb.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qihoak32.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Fldqdebb.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Abcppq32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aealll32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Bllolf32.dll	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
File created	C:\Windows\SysWOW64\Fddogn32.dll	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Pkabbgol.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Qcncodki.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Mkbdql32.dll	Oooaah32.exe
File created	C:\Windows\SysWOW64\Knojng32.dll	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Kannaq32.dll	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Oenflo32.dll	Qejfkmem.exe
File opened for modification	C:\Windows\SysWOW64\Piaiqlak.exe	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Piceflpi.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Lgilmo32.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Oooaah32.exe	Okailj32.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Pbljoafi.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Abcppq32.exe	Apddce32.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll"	Poidhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllolf32.dll"	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggociklh.dll"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pomncfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmjhlklg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3308	2648	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe	90
PID 2648 wrote to memory of 3308	2648	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe	90
PID 2648 wrote to memory of 3308	2648	cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe	90
PID 3308 wrote to memory of 1812	3308	Ofbdncaj.exe	92
PID 3308 wrote to memory of 1812	3308	Ofbdncaj.exe	92
PID 3308 wrote to memory of 1812	3308	Ofbdncaj.exe	92
PID 1812 wrote to memory of 392	1812	Okailj32.exe	93
PID 1812 wrote to memory of 392	1812	Okailj32.exe	93
PID 1812 wrote to memory of 392	1812	Okailj32.exe	93
PID 392 wrote to memory of 3540	392	Oooaah32.exe	94
PID 392 wrote to memory of 3540	392	Oooaah32.exe	94
PID 392 wrote to memory of 3540	392	Oooaah32.exe	94
PID 3540 wrote to memory of 2036	3540	Ofijnbkb.exe	96
PID 3540 wrote to memory of 2036	3540	Ofijnbkb.exe	96
PID 3540 wrote to memory of 2036	3540	Ofijnbkb.exe	96
PID 2036 wrote to memory of 228	2036	Pmhkflnj.exe	97
PID 2036 wrote to memory of 228	2036	Pmhkflnj.exe	97
PID 2036 wrote to memory of 228	2036	Pmhkflnj.exe	97
PID 228 wrote to memory of 3168	228	Pcbdcf32.exe	99
PID 228 wrote to memory of 3168	228	Pcbdcf32.exe	99
PID 228 wrote to memory of 3168	228	Pcbdcf32.exe	99
PID 3168 wrote to memory of 1288	3168	Piolkm32.exe	100
PID 3168 wrote to memory of 1288	3168	Piolkm32.exe	100
PID 3168 wrote to memory of 1288	3168	Piolkm32.exe	100
PID 1288 wrote to memory of 1212	1288	Pmjhlklg.exe	101
PID 1288 wrote to memory of 1212	1288	Pmjhlklg.exe	101
PID 1288 wrote to memory of 1212	1288	Pmjhlklg.exe	101
PID 1212 wrote to memory of 1536	1212	Poidhg32.exe	102
PID 1212 wrote to memory of 1536	1212	Poidhg32.exe	102
PID 1212 wrote to memory of 1536	1212	Poidhg32.exe	102
PID 1536 wrote to memory of 2464	1536	Pbgqdb32.exe	103
PID 1536 wrote to memory of 2464	1536	Pbgqdb32.exe	103
PID 1536 wrote to memory of 2464	1536	Pbgqdb32.exe	103
PID 2464 wrote to memory of 4328	2464	Pfbmdabh.exe	104
PID 2464 wrote to memory of 4328	2464	Pfbmdabh.exe	104
PID 2464 wrote to memory of 4328	2464	Pfbmdabh.exe	104
PID 4328 wrote to memory of 700	4328	Piaiqlak.exe	105
PID 4328 wrote to memory of 700	4328	Piaiqlak.exe	105
PID 4328 wrote to memory of 700	4328	Piaiqlak.exe	105
PID 700 wrote to memory of 1172	700	Pkoemhao.exe	106
PID 700 wrote to memory of 1172	700	Pkoemhao.exe	106
PID 700 wrote to memory of 1172	700	Pkoemhao.exe	106
PID 1172 wrote to memory of 112	1172	Pcfmneaa.exe	107
PID 1172 wrote to memory of 112	1172	Pcfmneaa.exe	107
PID 1172 wrote to memory of 112	1172	Pcfmneaa.exe	107
PID 112 wrote to memory of 3944	112	Pbimjb32.exe	108
PID 112 wrote to memory of 3944	112	Pbimjb32.exe	108
PID 112 wrote to memory of 3944	112	Pbimjb32.exe	108
PID 3944 wrote to memory of 2140	3944	Pehjfm32.exe	109
PID 3944 wrote to memory of 2140	3944	Pehjfm32.exe	109
PID 3944 wrote to memory of 2140	3944	Pehjfm32.exe	109
PID 2140 wrote to memory of 916	2140	Piceflpi.exe	110
PID 2140 wrote to memory of 916	2140	Piceflpi.exe	110
PID 2140 wrote to memory of 916	2140	Piceflpi.exe	110
PID 916 wrote to memory of 1900	916	Pkabbgol.exe	111
PID 916 wrote to memory of 1900	916	Pkabbgol.exe	111
PID 916 wrote to memory of 1900	916	Pkabbgol.exe	111
PID 1900 wrote to memory of 3340	1900	Pomncfge.exe	112
PID 1900 wrote to memory of 3340	1900	Pomncfge.exe	112
PID 1900 wrote to memory of 3340	1900	Pomncfge.exe	112
PID 3340 wrote to memory of 4588	3340	Pbljoafi.exe	113
PID 3340 wrote to memory of 4588	3340	Pbljoafi.exe	113
PID 3340 wrote to memory of 4588	3340	Pbljoafi.exe	113
PID 4588 wrote to memory of 2296	4588	Qejfkmem.exe	114

C:\Users\Admin\AppData\Local\Temp\cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe
"C:\Users\Admin\AppData\Local\Temp\cdc4a4381c5429aee3c609494b7f6e08c5ab985bcf1dc2f2802b91a8e073cad8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Ofbdncaj.exe
  C:\Windows\system32\Ofbdncaj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SysWOW64\Okailj32.exe
    C:\Windows\system32\Okailj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\Oooaah32.exe
      C:\Windows\system32\Oooaah32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aflpkpjm.exe

Filesize
844KB

MD5
5f7b24aac55212281769acf8f9b067a4

SHA1
ec8e071bfc678fa35b0c7ff3dbede67bf5c60da4

SHA256
8ac6d60a370343fea88583ea7a5607b6b104e6bed9cf1818ced4eafe73f55ffd

SHA512
be617f34e330d7af2b97f7bbad40b5776beb1e6f526db08afc8e75d2935bce29995e07719eae33108c9dd1923f1c4010f2d7b68bda99f2e5eef66ccd5f10bcd6

Download Submit
C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
844KB

MD5
d55e75bec99d7bdf61718f8709c13c8b

SHA1
346a1f424cdffe7e9f1e08b5b77c6954cad4fd7b

SHA256
14932e636f54d9e9e5cdc1b116228c3d886a03fff3c07dabbd1beb42be405e1a

SHA512
7d15de5a2e16c099cdcd0aab06ccf6322eb016d5ab7530956e6f255f2fb4b1787543fb78f188bbefab08fcc7dbbf0e6d8802dede23fb197a5304fc5accd189a8

Download Submit
C:\Windows\SysWOW64\Amfhgj32.exe

Filesize
844KB

MD5
96388580a7545b1ad2405b6918fde71c

SHA1
a1e3e4f2f6ece93c013053d70f41e66776acc5e4

SHA256
1c8ec7669dd929b5ec109413343c1711dfabbf74f5de8aa3ed17313f7dcb409d

SHA512
a17290fede5254c8ad06600537d9127d00d7aaa584d44007afe800f2589da9317772293fe2d9673adda122aa0672ae52683f04dee1a2b896fb5723492d3ccb44

Download Submit
C:\Windows\SysWOW64\Apddce32.exe

Filesize
844KB

MD5
cf1e7f6ab111831311b1950cce862540

SHA1
620f4ed10facb4d89e256db8090969b68cb3798d

SHA256
3acccb0a98efb0bdef999cc0d7a35ba47caf8992f6b12f2e92765dad62ae2e70

SHA512
7443151996efea910fe7dae7c3c99d068a45f33759d0c4a3348f96adf6b528ceb7660a340b59ac2af68743cc857714bdde98bbab97edaab540471c57e9c99672

Download Submit
C:\Windows\SysWOW64\Dlqgpnjq.dll

Filesize
7KB

MD5
46f229e7a0e9e21c1271a95dac5f73d3

SHA1
8fe3afdb7797298c4a757b3f0d83088d47653772

SHA256
319e5f77bb2e6bc3beed9368252074c237b48108835595f1e1e4b87e97a7fbe4

SHA512
98e85fef9266ccdc278d544ea0526975954b614503bee737a5fb06c810c91baf1b97c0dfb889a0fbd189c899c009bf58b4a2809afe87421d016312681e2f1f4c

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
844KB

MD5
7417a84efe17a21d6033498dccabb540

SHA1
8ceba2e1546be086ec1d32d21fa995dccb05a68d

SHA256
13696067cdf4c2e73b46bec11348aa129ccb13cda86211569ad23cac01417f39

SHA512
3b8a7bbe63b97788b7e13f802d881e99f6a15765984a029e88d4d7e18fffa181763f3e91df2085ef80b4ec50dc4e6ddaeb5e484f25e113e6bacd436b1574cb83

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
844KB

MD5
8185f9b30bc1a9bdfcd714a9a8bad46a

SHA1
d0f0132658e217c391c5687d74eded0100ed63cb

SHA256
3292c5a4ffb326d58c9fb4e10c7885ed51bbf028dda6fd4461a4f913fdaabcbc

SHA512
f45af1911a5b844bb00ede823add0addbc24e7e5365c27dd4dd372ad5f5b1064160d25ee03b82b58cd43f473ee30c03ef1d4627dde523b761c9d0f958d096f93

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
844KB

MD5
ec1c89ac7c69a20b330a19fad10ec709

SHA1
c81d08a4ab710c82dbea5185b31de8a7c9177dc1

SHA256
ff16bb27e2249d5a8554bb6b3579ef09e6afb0be3d25470785dd3a845cac3670

SHA512
2b21dd2e9a028e0c6935f4cb6d11d44e8895ff73499f0e8bf188dcad32c31de03061b66f362388f5aff7147f3b9daf8ef9e1027ff72df0fabad07532ebd3fbd7

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
844KB

MD5
5d7eb41a39448ed3d26b818da5874ddb

SHA1
8401066b07c12b7f1e05f09b3b47f1d7f0755e41

SHA256
8e425ddafad266f7fa1121f70976f5d410d2b4c88ed34bec92b5804121d9268d

SHA512
3ebbe7fbe471c0e4a0d6b5075c37ccb238d95b42803353d12880e69bef0399abf4dd356cfb9e51b2e7b9a22e7fe1ba2c8a9ff551a4e6747354f13f05e8ed6b24

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
844KB

MD5
19e8bc7a7685bfa8b5c5c63dc80e912a

SHA1
b037086e98f4a50841306cfe305c7a33ac1e0b7e

SHA256
811e88abe6e42351e29e2681515401f3cd675209e52aa01cf23db77b52b21d98

SHA512
8059f465d4808b9cc0c9d61686dcfcdd0a74a55d89e9a07cffd5fb6b40ca33a297498b4664fb455faa6d4354e83777b4c0b671c5129db1799d1790256f6baa56

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
844KB

MD5
6a0498af0d923789e8c036f950d16250

SHA1
48da1438f1400a8b036f9458a89066a971d9e832

SHA256
0864e1fe97084229137347704a277cba03f7267e24f7fb9b9098510fe42d05f1

SHA512
ac41dea3ee1ee04d7ee19f13a20f47770bb7947aecd659fe0064d9bf85b02201e41b649125e43bbaaa6253575e40414d912f6e834ac38a946051ad1d3321be8d

Download Submit
C:\Windows\SysWOW64\Pbljoafi.exe

Filesize
844KB

MD5
d1ebd119bc090c5909b672e265b59b40

SHA1
9c3bd410e4b90738d65cb7bdc0986cda9c5a4ac0

SHA256
4e4bc1e7b38e3d4eb6b7611da3274931c071d36ae45cf371a1712308156228e9

SHA512
bd5ed31fafd2199b2836187ca398926f64fc44a05d3d01acf6e205244c7f38a02e20aab7a34c343999b3486279e8da58d3a705999d61292b53e16ac5757ee84c

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
844KB

MD5
386ef13fda190fa1085a66d9ed320e49

SHA1
9042f6a575d40789323312bf0827481de29c224e

SHA256
6510ce37a0f0af9063e41f07b94cf03e0593479a389414d51000467e5f7d3b26

SHA512
d7ec736c5662100ee0bc34a1360d281c4ff2acba89839ae2f376d35e46dd100b7a6bcffcc47d260e02b759e1cc19dca0ec6f62d448ac9881bbb5fbfe0a2deca6

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
844KB

MD5
4620c5bfad6c42383029f4ae4669ab50

SHA1
8caf010b41d61115ddb774cb2ef70db1e7df2514

SHA256
80efc0caf468737e37c10fe5071268cb10c630d06bc09e4532eef3dc9da853ed

SHA512
565d564085be950c515f684ea34f640db3b4ae1eb340443eb64e8afa5074a3f3ee7eb66b21d64aad76eeb2d875dea6c2f2a83c1ca2c29fe1a8e4a6d324536000

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
844KB

MD5
df82ffc0c3b927a5ea2e699b3eaced0a

SHA1
f06928243aaac769073397a56e9f3a3e4e4afea8

SHA256
47abea717dd5105af20121d0030ce83e6394236a4df71cdef78d8f9989f7ee6d

SHA512
9db779449d96e598e3ddcd8a2c53bc490ab57750d47b396348c446d8ec59c10ce3ca4d2b6139970c5708b2f029e0224e701e43dda8fb97e5c007ab162ba2a2c4

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
844KB

MD5
4c95d6afd5a853621d18dac319208e66

SHA1
2904898934c7cd6cbec634d6a3bb93f18de7d9b0

SHA256
7cd6f410bf76f13a0b239c20ec3712864d8a84403ef1e240cc4abbf4d8774ac0

SHA512
6bc2749e22eccc5c2707f7b0a08c65951f90944b11d5ff013b0b60e01684e5d7e2d41d50b925506f5c4feb255ffddcbb50188048ff074b025782c5b7b1ff83e3

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
844KB

MD5
9dbcbfaaa76a2a72e55d7dd1da966cb7

SHA1
94007a40c79db67005ac12bdbdd284b319bf4568

SHA256
42cdc5cb935be425c5361714c5348751cbbbcb25ece98d7cddeefad7f81f2830

SHA512
483d15055a80a845e94552df0dc6fee976188039fc6cc9e8b70a2cc341da3c72a9ad75068461602ca2656bdc4b3a78090e2b385654b659160023d96b905278ff

Download Submit
C:\Windows\SysWOW64\Piceflpi.exe

Filesize
844KB

MD5
efb2301fd4203b0d31ab9c5a631bbeaf

SHA1
ce9c438161dd80a24e4c4362d77f4211b87fb0fb

SHA256
fa3d3105eba2673fdb3157a052c95f02e8d84fc6895eb1a42fe73d5c527d202f

SHA512
f13b1b08058fc56af66945db8fc7f4f1aa426d194045d9e09c8e3f13f5d2b6123fcf4098c3b382213a6043a2ba5b8b730388a34796c84ba2dc0cf160e81e084d

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
844KB

MD5
24e3cb78dd3c8a497044179a54094eb4

SHA1
f91b91fe8a5aabb52ea31eace0049332e58568b5

SHA256
88c707ace12093d0e6b17f982c13baccef8dc143c781b3f5b39716677e94cb26

SHA512
0f8e1da90299e26c1062f06dfa093232b89143a77edb6da09fa7a7af98023373d0a9a3922397f03f864f65aa8aafc7da17502198a36ae3caaf8fa4c76a014dca

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
844KB

MD5
13ad5fcb5d919369219a4d6e4239086c

SHA1
5985d51052c364b9c4586425c0038825f712fd34

SHA256
6e2a3f7a22c634b5d80781c860b2956d8ec4329fbc05f8b12b4c697610a02f53

SHA512
e53467584e45422c67df545074551b94c6528447ad1a632a17c2a79da0384301263bac195017ce14c50878d8f5fc3e36873d8234337292d710398dbd468a8f28

Download Submit
C:\Windows\SysWOW64\Pkoemhao.exe

Filesize
844KB

MD5
3a82314f1a10d8c6879c26581e0933d3

SHA1
f08cac2c2cdb7795129c38dd172114e6b05ce562

SHA256
965068264099b1c51325040fc65ba4b9a4e6fad3b978b38d376e052d8043b691

SHA512
f955a47ad37ca68d30d48aab0ccdf39320783f01078b6ab364d0cd7a1035c1e9a872d995318db83b9e0482bdf1586b04741fc870ac38cbc52cf73e1370f71693

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
844KB

MD5
4f2f05c5df28051a0aa69c667c331d7d

SHA1
03d569f83ccd4d5c5aaea8068c7f7fc0c7629254

SHA256
567d8aedc3ef70a66d423c13e05ed5e2c275d10c5442ece20686de5958f2ec63

SHA512
b8dce2eda76fcbc16d50cab5c452e7fa960a8b62b9f44d0fc742008f0ad6df5984b60cdbbf1d3d0818d7ea2a15bc10869db6d2b11e6f1725533b50c3e64a2a22

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
844KB

MD5
490ae7789fa08f78304c07a9637382c5

SHA1
0843744a49dff735a1bb6fd9391b5a25ab24973a

SHA256
2cefcc0ea6895409ce8e78c2d2d97b59fce061b7f705280c03a316d952203ba8

SHA512
7c860ec3b6e6db8e2a4ea04e53c9e12710b21e4e3b144b7a7564bb295e985563195eccfb8cecc6b682bb3a9403312bd44dc6b30540f561f94751482081dd59f8

Download Submit
C:\Windows\SysWOW64\Poidhg32.exe

Filesize
844KB

MD5
f4e918c4cb2d6cb5538168742ede4707

SHA1
b8066e6baf046644a9099d371f4efd1806d2f1d9

SHA256
bb718ab91913ccf4b9b8893b59fcbf596785c82245e035bb94ecce841c0a2622

SHA512
d7c6e7240e669c9d8daa4e75d099b1ec283f990b725e3a71262ca15025684bcc428a8dc2449a6bca6a569eae6cc0eb26dd0bf1e2faac3bee16af5f95387c896d

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
844KB

MD5
8aa2ec6014d5efa3f05a5bd63844f06b

SHA1
7f3828cf640cf3537dc996c563f12d5f36119d35

SHA256
648accaaec36585de492b7f223e17f8cfba469ff7b83d2fbc521b1aed371ad6f

SHA512
fbc7106bd05c6ee66101f9025600e42a75cf8f4da947239b04d3aaf51e8edd54b77e0818dd9a09d168e58bb84aff35443862bcdbb0f92bfa59589666e9046148

Download Submit
C:\Windows\SysWOW64\Qckfid32.exe

Filesize
844KB

MD5
6b6ce9771f58778c5172b7f090b01737

SHA1
041e75b7062d05bc1ba2a6ec1f3528072e365ca2

SHA256
25c2254a80767443b2ca29122d33d175934acf36e5c3fafe98e24b76216a79dc

SHA512
c6899cddf5b1becab9668b0bc781c0b383c09ab864356ee614759acd42a9383e6715942f7b688f4c16be311dc17c45691eb311d43dddf37906f62e6b014a2100

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
844KB

MD5
7ed747105f204f59c275f27896700562

SHA1
1b9ccc5722d4f9e4cf7b213bf7f635128c0ecec9

SHA256
db0418e4aa21540bfc1318dc7bd5157de62233351824ae628073d751f87a1ded

SHA512
2583c90bdae82dfdcb0a3cb919df2324cc4d9e8807a45e7be498e0a1200a58976a26b70343f42146d9aac3771b4d970712a912e1e2b06d8488b199a805b0ad56

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
844KB

MD5
8ccf2a7f4eaa556235ac6637056439ab

SHA1
06b60be9799d43ae6b3e1d4d0061b164228c56fb

SHA256
10d3cc9deff4b9375100d77e27d6838b6c01bbbe1e97d243c9b912d118d03b66

SHA512
a664ccfce1d5675fc785767c9af97a9db639b87713d90f660f0314f7e77c8d9bf323d33b245bfda129e9ff6c679939ff7b470a5ab27027a891fb46eb2e0a0335

Download Submit
C:\Windows\SysWOW64\Qfjcep32.exe

Filesize
844KB

MD5
7ea0adb43be54a73500b76b1868c9f0a

SHA1
5119f609547c14c8122ab3145e1fc0c7c9deaada

SHA256
03f419b23aace906bc5704b360e3277bbcf5bf8982b8e54db6678283b14e2800

SHA512
57cf5d1afd1f031ff435315e362a389c0f533cf3b42e41c952815abb6f4cf3f1425efebf8999f04cc0930f467eb6ca82769f1663d698e793bf6cc2c41a90717b

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
844KB

MD5
728ea795ca137fd172146763e9480399

SHA1
62ae1065858d4b090d5936c04968cf24258232a0

SHA256
1841a119fe4c22e6b89f14aeedd8f8081cd417f4c7ebc4cb61dd0afad5958563

SHA512
78598a0c4a24f13e13e38691895176b512c7709eb3243f1528e56d01815d60599932fc91c45b9a8db46b458a35a2f0bece70f7c8622731fb3d0f8ccc77118fc1

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
844KB

MD5
ad7135a8478f30ed5c778c55bd5fff5f

SHA1
dc53bc7bf905141cc3f67fc0b174fa27077ca511

SHA256
63f6b71c48314dbb4ebf2d27ca7ebe575618aa3045648b4b163987d05f779070

SHA512
3be5c6cb5d5abdcfe3262e88f52e41de57ebe7993fef2de6e51d9a6305d73262af7d266f3d9e300562b9c5d615f29347bad2705f94c71056413bad653ab5d8e6

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
844KB

MD5
0cf7f06541ac55a61e6b2c9216d22063

SHA1
127a7a668ea1f2ee9044bdcee52b55a4341001e2

SHA256
a9e4c87dff5480fab8c47bc11384d5c062e51671a9cf97c5cf032bd029c3bbee

SHA512
5fe36bcba7a8852b29aacb85637a7fcae3c5e682439d46442e7777a3b23ff497befdf6d137d7ae55547200849854ef38ea1c59b8078c2d60ae3d1d12407c5bac

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
844KB

MD5
3c654021bc7d19e721317e3f46fb56b7

SHA1
16df28d575f815dc681710437e08f27c2e9eff33

SHA256
62279896dd8c80acdfdd8ce555e7ddf2c7d976b08cef649cd6a0c608d8f2e3e5

SHA512
edd5f2118c44aeb86078e8275a7fa57610ba05f967591b65959f155ac6a66486817bbd2d38bcba03b2a24c5892e3ece35bdfe7b11a83a6c2074c1b5e987fc528

Download Submit
memory/112-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/228-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/228-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/700-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/916-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1052-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2140-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2272-265-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2624-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3520-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3832-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4588-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads