8b2ea80ebdc8bc06ea9c4dee25f2a20103ecdf8d297c0627133f9a3036105e05

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

880d9187c2619974b4c6bbfa2141bf60N.exe
Size

160KB
MD5

880d9187c2619974b4c6bbfa2141bf60
SHA1

a15c2d13fd7def14f7fff25c4d365d205c9cdce2
SHA256

8b2ea80ebdc8bc06ea9c4dee25f2a20103ecdf8d297c0627133f9a3036105e05
SHA512

93d7ac16616e6eb980f195b44f26ecc4aed39228faaf9b1a4929e483008c9fa66ba4bee0eedda7300679fb543124c17e8f1bdb38dd171760d7da4f366d22c664
SSDEEP

3072:SO3hFI9tWVWj5XAo3df+wQAGkeJSJdEN0s4WE+3S9pui6yYPaI7DehizrVtNe:XFI9tWVWj5XAanQAG/4ENm+3Mpui6yYM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omaeem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	880d9187c2619974b4c6bbfa2141bf60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Poidhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ochamg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe

Executes dropped EXE 47 IoCs

pid	Process
3252	Ocfdgg32.exe
392	Ofdqcc32.exe
2496	Ochamg32.exe
1904	Ofgmib32.exe
3500	Oheienli.exe
2376	Omaeem32.exe
3684	Oooaah32.exe
220	Obnnnc32.exe
1212	Odljjo32.exe
1536	Omcbkl32.exe
4284	Ocmjhfjl.exe
3440	Oflfdbip.exe
2028	Pijcpmhc.exe
640	Pkholi32.exe
3020	Pcpgmf32.exe
2140	Pfncia32.exe
5020	Pilpfm32.exe
536	Pmhkflnj.exe
1520	Pkklbh32.exe
2516	Pcbdcf32.exe
3852	Pbddobla.exe
3932	Pecpknke.exe
2648	Piolkm32.exe
5056	Pkmhgh32.exe
4660	Poidhg32.exe
1484	Pfbmdabh.exe
1228	Piaiqlak.exe
4256	Pkoemhao.exe
3960	Pbimjb32.exe
312	Pehjfm32.exe
1288	Pomncfge.exe
1600	Qfgfpp32.exe
4804	Qifbll32.exe
4512	Qkdohg32.exe
1900	Qckfid32.exe
2308	Qbngeadf.exe
3236	Qelcamcj.exe
4480	Qmckbjdl.exe
4800	Qpbgnecp.exe
2804	Abpcja32.exe
4860	Aeopfl32.exe
3068	Amfhgj32.exe
1744	Akihcfid.exe
1740	Acppddig.exe
1672	Afnlpohj.exe
2488	Aealll32.exe
748	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Ncloojfj.dll	Pfncia32.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qelcamcj.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Dlqgpnjq.dll	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Pkklbh32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Pkholi32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Cjokai32.dll	Poidhg32.exe
File created	C:\Windows\SysWOW64\Pbphca32.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aealll32.exe
File created	C:\Windows\SysWOW64\Pfncia32.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Knojng32.dll	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Ochamg32.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Odljjo32.exe	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Aealll32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Ochamg32.exe	Ofdqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Qifbll32.exe
File created	C:\Windows\SysWOW64\Abpcja32.exe	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpgmf32.exe	Pkholi32.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pbddobla.exe
File opened for modification	C:\Windows\SysWOW64\Pehjfm32.exe	Pbimjb32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Ocmjhfjl.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Pfbmdabh.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	880d9187c2619974b4c6bbfa2141bf60N.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	880d9187c2619974b4c6bbfa2141bf60N.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Oooaah32.exe
File created	C:\Windows\SysWOW64\Ofgmib32.exe	Ochamg32.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Oijflc32.dll	Pkholi32.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcja32.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Qelcamcj.exe	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Acppddig.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Pkholi32.exe	Pijcpmhc.exe
File opened for modification	C:\Windows\SysWOW64\Pkklbh32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Oooaah32.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pbimjb32.exe
File opened for modification	C:\Windows\SysWOW64\Piaiqlak.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Pnnggcqk.dll	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Oooaah32.exe	Omaeem32.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	880d9187c2619974b4c6bbfa2141bf60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkholi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkholi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflnkhef.dll"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	880d9187c2619974b4c6bbfa2141bf60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofbkbfe.dll"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	880d9187c2619974b4c6bbfa2141bf60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oooaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkmhgh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 3252	4968	880d9187c2619974b4c6bbfa2141bf60N.exe	91
PID 4968 wrote to memory of 3252	4968	880d9187c2619974b4c6bbfa2141bf60N.exe	91
PID 4968 wrote to memory of 3252	4968	880d9187c2619974b4c6bbfa2141bf60N.exe	91
PID 3252 wrote to memory of 392	3252	Ocfdgg32.exe	92
PID 3252 wrote to memory of 392	3252	Ocfdgg32.exe	92
PID 3252 wrote to memory of 392	3252	Ocfdgg32.exe	92
PID 392 wrote to memory of 2496	392	Ofdqcc32.exe	93
PID 392 wrote to memory of 2496	392	Ofdqcc32.exe	93
PID 392 wrote to memory of 2496	392	Ofdqcc32.exe	93
PID 2496 wrote to memory of 1904	2496	Ochamg32.exe	94
PID 2496 wrote to memory of 1904	2496	Ochamg32.exe	94
PID 2496 wrote to memory of 1904	2496	Ochamg32.exe	94
PID 1904 wrote to memory of 3500	1904	Ofgmib32.exe	95
PID 1904 wrote to memory of 3500	1904	Ofgmib32.exe	95
PID 1904 wrote to memory of 3500	1904	Ofgmib32.exe	95
PID 3500 wrote to memory of 2376	3500	Oheienli.exe	96
PID 3500 wrote to memory of 2376	3500	Oheienli.exe	96
PID 3500 wrote to memory of 2376	3500	Oheienli.exe	96
PID 2376 wrote to memory of 3684	2376	Omaeem32.exe	97
PID 2376 wrote to memory of 3684	2376	Omaeem32.exe	97
PID 2376 wrote to memory of 3684	2376	Omaeem32.exe	97
PID 3684 wrote to memory of 220	3684	Oooaah32.exe	98
PID 3684 wrote to memory of 220	3684	Oooaah32.exe	98
PID 3684 wrote to memory of 220	3684	Oooaah32.exe	98
PID 220 wrote to memory of 1212	220	Obnnnc32.exe	99
PID 220 wrote to memory of 1212	220	Obnnnc32.exe	99
PID 220 wrote to memory of 1212	220	Obnnnc32.exe	99
PID 1212 wrote to memory of 1536	1212	Odljjo32.exe	100
PID 1212 wrote to memory of 1536	1212	Odljjo32.exe	100
PID 1212 wrote to memory of 1536	1212	Odljjo32.exe	100
PID 1536 wrote to memory of 4284	1536	Omcbkl32.exe	101
PID 1536 wrote to memory of 4284	1536	Omcbkl32.exe	101
PID 1536 wrote to memory of 4284	1536	Omcbkl32.exe	101
PID 4284 wrote to memory of 3440	4284	Ocmjhfjl.exe	102
PID 4284 wrote to memory of 3440	4284	Ocmjhfjl.exe	102
PID 4284 wrote to memory of 3440	4284	Ocmjhfjl.exe	102
PID 3440 wrote to memory of 2028	3440	Oflfdbip.exe	103
PID 3440 wrote to memory of 2028	3440	Oflfdbip.exe	103
PID 3440 wrote to memory of 2028	3440	Oflfdbip.exe	103
PID 2028 wrote to memory of 640	2028	Pijcpmhc.exe	104
PID 2028 wrote to memory of 640	2028	Pijcpmhc.exe	104
PID 2028 wrote to memory of 640	2028	Pijcpmhc.exe	104
PID 640 wrote to memory of 3020	640	Pkholi32.exe	105
PID 640 wrote to memory of 3020	640	Pkholi32.exe	105
PID 640 wrote to memory of 3020	640	Pkholi32.exe	105
PID 3020 wrote to memory of 2140	3020	Pcpgmf32.exe	106
PID 3020 wrote to memory of 2140	3020	Pcpgmf32.exe	106
PID 3020 wrote to memory of 2140	3020	Pcpgmf32.exe	106
PID 2140 wrote to memory of 5020	2140	Pfncia32.exe	107
PID 2140 wrote to memory of 5020	2140	Pfncia32.exe	107
PID 2140 wrote to memory of 5020	2140	Pfncia32.exe	107
PID 5020 wrote to memory of 536	5020	Pilpfm32.exe	108
PID 5020 wrote to memory of 536	5020	Pilpfm32.exe	108
PID 5020 wrote to memory of 536	5020	Pilpfm32.exe	108
PID 536 wrote to memory of 1520	536	Pmhkflnj.exe	109
PID 536 wrote to memory of 1520	536	Pmhkflnj.exe	109
PID 536 wrote to memory of 1520	536	Pmhkflnj.exe	109
PID 1520 wrote to memory of 2516	1520	Pkklbh32.exe	110
PID 1520 wrote to memory of 2516	1520	Pkklbh32.exe	110
PID 1520 wrote to memory of 2516	1520	Pkklbh32.exe	110
PID 2516 wrote to memory of 3852	2516	Pcbdcf32.exe	111
PID 2516 wrote to memory of 3852	2516	Pcbdcf32.exe	111
PID 2516 wrote to memory of 3852	2516	Pcbdcf32.exe	111
PID 3852 wrote to memory of 3932	3852	Pbddobla.exe	112

C:\Users\Admin\AppData\Local\Temp\880d9187c2619974b4c6bbfa2141bf60N.exe
"C:\Users\Admin\AppData\Local\Temp\880d9187c2619974b4c6bbfa2141bf60N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\Ocfdgg32.exe
  C:\Windows\system32\Ocfdgg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\Ofdqcc32.exe
    C:\Windows\system32\Ofdqcc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\Ochamg32.exe
      C:\Windows\system32\Ochamg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kncgmcgd.dll

Filesize
7KB

MD5
13ddae06755ebaf8c241781d13f7a5bf

SHA1
c337f1523467a9ace2e54d21b34bfe2c041d7c58

SHA256
554bf699931cba88b5eebdeed0ee0b19387586370c5d4884d89bd5ab9e5dbe4b

SHA512
f4997e2dd07ccc20df1117eba67fd3eaa180dcc882028a969ad5b3b157b761bc707a7b3ab0b2f1f7f756a58693d02839493eb92322839e5adf6b531e963da8cc

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
160KB

MD5
3f25d6a69336079ff3076b3a67783e7f

SHA1
f301816da700bc4850fb1d396e2450caa4c0aa67

SHA256
21c2a7192e7907dcdc4af15dd2b33f9bb177324818be92023c21a849c1fa68db

SHA512
f9d7b77c277c50b7923847703746f1c444a4bad176292f24a510ce3f9dbc436c690c6a957a1915eb336b9b2ed3716eab43c31e33a1b108332deacf6b2eaf6510

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
160KB

MD5
3fb7317cda9fa7690f93afe3078b35ab

SHA1
377393dc4a2d88f77bc757f847358a91777fde1c

SHA256
b462c8ad4fa00030ddb2d3630616b08708597902f97766750c88bd3259f6f63d

SHA512
d2c737a20a9a6c6b5c353149e45c5e48557c206ec538c9cf7a7391b651a3003cadf314fcb5638c4bd00c00fed11e5bd50f246305abf76fa97c7ee4918de539eb

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
160KB

MD5
a468b18de53e79a11fe4b3ae312882e3

SHA1
06a56b2f81bb74f189cf7674e0059477f959dfe6

SHA256
23597c0ff85206862bf1390c562bea737abc04c22dbcd5aae36a8a18977a904d

SHA512
599798e0b233f6d45aef6d6fa693ae56177b84016d751dee7e18ddafa360d46b62bb9e125f3d2d592294d78d1b5762a18d33c9181c0ff8f59c58ad387e3b5c51

Download Submit
C:\Windows\SysWOW64\Ocmjhfjl.exe

Filesize
160KB

MD5
dbb2cb9f1996599cdc4f78616804eb8f

SHA1
5288f911f595774d49d595d6615cf71ffa0de449

SHA256
813b9c8a01dba4bf7ac0219f251ddcfeaeb07d37d39e48a5736a08ed1cb55deb

SHA512
154c9cb0204881f49cff99cc70aab077cf61309a9a33b0befb99cc751aa53ad2409147c4bdbe5bbcd24548b0785bb68a670ab59f100dad6242dae59c1b61271c

Download Submit
C:\Windows\SysWOW64\Odljjo32.exe

Filesize
160KB

MD5
5c357206de0805a852cb02466eb9c5b7

SHA1
a0db1e00dca1c3083f28e1b484a9ccd77ba9dbe4

SHA256
5e777a9e6654096893344adc069dbfad2c2d931f48f87598452af693e3195f04

SHA512
770374859b765fd9480482b2b20b0d096d51dc57acdf34ed8e033b0292fe874ce145e90aecbd2cc67a0f0ae6b3bf640be8cf6212c9e619e1ec24cffee416c2b5

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
160KB

MD5
1f466eca2471a3f15c667806ae143a4b

SHA1
72ecd7d20b1f82359f7037c11f44ab87e109300a

SHA256
56b732f449cbed13c55e0b914313a9c42ef5b17bf5524ab16faf73d095fa1fcc

SHA512
040ed4af232d8a10c4233ad59081a49392765d9eaafd7ae98c09ce2f4a6aed502b46ae469d4e6567ebac134082a8ac7e90f51098fe9caf8de6d6004d6aa456cd

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
160KB

MD5
f31149ab2ab6419893a470bf73aafd03

SHA1
05fa77cb74a385aea3a1239bc9f568553893bc70

SHA256
5275f14959562a34dc64e6ee57192d18d0bc7da8c34450cb882f72f07e65a952

SHA512
d63edfdf1397e867ad812de00c1aa78317ec13f9c2cb210ca54f3e0f0234af633d5dfd235fdd00276afce06f8e53e29b5435a8c01dafebd7652850e15640139f

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
160KB

MD5
8be6e417a9cd0b2b4064d780e639b874

SHA1
fe643d3dbd2dfc18e9cd4a534a2d2225f42d8b0f

SHA256
9990d14ed58e44436b7da8315a3c46f99c9a7899a0e4d3a2233fda5e158b882a

SHA512
444ee17bffc71c18465d644f607d9c35a0edcfde400537fd208388477e25501a8213ee8c8022bb1299635e0273c8a123447fb22b1a0fc5a4acbf96c30ae67259

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
160KB

MD5
97fdc16572a5ed7ec7572e7ef3d042c6

SHA1
edb2a9ef55984ed2ea7a67e4e691f99ab53c54f4

SHA256
87749b75b5ad3b3b280c7a40bd71bc8ca9558c0b88b98298a1fcdfdb9e724cc7

SHA512
cc159bf425090b937c6148fe9588e1c2a2b1d9babd4420058c632b0a7c640ba9cf222517bf2127125c87b03cb6b860a6fcdb941df52eeb6bdd351348388184c7

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
160KB

MD5
646f5095aa1f26b540c0bd9a233f7171

SHA1
53ec7951087f4ea42cc347cc255718c3525bad08

SHA256
2a7c1a860e227d82e651ec1ccf97fce999196b43c7cd63e353a538234627400c

SHA512
e0d9ba5fe21fc0c2bda55c0d94f7faeb4ba8a75b72f892370ab3c05ab70366f213c807a17a7380e6ea055a3ac47d4c266afe4197a14111d62150df34799ed5b4

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
160KB

MD5
f12b3828d8c28797709ee3191b05d3ab

SHA1
cc94b44ce2acc6dc8777738d420736a475d379fc

SHA256
762ed341f77b4d585a30c62d17a33c996f167172cc8c1f8167b6d35077a924ab

SHA512
29b3681009cceca028eb0033ebff7bbe289d3cf7fb65f9b90e359e956a873b0897d881ed0bb3f9a438cf67b94488c2a058fa8bd1aeacbd9865163a70e96b36a8

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
160KB

MD5
e087c57ac10fd9faa20935bf259137f9

SHA1
faee0e59efaf7d11bd2b2fa48c5d0614dd7de240

SHA256
0b84b165d8f1bce97d26927e6b5baa038b96abe28b91a51dab9f1891f444ae56

SHA512
0dd73eff5eaa8ae81591a34f9285c5263f98eef0daafe2a660db5560b282e11e988a530f62ab2105e9eea169b353102b604dea37c5f5f8c2ba53db0e800cb7bc

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
160KB

MD5
eaf4cda809e90f63218c14a8f05bb3c8

SHA1
d30afe6b03f91c34c73b7f3c04e5031ca57ef595

SHA256
03c5a0aa8da903261b99dac9ddcd0622e5b0553424c861ba0b3fe46ae1f87004

SHA512
0b58915b80aae440a9d1e65d5ba86d587048eb5dbfbed99d0adbed2fa3b0b51c89a3f66995a0f799bf6c632cc4a003f79c40f96445f2ffc1053b8b65ef04ea64

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
160KB

MD5
afb0ab4573fd9b99884feb50d6dadfc7

SHA1
3a8d4e8b44a042c2605231f70f0df0c9150c310d

SHA256
ab95f73ba97a5abd9ab1f0cd7f1aab95d36347b70c2f7def85ba73b47fbba825

SHA512
ff51898f17f8e825281d872c4b4b998c1c0229f5a33861a3fcc548526185be9c6a2613bc457f4ba75784f04bf15516375a8a5d052eae96931ebff115042e7b66

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
160KB

MD5
277a3bff87101d989228bf69c52312ec

SHA1
ba3fc239e26928bd6ea794b0e3e3d859c2792d0d

SHA256
559cae60697597d3ae634540e0743547e449d6fb25db63e6326921f89b63e7a0

SHA512
2009c180d34d346c51782ad02b3dbef6701d24edc4cf6cf883435ea71801d54f870093109d5207cc16ccb73b2a8e3e6021661d727b22b3c8207bfaf0dcc697c5

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
160KB

MD5
8bd78620cad745e7a6377ac3f21fd549

SHA1
c3fb164ccd8dcf3de631bc3f601a07402183a26b

SHA256
195aeeae98f32ed9da5ba5fac81e82f36453ac4406e1fd15b5e3f91795013164

SHA512
59133783d1e0e3a93630b76664bfc3794b6085bfb021fdfca779f784c5614f312431e58f514ba09fe8d84d22269b99a059789fb921532822498c9b48000d0565

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
160KB

MD5
d0e0c3d06e4ac0a907b2cec03af5bc85

SHA1
34ff53a467d0c952e599435c5e6015b653900b9e

SHA256
5d5d3c058f85a48c0c419bcf5b7243540c5a52839b8310737f3acbe70401afe1

SHA512
4383adf8acd41575f4b360dbceec32d93e9092f17a0351b2321655fb430950ab21a720e16bc21d96cca356787dfa51000e9d39fc440cf0e272d78a84b596a16e

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
160KB

MD5
99d1a6f0ca3a08652e4315512d3429f5

SHA1
a1fec45a0e54ffce10d8aa79370ce343635c8e86

SHA256
15ae1c87c7f4bb263e80ae79429988b513fd75dba207bee1c194f1f234daabf4

SHA512
b652a8f0ef26ad23900e14cdc59c52ab87773dc93f36a537d4048e52b0f60bcb6193a03e796c1a7f7b960a2248ac16716056f3e7fc05443ecc3637bbe2844d53

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
160KB

MD5
12698b37d5c47832aa3102f5f8573352

SHA1
8352ec4150a47d23c11a69361f4092617ff0a993

SHA256
1896cafe2e132cbdbcc6af8c18656ead9071cb3fd89581310fb3ef14672c058e

SHA512
211719514fe868287ee2cf6088282995bb064c7e0121049a9e89ecd9ae19b72b7f3f8e7c101bf41586f0b410ec8a44c78e5212d0cb94a6ad3a40464815a8e4ce

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
160KB

MD5
94fa4aabdaeb25b8fea1696e0cf1a03d

SHA1
7a1b8cc75f2821d1a6aa0f2d7e521e4309a8f298

SHA256
5a69e09f784f49dff9dfa759c17b6c781365b3585fb6fd9283ffd72fdd11a00d

SHA512
9ec407dff6ef4001259ab993f1e02c3c84258f972dc4a173f56a47895e0fe85bafe940bbc81cdbb43d28c7834ccfbd22e78a281fbea31f3f88a6f391773a3d1f

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
160KB

MD5
68ec81960e962ff5224afa88beaf6e31

SHA1
b434a62e9e4170c69233e1d31e7cc60815c54557

SHA256
30d7ac3733c8c375fac1b39fc4026d4d5a97f0891ee78562923cc32acf864b19

SHA512
c9e65e1d1a2ac656e913f93e018f791fc236e13dd264e94f7e226b7290496bf827696ca0fcc82e743ff2964e8f7085dda7bcf84f54d1700022beadc0b36a63de

Download Submit
C:\Windows\SysWOW64\Pijcpmhc.exe

Filesize
160KB

MD5
18fcb374e74b6644fdcb7f96c256287c

SHA1
4cb128ff6dd3809541c7b4c9073f6f26a283965c

SHA256
f631725238bfe9829b307430dfe6e165144fca0d972981eb30f110bc9d079c8c

SHA512
ee526b04e6947e600f37d1897a6e84db0df433056a9aa715a47df718512e34fb189cb1f4294003960650f3316448713416cfc22cbe29430df6b4739da6cd4456

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
160KB

MD5
9e398ed4f94ed7b693063c98dd37b5e9

SHA1
7b29910b341672ed1b7aad839280800caa14bc0d

SHA256
71b1899be2a0987eac6df06747455653429b64ba0bfdea356d4a586c8c6dea52

SHA512
3f59165872078ff772430cd0d5daac5076c2579a793ee9b9463057c99c72973d4e80cebb766a54dafacbe08eb277742c546397efa82f811201bda3f6bf692169

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
160KB

MD5
147be13bd663548d354cd44f0aa69577

SHA1
60a8334d50f912e5fbd883bf2821fb42d76f473a

SHA256
98e995db2d0c8530f3a46bad6236ff2b7de9298dc0e577f0e8944b079c96fedc

SHA512
b37740522d951e81d0cdf517279ee678e0b3b186479985bbe1fd962033b684799aaff36b6d05c4bf7e7a33eec396cdbda3b6a7707e672f33a7de639f5796830b

Download Submit
C:\Windows\SysWOW64\Pkholi32.exe

Filesize
160KB

MD5
34d6968ecad35754582a9c9f737e7b85

SHA1
e96de0dcf11177b87255e8d854984d722530a3c0

SHA256
512bd944fe83a225e752c514e6c738161416537006e42898341ebc62301b691f

SHA512
f5255ae87301a950d8c8d97bce970dab77d165d7c8226f116530d2404957e15db70b19c675323f25887ee688af2875fa830afae6afdba79e4a5f91c24f905494

Download Submit
C:\Windows\SysWOW64\Pkklbh32.exe

Filesize
160KB

MD5
b2de5ae5e0f614235fde041e84446ee9

SHA1
fd1ebf074fe2ed1083b60d524029c0c0e81fc724

SHA256
7af7ede87fe2bf2789db2198e1d6e76dec3799054a87535856158c81bfbc21f4

SHA512
4d6083b03c16b9050ea472e11bb1e9afd55371420496c91c4c6fdc73083fdc2929ebd107977f594c2fb941841847b7dc353f007b078fb64bee7bc7a58d68409f

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
160KB

MD5
6987a1c04bd82f778fcf1c80bb083bcd

SHA1
d540e6e18607fc9a61e33135ef3682cc9aff01a5

SHA256
a80cd9d9c9d904c97701f21979b6c1bcecb802ae8f6481790536b807e96c7125

SHA512
ff5340a261b2f0a819d10408361c267fe377eae29aa3d0a4f3a2d6abf041508036435b55643339b8115fd035a23be9d16613654442504e50fa5c230e554ac3e0

Download Submit
C:\Windows\SysWOW64\Pkoemhao.exe

Filesize
160KB

MD5
58ba13dcc29e4d3c4a5169f7cdba0688

SHA1
2ea988bae554952c53390ecf9fa665581a2a405a

SHA256
b4264a979127f4bfddb1b66f8416851cb75c7b937f7c436f5888fc4fd7d02137

SHA512
2377803bf747df5f80cad8499c9cbec714e27a7a0a1537473f5a35d09791ffbd1335065bdd08a68ba100819c692f567a4146df3e4ee2425397400cf17b053acd

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
160KB

MD5
2a0eca93e4b5cd88fa317be5ef8724d2

SHA1
09b4004e18a6999cba11a2a2077468cc1dfc71de

SHA256
c14b6f823d97eb15a63f7ee2f187efd80fb28181bed656c5f88298b2fa0d52fc

SHA512
9c4181be567ccd0fc8ec8271c6081165e62968f9f85e05ca3490b67731ee42d1c227042cf4719b9ee511b5a5dd2294b32c43216aba3eb260ec7ef832dd682d91

Download Submit
C:\Windows\SysWOW64\Poidhg32.exe

Filesize
160KB

MD5
1b32e1239b3077a99034ab3db97bb375

SHA1
fb74e8de91a18e65d421d3e3cd33e1d8b6b97bad

SHA256
ca30e39ae49e135d30f2ec6de4f037940550b6730024f0ad8d212119450f6e50

SHA512
7a83970af85ab664cf2cb16ee1ff0c010b8f540d43959f00300d3a09e3635e6fd7d5dec796e447a21a20548b40ec04c735eb14b3f75cfbdfefffe3701d6cb876

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
160KB

MD5
8fd8058f1023594608269e168e0ec4fb

SHA1
cab1dfa0cfc13108bb0841a45c19005ad459d8de

SHA256
60158362c4131ab05b5691fc81d6cc32bbd27bd4b702f654b801cee27196bb86

SHA512
ccded65d842531a1de2d6c473b9084b7be57c0b1c269196d7c3f97a0429c4cc4ec1b54b3bf359598047b8e932d12eba2179144cf195af2c403d7cc2b1d40de30

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
160KB

MD5
440105d5dc2374837a587a639837ec14

SHA1
236fa8e5e4967f542b17822f541199bac10f210c

SHA256
9c50c6d0ddb493932fcdbe99719745ddd4162789b2f8bff50a59a638ce5d2325

SHA512
efd99df00e9b413f147e93a382a47fa89c9e6431be268545b18a8d9cdf38f2f2d2273569a215d52212d3928203b644e933a028d020bf6a52a900537f4819254f

Download Submit
memory/220-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/312-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2376-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2376-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads