5dd47166f3c5f5a0243cbc7aba269b4ec485ff0e3a8221f99dfa2d2cb53cdc72

Analysis

max time kernel
115s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92335216df9225f18b1968da56b1dac0N.exe
Size

467KB
MD5

92335216df9225f18b1968da56b1dac0
SHA1

5bc62a311610366e9f1f21a445cd58e68c8e8f10
SHA256

5dd47166f3c5f5a0243cbc7aba269b4ec485ff0e3a8221f99dfa2d2cb53cdc72
SHA512

67f3f2fef9d3d035552baa9c9bbd86913a57ebac8ef1bacd7f7d0804b2de59271f4be8d28bf357160012b544fac4d416fe2549e1e5689201e014756585184cca
SSDEEP

12288:2Dyg1D2o8wE39uW8wESByvNv54B9f01ZmHByvNv5:5g1D2o8wDW8wQvr4B9f01ZmQvr

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apddce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	92335216df9225f18b1968da56b1dac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	92335216df9225f18b1968da56b1dac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcncodki.exe

Executes dropped EXE 36 IoCs

pid	Process
1192	Oomelheh.exe
3360	Ofgmib32.exe
4308	Okfbgiij.exe
2812	Ocmjhfjl.exe
2860	Oflfdbip.exe
2440	Piolkm32.exe
892	Pcdqhecd.exe
1620	Pfbmdabh.exe
780	Pmmeak32.exe
4864	Pokanf32.exe
2268	Pcfmneaa.exe
3308	Pfeijqqe.exe
5092	Pehjfm32.exe
3924	Pmoagk32.exe
1784	Pomncfge.exe
4112	Pcijce32.exe
1540	Qfgfpp32.exe
2516	Qejfkmem.exe
2448	Qmanljfo.exe
1084	Qkdohg32.exe
4404	Qppkhfec.exe
1724	Qbngeadf.exe
1952	Qfjcep32.exe
2256	Qelcamcj.exe
4416	Qmckbjdl.exe
468	Qkfkng32.exe
3548	Qcncodki.exe
596	Abpcja32.exe
2692	Aeopfl32.exe
3116	Aijlgkjq.exe
4224	Akihcfid.exe
1944	Apddce32.exe
2664	Acppddig.exe
1508	Afnlpohj.exe
380	Aealll32.exe
1316	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Piolkm32.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pokanf32.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Okfbgiij.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Piolkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Aealll32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Aealll32.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Kannaq32.dll	Pokanf32.exe
File created	C:\Windows\SysWOW64\Hkidlkmq.dll	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Bgcboj32.dll	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qelcamcj.exe
File opened for modification	C:\Windows\SysWOW64\Qejfkmem.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aealll32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Abpcja32.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Apddce32.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Aeopfl32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Pgoikbje.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Qmanljfo.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qppkhfec.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	92335216df9225f18b1968da56b1dac0N.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Cimhefgb.dll	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Odlpkg32.dll	Pcfmneaa.exe
File opened for modification	C:\Windows\SysWOW64\Aealll32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Pokanf32.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Haafdi32.dll	Pomncfge.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Abpcja32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Aeopfl32.exe	Abpcja32.exe
File opened for modification	C:\Windows\SysWOW64\Aeopfl32.exe	Abpcja32.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92335216df9225f18b1968da56b1dac0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	92335216df9225f18b1968da56b1dac0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggociklh.dll"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlpkg32.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	92335216df9225f18b1968da56b1dac0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	92335216df9225f18b1968da56b1dac0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1192	4804	92335216df9225f18b1968da56b1dac0N.exe	91
PID 4804 wrote to memory of 1192	4804	92335216df9225f18b1968da56b1dac0N.exe	91
PID 4804 wrote to memory of 1192	4804	92335216df9225f18b1968da56b1dac0N.exe	91
PID 1192 wrote to memory of 3360	1192	Oomelheh.exe	92
PID 1192 wrote to memory of 3360	1192	Oomelheh.exe	92
PID 1192 wrote to memory of 3360	1192	Oomelheh.exe	92
PID 3360 wrote to memory of 4308	3360	Ofgmib32.exe	93
PID 3360 wrote to memory of 4308	3360	Ofgmib32.exe	93
PID 3360 wrote to memory of 4308	3360	Ofgmib32.exe	93
PID 4308 wrote to memory of 2812	4308	Okfbgiij.exe	94
PID 4308 wrote to memory of 2812	4308	Okfbgiij.exe	94
PID 4308 wrote to memory of 2812	4308	Okfbgiij.exe	94
PID 2812 wrote to memory of 2860	2812	Ocmjhfjl.exe	95
PID 2812 wrote to memory of 2860	2812	Ocmjhfjl.exe	95
PID 2812 wrote to memory of 2860	2812	Ocmjhfjl.exe	95
PID 2860 wrote to memory of 2440	2860	Oflfdbip.exe	96
PID 2860 wrote to memory of 2440	2860	Oflfdbip.exe	96
PID 2860 wrote to memory of 2440	2860	Oflfdbip.exe	96
PID 2440 wrote to memory of 892	2440	Piolkm32.exe	97
PID 2440 wrote to memory of 892	2440	Piolkm32.exe	97
PID 2440 wrote to memory of 892	2440	Piolkm32.exe	97
PID 892 wrote to memory of 1620	892	Pcdqhecd.exe	99
PID 892 wrote to memory of 1620	892	Pcdqhecd.exe	99
PID 892 wrote to memory of 1620	892	Pcdqhecd.exe	99
PID 1620 wrote to memory of 780	1620	Pfbmdabh.exe	100
PID 1620 wrote to memory of 780	1620	Pfbmdabh.exe	100
PID 1620 wrote to memory of 780	1620	Pfbmdabh.exe	100
PID 780 wrote to memory of 4864	780	Pmmeak32.exe	101
PID 780 wrote to memory of 4864	780	Pmmeak32.exe	101
PID 780 wrote to memory of 4864	780	Pmmeak32.exe	101
PID 4864 wrote to memory of 2268	4864	Pokanf32.exe	102
PID 4864 wrote to memory of 2268	4864	Pokanf32.exe	102
PID 4864 wrote to memory of 2268	4864	Pokanf32.exe	102
PID 2268 wrote to memory of 3308	2268	Pcfmneaa.exe	103
PID 2268 wrote to memory of 3308	2268	Pcfmneaa.exe	103
PID 2268 wrote to memory of 3308	2268	Pcfmneaa.exe	103
PID 3308 wrote to memory of 5092	3308	Pfeijqqe.exe	104
PID 3308 wrote to memory of 5092	3308	Pfeijqqe.exe	104
PID 3308 wrote to memory of 5092	3308	Pfeijqqe.exe	104
PID 5092 wrote to memory of 3924	5092	Pehjfm32.exe	105
PID 5092 wrote to memory of 3924	5092	Pehjfm32.exe	105
PID 5092 wrote to memory of 3924	5092	Pehjfm32.exe	105
PID 3924 wrote to memory of 1784	3924	Pmoagk32.exe	106
PID 3924 wrote to memory of 1784	3924	Pmoagk32.exe	106
PID 3924 wrote to memory of 1784	3924	Pmoagk32.exe	106
PID 1784 wrote to memory of 4112	1784	Pomncfge.exe	107
PID 1784 wrote to memory of 4112	1784	Pomncfge.exe	107
PID 1784 wrote to memory of 4112	1784	Pomncfge.exe	107
PID 4112 wrote to memory of 1540	4112	Pcijce32.exe	108
PID 4112 wrote to memory of 1540	4112	Pcijce32.exe	108
PID 4112 wrote to memory of 1540	4112	Pcijce32.exe	108
PID 1540 wrote to memory of 2516	1540	Qfgfpp32.exe	109
PID 1540 wrote to memory of 2516	1540	Qfgfpp32.exe	109
PID 1540 wrote to memory of 2516	1540	Qfgfpp32.exe	109
PID 2516 wrote to memory of 2448	2516	Qejfkmem.exe	110
PID 2516 wrote to memory of 2448	2516	Qejfkmem.exe	110
PID 2516 wrote to memory of 2448	2516	Qejfkmem.exe	110
PID 2448 wrote to memory of 1084	2448	Qmanljfo.exe	111
PID 2448 wrote to memory of 1084	2448	Qmanljfo.exe	111
PID 2448 wrote to memory of 1084	2448	Qmanljfo.exe	111
PID 1084 wrote to memory of 4404	1084	Qkdohg32.exe	112
PID 1084 wrote to memory of 4404	1084	Qkdohg32.exe	112
PID 1084 wrote to memory of 4404	1084	Qkdohg32.exe	112
PID 4404 wrote to memory of 1724	4404	Qppkhfec.exe	113

C:\Users\Admin\AppData\Local\Temp\92335216df9225f18b1968da56b1dac0N.exe
"C:\Users\Admin\AppData\Local\Temp\92335216df9225f18b1968da56b1dac0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\Oomelheh.exe
  C:\Windows\system32\Oomelheh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\Ofgmib32.exe
    C:\Windows\system32\Ofgmib32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\SysWOW64\Okfbgiij.exe
      C:\Windows\system32\Okfbgiij.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=1048 /prefetch:8
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcja32.exe

Filesize
467KB

MD5
33fa8c393ae1731cb1ef88fdf9281b54

SHA1
5dbee456d40f54c7514602ce170e4cc0e4161f68

SHA256
577278fe9398b0e7eae99a2310ab3c8ce9d95eda63102a3745261690ef383681

SHA512
f586ab2c2241a4f31fc854ee70ce0fe15e7e351bd136a67d6b49319a6e2af4a8adaa5457c790609f9d5607f71705b3809a1828734853de57f36b9ed590d933c3

Download Submit
C:\Windows\SysWOW64\Aeopfl32.exe

Filesize
467KB

MD5
9f2fa81e5ef9d86c936e8bea34b9319d

SHA1
6455d1ca0c2b7e5caa40884c2b28b4b5bde32e09

SHA256
84bb5a79318a43712d9be4bd5819c5ec63b34d78226d96f04480ff0c7e9414b7

SHA512
de07bbc7e4836819c8aea663d70f904ce72e68823f4bc43851cad7bf8c5b6c9170b9b7f0d03149ed001c2b7ce8481ffe23feefcaa6d1b2dfcd21c2e230491fcd

Download Submit
C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
467KB

MD5
412f518584551ac5cec22fc0746533b6

SHA1
b5e18a161af7249d66cbe4a420a3f03054463730

SHA256
aaf9d4ee36a1cc09d30e4aa85ffda67c9ec8641d66856c15ba0cc8b38d40280e

SHA512
7a1b4b7a65b7274dae9b802b5dfd4e4bd3dc4a93ae77c7612f1369f9493ce8117f740691398f98322433517b9be1b257bc4023f454354b184a4ee613787b5b4d

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
467KB

MD5
8473bbbddaaca5b8c1202d39be231c9a

SHA1
96b1c86eaec8177a5b20bdffaa2015b6ba8a872d

SHA256
df09eda70aa4522bf2ca2d9b7e5860280204e0e1c71180dfa8f61e2cd29d9708

SHA512
85480ae19516472695d4766adf1b6ee4c1bc8c3cef9899c2a5318f87cbd00113fa8fbce13795107ea9fd91fd020b9e2e6868b76e8cfda4c9ad93e4ea32cfb4cf

Download Submit
C:\Windows\SysWOW64\Apddce32.exe

Filesize
467KB

MD5
78dbc833194b7ae0c96b5f98fa420897

SHA1
fd5e3a1779acd32e393ce80d3dceaca1c013f40e

SHA256
127bd9537f9a2a84b95d0c948f6271c1644ab18a0a2f90f6d652df4fbd1ffe3f

SHA512
2cd99862d998cf9dc8ee55bea1f3c382b527441df1142ceb965b7e4052d4548a9ecf61428d20e44131e24e89fdce631649f3247c0636b0124c4c7720d1ed3e4a

Download Submit
C:\Windows\SysWOW64\Ocmjhfjl.exe

Filesize
467KB

MD5
780fcb45d5448e33984123132ad43651

SHA1
44f647b6b2ff2b39a34b7e8d89c58131b05b51d6

SHA256
5f07a41c2003cb911cd5c9ae86bff06a1727d983b8e4ddf6c99bb79da1ec7942

SHA512
cb8f1845a1ffeb6779381a78cf43cdb34990311f8384d94a9b588c05ed72594214c8994762f3f03e8531ac9581eeef9065ece1da45f3ac0ce0c151512d355152

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
467KB

MD5
2bf61237dca1f34789be2178a438dd99

SHA1
a0fbde1da07445bf290c9eaa230de36cb4c9fa5d

SHA256
3fcc578f362a70d0250db86dcf208e1d966afe10793e56582924f86bd6828ee7

SHA512
3771623109b13ca8925d829aca6b16c8ea289d8a02ded877552bc87562bc384d2f651552c6c17bd61ccccebd97d42c825b2c56def43ab72b31df8259c9fa6769

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
467KB

MD5
87e7171d6f0f17b281ecdf4ea329383a

SHA1
ae53e8f518d26c8128ce8d99fa43e1216bbe78ea

SHA256
cd5d8ae7099e7e5111f646f4e0501cbe72cc9486b76804def2578dc1b26f29dc

SHA512
b8ba39713143ee66d266b5ba5757337d7cc60de55e18a956c214ced9c19fcddd1e93470f8fdcb175cbecdd4cf3e996c59005db38b5efc131ad3e99ec07f09a0f

Download Submit
C:\Windows\SysWOW64\Ohbikenl.dll

Filesize
7KB

MD5
5616fee5ccca87a730e2425e04ad1048

SHA1
795449c0fb802b4f0fc38f9f1ea90ec2196513ed

SHA256
22482e83134c16ee50e59867c4b82d7fefa584ce76592aac4f3a218f42780a46

SHA512
b692b6cc0b52e3fa9429174265c301b82848327e91a4ced873d5b62521b0efde03c592a175f2f87b5b1d4b5da69c89b4240c2369ade233a24b463f1b8a9f7923

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
467KB

MD5
9dbfd5c57fa716ecabd9596ba57b89ff

SHA1
6ece7a82edff2842064bbf38f9aae9eff15003d8

SHA256
33ad4833d0f703c08ed0e86aed0ebde89f94919c5597cd9212f3ff143a1d53a1

SHA512
a3924ba2eedf2ab9fa81047060618a7be3bc0f4260c91dcb9eb38e8bf10dc387aefffa0a663725e28f9a9180e30e4bf83197b2066e1e5c086a75fee69d2dbe70

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
467KB

MD5
9315a8ab0e3447db58aece17963379b5

SHA1
87cbc54f570dcb2a19d7028f0a4d5fc205aace6e

SHA256
31d9ac28fab8ed6340f985c13e54016932a7b4522045d01134bd2d682f1a68a4

SHA512
bbd087f4609cef90833a94cdc346645297c9089a0cf119ba843fc4642454990ece64efe6744913fac0c84dcb80f8e11c1ff496d06680b06da35d2b5e30198802

Download Submit
C:\Windows\SysWOW64\Pcdqhecd.exe

Filesize
467KB

MD5
fd309d7a80e3c73feafd5792378cfaf3

SHA1
669dfdf4a3b9f2f9133deba365b1a492e3905965

SHA256
e2ee5abece5370f8431ebe889f6bf0c153e20d0771edbe120a0b42ca4ec559ad

SHA512
1c17bb90d57a928649e0d057e1fef86d45a74a6b1c3daecea9b2a746af1efb566a72727d384e19ee9ed20df36e71600238e2fa90f52b7e22642e694973fe1dad

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
467KB

MD5
15dd7ebcf9db7fc845b0f81079e18aee

SHA1
434a5c10258ba796c8a9545cefccaad536c7e66a

SHA256
cafd215d262ed64b0d1fdfbd7c5f40b76537a0645217607390d68e025615861a

SHA512
a19af6adc0c2f9cee6b7ed2ae470e8e4441569c0e577908a95233972f7408172cfaa19e06c98d0f4fc2613060647b600963370fa083200fd1101583660b40e76

Download Submit
C:\Windows\SysWOW64\Pcijce32.exe

Filesize
467KB

MD5
86a7bf36307e8234496d8f9fbdb69f8e

SHA1
c28aa833a9412fcc4cbd8d465c0f476d210987fc

SHA256
a328eb687f7fb24debaa9c09cb75aff5dad462e03eb485b652a8ae757a5530f4

SHA512
5bc7d6d091dbc44fd72c75ab92000c100536d3f503b3326cf8035f9facb1736de15f02d0cfa71334b406db80d4605d2998b90b7748f525a51e156b6662d9ddee

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
467KB

MD5
24f8a798fdbeeb8ba8e646ad662177ef

SHA1
6bbac2c3e8f274a8b7d8dd5cd5317b54c0dd4e7f

SHA256
f9d06ad2e0b7bb65c33b7bb818ede0a90a0611ea29f80653c606a997a305d489

SHA512
becc1bc3e39256d5b2ff3fa5f05ac92ebb4ec8b101abe2427414a829fdf57761a291f289517f7a31fe14f98d5a5c55221ae37f806781d004e9b1e9386530f961

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
467KB

MD5
4f325dcfa2edde9919f8a2db9365d503

SHA1
e93149c3be519dd6276ec5bb19a9c236bae21d82

SHA256
d36693021068ed955c93d2871ed7f97b053757e7956d38e5275a426e2f0e7081

SHA512
00b9af3dbf434c0d3b06982e476ac1d929958b13d285fd5f9746340f14e1a3b5ce8b1580198efdf540e9c15b02b03ea0bbaa8e895fb10d654abc73ead1b7f284

Download Submit
C:\Windows\SysWOW64\Pfeijqqe.exe

Filesize
467KB

MD5
741c6a85542600f940502c0e680aa3c9

SHA1
81c7133f3a93652b727cd75f6f5ac81879c46316

SHA256
40741b2c49dcf68491572864db6472deba2778aaa88315ce15d14389c00378f8

SHA512
6b0b0a72b7c89986a7912ed131d7bd1b61610de0ef9910a2abab187fde7b6d5b8d2d9f236e21484b7b79a62bcad4121dae10d879ae7de42501023eac11dbd5e3

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
467KB

MD5
bd290df2309d9e18f3b60bd148726ae9

SHA1
52ea2b78051f687ad6fb30eb4de5466b341e2949

SHA256
2750bee82bd454fe32126fbf2f621a9f302825c14d96b264086f23cdbeb553db

SHA512
70e4d0ab4166a560374d86e0f0ca89e6030f97762e966784292b758ecdb8cc4147a0808a251308ada455aab602f980b5d06b287fbae10714f504f4bde5d233bc

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
467KB

MD5
45908ed3d5d97eeb78dcfc075515e77e

SHA1
7152337203a35ce2fa8895b87b213a5e46407413

SHA256
5f20fdc44aa508d9d25e81e85707893b0eade61f7b72f886f7ee5898beb2643d

SHA512
2890ed1ed5cad2cdfb4a695c25363759a702d140938881a81860874380fbafa25df6747ce8fc86508642b49e23e1a1c4a41cd9af733f505a1b1b09e265dbd235

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
467KB

MD5
51f2ddaf0a2b99ac25c0169114ffc829

SHA1
fdec5d29321b64c1bb79b31c8d84e418d6379525

SHA256
0047b73918e86da50ea2bc0984ba951168437c93704c2961dddcc591e7656e42

SHA512
ce75ad64f7e308f77a7416bbc2887d6bc06773c06004b14664e9824676cf7eeef18ed8723a25589d254be76b70844d8b8bae7cc9b40e819518b3dca0ace86899

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
467KB

MD5
a31439f88e1866eee6d686053fef6376

SHA1
a0231eccf57738f7572aa1aa3dac5590ccfda12e

SHA256
b51faaf0ad17baba14870dc25b336efc4a43cf9692d3ec5a20624551f45d0034

SHA512
4b3413666581b655a129c7e4768c25db85dd00e89321e795c57aa37a5881e6e579f72f7da2904233f66cd63a303341d28b826389871e479727cc508b5a8879ae

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
467KB

MD5
80c2d115ace33f9c81ccc2d6dbb0b215

SHA1
982a82c7dc3d839ad9554739ad6314431d86e3df

SHA256
1ed21b4912ac0514eb98949b01437bdbba0255304af7ef9eb43f5abedc0e5ea2

SHA512
820ca6cb3c223228a42c052a2c183f849f897bab2392af31546e8be9f22b1052dbb0ae78356c75a60aa07fe3f6422f24264a88df52611f0e44597621c5441a27

Download Submit
C:\Windows\SysWOW64\Qbngeadf.exe

Filesize
467KB

MD5
21372f7657066e85dc6ecb720e23e47b

SHA1
bca082deb6a6c3ff0ddc23fecfe831180af447b8

SHA256
d562865c81592e0b8a0ab6cb3bfdcc16abcbc61b40c59b302275a0b5a2043ba9

SHA512
4cd05ef5be89125c31c569dfa0ded67c5502030f79dffcebe453fd33686137439194bc05a0696c0610597a0a30ca3da2b3aeb04277a5291e88c5c3a4e992ae5b

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
467KB

MD5
2edbb89bc1459016cc92bad101cc5fe6

SHA1
8044149d7bfc8c91b055fe364b7789ba5f3c50ad

SHA256
471a5ada9af90ac596478c03116248842b79397c1b245a402ffbe45922292257

SHA512
b77494ff081fc95a68efe47832b482f490f0a5c26b2a271d22fa71c697713aac64ce757e1858f07e82efe6e97ae0284d09fc7f1e1b3550b110d98c8ba6c977cd

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
467KB

MD5
67661edd105e5d1994541cca3c467ea0

SHA1
db416ee06e8532214868f10f0f4fa8d71cdddd1b

SHA256
70b984c3251643aeaa98c5c4e103a9d78ddaf52483e7ef444c2ae68f737879d5

SHA512
4ee01795339045c20bba490a731bb6b887ec97b01c82ffd40264de88826521fc682e21f9cc05e5a3ca2a43d50c5f4eb44f4f299755f2c4c1e49881e2f4e60fde

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
467KB

MD5
ddc2c3617e11c51d0b7e27fcaef7c3c5

SHA1
ee58fba045584e80ff5e9051ceab1b2c39d5e1c3

SHA256
cd275ddde2075b1f8aef98cafe333eb5149c88e07af7df7538aa4434281939ab

SHA512
510c399ab5f1e72deefc346dd341e1df1c6d1ee350214a6a34357cdb8c8b236d236b0161ef94c246585284ce097dc7da8dee6320ab15c5c1f44cffc8bea20234

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
467KB

MD5
ea8260cc1276917c8072c9b212384ea5

SHA1
6d6956f28ee40b87a7888fb54c4eb7647981eecd

SHA256
64df33010d8b7e92384380121cc73021304f9fbe42c43abcd44206def773149e

SHA512
aaa5a38954caac613c1e5f59eecd750b0a979f14d79a5753ecb2778dd9f333edfd743f7fc182708baf343e46a4b5dde5703e87f3c0843f5b775020bd9fbbecdd

Download Submit
C:\Windows\SysWOW64\Qfjcep32.exe

Filesize
467KB

MD5
7c39cb9df8d82703e35f180d797bb843

SHA1
e157122f56cf1b802aef976908767d3e4e82830c

SHA256
909d6073b2f78a9790036a5ba3cd2c43a46e63945e17fd60be9e5ad9351feddc

SHA512
2c8498141de9faac6ee5064f88c78ff002f7a0cdfef18b81082efcc38726ce71a19d99715151e27f791da29b76673f1a1a0af4cd446e978202611854ce715093

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
467KB

MD5
2b61e0e28686d8d0f154530d6a57a7dc

SHA1
862f92908fbdfe9c3e1ec2fc015d972d84bc3ec8

SHA256
eb0be6b8f3e9f034065cfe249fdd82e955fa5e1bc1e030d59fc8ec9b1e3f4e6a

SHA512
10051b7b4f2bbcc4af9f78e4cf6aacc2b56f17be27bdc2598eb9b38617270ef66018612731095a69128c7d2795a125ad6204eaeb989ca1e59fd9eb5558df0ebe

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
467KB

MD5
b69e9c4710b695b728e43763053da499

SHA1
1fed1591b99a7703af4b787bdc235835b572afe4

SHA256
5d9e3411a8ab61dbbfedd6d24f415110558f278bfe1038dd72a93b0c9c8a9238

SHA512
3b53bcc8994f5c5ab8f3bf066a092f786392920d9d0b8912e733816a35482306e53f2c96474d030deadc89c9a53180ce71670a8f6e851edd80953c92c430439a

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
467KB

MD5
f51961b98d781a797d7da4da7bfbfde4

SHA1
577a102283003fb0522e7400409cb2091bccd1ca

SHA256
776ed978ad4aac9f8520ffa906a17b8e319d96d23fb2f85696af636ccc3e2c1e

SHA512
5612d8795e25af552e786fa9cc6517fe730813bf3e5aee3eb86216a7648d3bc9b7de907fd7407b0ce6d529766ae4298ebc76cfebc85f6da400cb14c3424565de

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
467KB

MD5
5d81973caf3f389b5b4c4cc23bc77d5c

SHA1
6a436acb57b07e81784db78daa39bcdd681a9382

SHA256
c6b9d0618a9fc3883bfce68032785d889878f28340cf1819db4deb2085f7bc5f

SHA512
2df0b1b2a2060206cb1ee4eed94fc4c0f93d5a39a7698c03b708124b783d5fb5dec380a2c6afe9a4be7106fad79adcd8d1e72cb7dc2b9d7f2a9df8163e73b332

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
467KB

MD5
b93a318fa4d272b6ac2343b541fce76c

SHA1
5394e149e03195dbdb101ba16bdf7b8414e28a3a

SHA256
e42f088de5eaf7bc78cae517c3a0006cea2523599d1eb61754acb2dec5afb09c

SHA512
b994a8e1322937aee97f103db3f92382d3c42a6550834792c2c25355a809ffe571c61faa291365c6207c18f38441517bbf06f925d4f480a5e43a8df624d603e1

Download Submit
memory/380-404-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/468-386-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/468-267-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/596-398-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/780-253-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/780-352-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/892-348-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/892-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1084-376-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1084-264-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1192-336-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1192-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1316-268-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1508-402-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1540-261-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1540-368-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1620-64-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1620-350-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-266-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-374-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1784-363-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1784-364-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1784-259-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1944-390-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1944-389-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1952-378-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2256-381-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2268-255-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2268-356-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2440-346-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2440-48-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2448-372-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2448-263-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2516-262-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2516-370-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2664-388-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2692-396-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2812-36-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2812-342-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2860-39-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2860-344-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3116-394-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3116-393-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3308-358-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3308-256-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3360-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3360-338-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3548-399-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3548-400-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3924-258-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3924-362-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4112-260-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4112-366-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4224-391-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4224-392-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4308-340-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4308-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4404-265-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4404-382-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4416-384-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4804-334-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4804-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4864-354-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4864-254-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5092-360-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5092-257-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads