3f1b7456a5bc35c932b53e16428589b02672d3959c179d1282a4a4ae585e81cb

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1581dc93ad73ee1709c14fb8a891ca0N.exe
Size

307KB
MD5

a1581dc93ad73ee1709c14fb8a891ca0
SHA1

f69ed25133113422052682357a6051b6de600267
SHA256

3f1b7456a5bc35c932b53e16428589b02672d3959c179d1282a4a4ae585e81cb
SHA512

e21935979c52bd039a6952cbb4a8d1b47cd43ea2640399d95a82481c9f90da8804dddc147cd8be1e54a7232544c1cbbbb997b50e7c5a7286258eb2bd2463a2c0
SSDEEP

3072:qLYZCm+dKG68+DQg+Q+jS3AvAniOktt61ky/6DiKT:qLYe2DL+Q+W3LVkO1ktj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poidhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a1581dc93ad73ee1709c14fb8a891ca0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a1581dc93ad73ee1709c14fb8a891ca0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe

Executes dropped EXE 49 IoCs

pid	Process
1068	Obidcdfo.exe
4308	Okailj32.exe
3092	Odjmdocp.exe
4032	Oooaah32.exe
2440	Okfbgiij.exe
5028	Ocmjhfjl.exe
548	Pmeoqlpl.exe
1684	Podkmgop.exe
3792	Pbbgicnd.exe
4668	Pdqcenmg.exe
2340	Pcbdcf32.exe
3604	Pbddobla.exe
5076	Pfppoa32.exe
1540	Piolkm32.exe
5116	Pkmhgh32.exe
1008	Poidhg32.exe
4244	Pbgqdb32.exe
1312	Peempn32.exe
2756	Piaiqlak.exe
1340	Pkoemhao.exe
4236	Pokanf32.exe
4548	Pcfmneaa.exe
3188	Pbimjb32.exe
1564	Pehjfm32.exe
4012	Piceflpi.exe
3300	Pmoagk32.exe
4192	Pkabbgol.exe
5080	Pcijce32.exe
3676	Pbljoafi.exe
1172	Qfgfpp32.exe
4052	Qifbll32.exe
4000	Qmanljfo.exe
4872	Qppkhfec.exe
460	Qckfid32.exe
232	Qbngeadf.exe
4436	Qfjcep32.exe
596	Qihoak32.exe
2908	Qmckbjdl.exe
2840	Qkfkng32.exe
5136	Qcncodki.exe
5184	Abpcja32.exe
5216	Aeopfl32.exe
5256	Aijlgkjq.exe
5304	Akihcfid.exe
5336	Acppddig.exe
5384	Abcppq32.exe
5416	Aealll32.exe
5464	Aimhmkgn.exe
5496	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Mhinoa32.dll	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Abpcja32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Abpcja32.exe
File opened for modification	C:\Windows\SysWOW64\Obidcdfo.exe	a1581dc93ad73ee1709c14fb8a891ca0N.exe
File created	C:\Windows\SysWOW64\Hkidlkmq.dll	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Okfbgiij.exe	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Piaiqlak.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Oooaah32.exe	Odjmdocp.exe
File created	C:\Windows\SysWOW64\Piolkm32.exe	Pfppoa32.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Aealll32.exe	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Aimhmkgn.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Ocmjhfjl.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Qckfid32.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Pokanf32.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Piceflpi.exe
File opened for modification	C:\Windows\SysWOW64\Pbljoafi.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Akihcfid.exe
File created	C:\Windows\SysWOW64\Okfbgiij.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Podkmgop.exe	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Edkamckh.dll	Pbgqdb32.exe
File opened for modification	C:\Windows\SysWOW64\Acppddig.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Pdqcenmg.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Fldqdebb.dll	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Pfppoa32.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Aimhmkgn.exe
File created	C:\Windows\SysWOW64\Okailj32.exe	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Pbgqdb32.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Cimhefgb.dll	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Jknmpb32.dll	Pcijce32.exe
File opened for modification	C:\Windows\SysWOW64\Qfjcep32.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1581dc93ad73ee1709c14fb8a891ca0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfomcn32.dll"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbndhppc.dll"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpqlhmf.dll"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a1581dc93ad73ee1709c14fb8a891ca0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhikf32.dll"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll"	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggociklh.dll"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qcncodki.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1068	2028	a1581dc93ad73ee1709c14fb8a891ca0N.exe	91
PID 2028 wrote to memory of 1068	2028	a1581dc93ad73ee1709c14fb8a891ca0N.exe	91
PID 2028 wrote to memory of 1068	2028	a1581dc93ad73ee1709c14fb8a891ca0N.exe	91
PID 1068 wrote to memory of 4308	1068	Obidcdfo.exe	92
PID 1068 wrote to memory of 4308	1068	Obidcdfo.exe	92
PID 1068 wrote to memory of 4308	1068	Obidcdfo.exe	92
PID 4308 wrote to memory of 3092	4308	Okailj32.exe	93
PID 4308 wrote to memory of 3092	4308	Okailj32.exe	93
PID 4308 wrote to memory of 3092	4308	Okailj32.exe	93
PID 3092 wrote to memory of 4032	3092	Odjmdocp.exe	94
PID 3092 wrote to memory of 4032	3092	Odjmdocp.exe	94
PID 3092 wrote to memory of 4032	3092	Odjmdocp.exe	94
PID 4032 wrote to memory of 2440	4032	Oooaah32.exe	95
PID 4032 wrote to memory of 2440	4032	Oooaah32.exe	95
PID 4032 wrote to memory of 2440	4032	Oooaah32.exe	95
PID 2440 wrote to memory of 5028	2440	Okfbgiij.exe	96
PID 2440 wrote to memory of 5028	2440	Okfbgiij.exe	96
PID 2440 wrote to memory of 5028	2440	Okfbgiij.exe	96
PID 5028 wrote to memory of 548	5028	Ocmjhfjl.exe	97
PID 5028 wrote to memory of 548	5028	Ocmjhfjl.exe	97
PID 5028 wrote to memory of 548	5028	Ocmjhfjl.exe	97
PID 548 wrote to memory of 1684	548	Pmeoqlpl.exe	98
PID 548 wrote to memory of 1684	548	Pmeoqlpl.exe	98
PID 548 wrote to memory of 1684	548	Pmeoqlpl.exe	98
PID 1684 wrote to memory of 3792	1684	Podkmgop.exe	100
PID 1684 wrote to memory of 3792	1684	Podkmgop.exe	100
PID 1684 wrote to memory of 3792	1684	Podkmgop.exe	100
PID 3792 wrote to memory of 4668	3792	Pbbgicnd.exe	101
PID 3792 wrote to memory of 4668	3792	Pbbgicnd.exe	101
PID 3792 wrote to memory of 4668	3792	Pbbgicnd.exe	101
PID 4668 wrote to memory of 2340	4668	Pdqcenmg.exe	102
PID 4668 wrote to memory of 2340	4668	Pdqcenmg.exe	102
PID 4668 wrote to memory of 2340	4668	Pdqcenmg.exe	102
PID 2340 wrote to memory of 3604	2340	Pcbdcf32.exe	103
PID 2340 wrote to memory of 3604	2340	Pcbdcf32.exe	103
PID 2340 wrote to memory of 3604	2340	Pcbdcf32.exe	103
PID 3604 wrote to memory of 5076	3604	Pbddobla.exe	104
PID 3604 wrote to memory of 5076	3604	Pbddobla.exe	104
PID 3604 wrote to memory of 5076	3604	Pbddobla.exe	104
PID 5076 wrote to memory of 1540	5076	Pfppoa32.exe	105
PID 5076 wrote to memory of 1540	5076	Pfppoa32.exe	105
PID 5076 wrote to memory of 1540	5076	Pfppoa32.exe	105
PID 1540 wrote to memory of 5116	1540	Piolkm32.exe	106
PID 1540 wrote to memory of 5116	1540	Piolkm32.exe	106
PID 1540 wrote to memory of 5116	1540	Piolkm32.exe	106
PID 5116 wrote to memory of 1008	5116	Pkmhgh32.exe	107
PID 5116 wrote to memory of 1008	5116	Pkmhgh32.exe	107
PID 5116 wrote to memory of 1008	5116	Pkmhgh32.exe	107
PID 1008 wrote to memory of 4244	1008	Poidhg32.exe	108
PID 1008 wrote to memory of 4244	1008	Poidhg32.exe	108
PID 1008 wrote to memory of 4244	1008	Poidhg32.exe	108
PID 4244 wrote to memory of 1312	4244	Pbgqdb32.exe	109
PID 4244 wrote to memory of 1312	4244	Pbgqdb32.exe	109
PID 4244 wrote to memory of 1312	4244	Pbgqdb32.exe	109
PID 1312 wrote to memory of 2756	1312	Peempn32.exe	110
PID 1312 wrote to memory of 2756	1312	Peempn32.exe	110
PID 1312 wrote to memory of 2756	1312	Peempn32.exe	110
PID 2756 wrote to memory of 1340	2756	Piaiqlak.exe	111
PID 2756 wrote to memory of 1340	2756	Piaiqlak.exe	111
PID 2756 wrote to memory of 1340	2756	Piaiqlak.exe	111
PID 1340 wrote to memory of 4236	1340	Pkoemhao.exe	112
PID 1340 wrote to memory of 4236	1340	Pkoemhao.exe	112
PID 1340 wrote to memory of 4236	1340	Pkoemhao.exe	112
PID 4236 wrote to memory of 4548	4236	Pokanf32.exe	113

C:\Users\Admin\AppData\Local\Temp\a1581dc93ad73ee1709c14fb8a891ca0N.exe
"C:\Users\Admin\AppData\Local\Temp\a1581dc93ad73ee1709c14fb8a891ca0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Obidcdfo.exe
  C:\Windows\system32\Obidcdfo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\Okailj32.exe
    C:\Windows\system32\Okailj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\SysWOW64\Odjmdocp.exe
      C:\Windows\system32\Odjmdocp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2708,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:8
1⤵
PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Obidcdfo.exe

Filesize
307KB

MD5
9b7ac1af80791e19b33d0c27a1abe4a3

SHA1
aebaffb035aa7cc5e95d28e3a0ec7ae9df16604e

SHA256
308576e875cbf8d19bd7b5611e9c19016b5baa1b6528152c54d89eb8391e5417

SHA512
e798c22a780d0ca48f1c3b8aa70d3a3ed6c12d2aea6c991fe473beeb863b168a4b210f413e3640aa5f419467e80ae589cd1cea5f5aecf9d2a72fb5da79ac7c93

Download Submit
C:\Windows\SysWOW64\Ocmjhfjl.exe

Filesize
307KB

MD5
5b1314669507918b5f77036016b52a8c

SHA1
28e86d3391953ba2924f963ab29039072a90763b

SHA256
8ff184987c1bc7e4f0991fdcb5af3fe064a8c7bc2873110108c98c075bfd3a5f

SHA512
93d91c53c622c110a180c0447220dd98b81ec9bf3dca5783a3a6b1d245297b1acf02905fd529a38631e28a2e9b39dbe6f80efebcf1b3ada901ed733fca5a1d4f

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
307KB

MD5
4fa0b7c4144730b945b0e341c6df4e3b

SHA1
99f85ddc8f67d1c20c6bbe0ada8873a1e19d4c47

SHA256
746b4f419728edcd83a85f3bfb725ea0c45932d9f824c04684b9c8f40c021554

SHA512
f6a5d181e1397ebf75b28f835c0f6e4e15f8d5ed9882ba0f12a208796f99c6d4bb2af7c127a139c8ba17c77b1a25c5d0839fe52546c406c2e516f56809f89100

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
307KB

MD5
72b7579bf4f030c36d37a0847c72b4b4

SHA1
b56bbd23519fde289feeeb9a78499de8e83fe234

SHA256
e25f80f83ee5bcfc41fcbdb7a5eb63054e1ed254cd2809613df93d01501ff7ef

SHA512
07b8577dfa8b8e1a967c1204246278ad5e27ad9e23a319100ce5c678f44480c2c83a9a8c80e486b8856a68d7fbdcd1b4af866924197530246adeb229ba52da72

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
307KB

MD5
48abf44b03b0bbbfc0bbd145b3a83626

SHA1
3e8b1849e6a6151f0dc1acc8669c3f49bde42198

SHA256
f1eb1d1962538f39807abb10a5a0d60b66c2a88dfcdef3ac654d6893fa6e0512

SHA512
221510485389a98338aafaf39a9b114490e81be34c467a5dae611f142550e54374f85ff8032a83861974923e21077ef32b2b596ad4e286097f79be630a0bb62b

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
307KB

MD5
33c8b9888e9859880e269569088fb90c

SHA1
840c760642f21ea24332f97c3c53e2af3756a4c7

SHA256
1aacf8de5923890a1f8d81263e11e2e6ea1084f96fb958de880ed432c5bfddfc

SHA512
b7f6f0425980964cc77c6c1f52332169ddbe95bf3ef02ea1a4d8f50f6bb57cc0e2a26b3a0d3e5bca2ba7caa521e777b619cca654155e56c656ad16bd6bcdfe52

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
307KB

MD5
9ed93755388ce4d715a0c380d1b1b8e6

SHA1
9fc04994fd685569aa05eb61eb6487ab66f9781a

SHA256
58377701d27724bb6dc6aa979eb203baae4a06853ee94fa9ecf9acabed7f308e

SHA512
5f5a7320ced043903266a864a16fd375c7c3c8a6ffbed0b16878d954c5213dff3a033c98cbd596b0651d68349097320dcba5ab81b48cd361ccf67ecdcedc2204

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
307KB

MD5
55186095d39e0a5604c018dd95b0b8a9

SHA1
dde44e11f27bd507864c334e4d30fefc48d02f20

SHA256
8b3c89302a72c9c133acb295169d8d1db2903f2b9f8e515c64e486ce44b561c3

SHA512
ac4ef6077f24f94d359034f05a7fb33b9303635925be96d04716d347f0895ac0281ddebd862fae12aaeb10ba38a25b774d209e11155fbde45bc66d78c4b7c00c

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
307KB

MD5
767b94110bc612120b1408da280b3860

SHA1
4c1090bf62b8072cd44a5b6768ab5055194b35df

SHA256
1ab9d44e403137844983be9096af0bce8510f7ce93a88fab6a9cfbd29cb7898a

SHA512
f4b0f9e0cff98d768689272607b89c35b20003ca8c1f209345fd4d93a7e00242856252bda06e587859dac681a09740c44f73257f33ae373bbcab4395ee84872d

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
307KB

MD5
77412c5f142c6ab77ab0cd7779a0e65d

SHA1
df36db2e0b2f1d4ebe24d23d68e5af594b3403b7

SHA256
cb27efa5cd99632701c7b4ad48f2a720418394d5080d9d0b83aee7fc189703a1

SHA512
6a1657ff10977f938334762b03fc9f0d7b1dcdc6ba0d60d077b9af3295a7a29b1805a872707c1eaea26f5e77ea3c370aa04947d1f75d5c4cbe8305920e3b6312

Download Submit
C:\Windows\SysWOW64\Pbljoafi.exe

Filesize
307KB

MD5
07c0602e60232e605730ae9baf6d6107

SHA1
6a12d97bdbf335d9de57fb6b616db56b7a05a6b5

SHA256
886f1231f00e0f025d075ffb236b86b43f250fb82b2a602db0e329b2e406ea66

SHA512
41613a998859716398dd17084895749a1663e46cbc672d4471cd92253c1343450619926036cf8f79990f2eaa12f1fae8c0fba9be70de6c4f09ca5a3ed0a2afbe

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
307KB

MD5
8fbcccdcda22daa414cd3a332e305c9f

SHA1
578f9e82e7a629d88332efcfe6cd49fda7f22109

SHA256
9b15f0578cbe999aba15091209bf5f078ec993792d32be2b1e2924d83acf99e7

SHA512
5c63e60efa47d6a7ef06ace3551f8d30b1aa4ef3cade2f3d3070e8f0675b013de1b055064fd23fdce7e82be32d293092bb2a88b419293711e156d68b6026e218

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
307KB

MD5
0d8c1f453c5a115edfbdec87758ab196

SHA1
e18a59d3c3a1d7e1c4115d76c09f67634dbc5a9a

SHA256
eedc3566a381327e2e63d69dbc101687c1ce8671aceb9da3e37b5635acdcb7ac

SHA512
af0cbc070baf29290721291cbde8d0f3310604ac03969f4614075c185623f03baf3614999c11c3ba2acb697f59efe2c0b8fefe2099d6dcc2152b443d7e7ee1d0

Download Submit
C:\Windows\SysWOW64\Pcijce32.exe

Filesize
307KB

MD5
77fd953ef7e9130f0ace50ca5ab87be3

SHA1
fcd6c0c593b8d208096d3b56e9111334cccf7ecf

SHA256
a9ea8d3cb40c5130edda35136257660fe1e90c3d49992e5293b8d63daaaf69ef

SHA512
1be2edaa3bdac5d0d54c33bbc1a126a942a4b6d8929b4f5247c54735213129b48d285ac376d1216b9bb0dd4c3edfcb19ace3ea3bda77f67828a3d380c639f6b7

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
307KB

MD5
6c494fe0da803afeab76b7e4af27fc96

SHA1
8994742b541fc8a7875a20ab73b31e0691721bcf

SHA256
37bbf635fd824bcfba7920955009d99ca0e12a0d6d93b694b676516ec29022e5

SHA512
3b1d1a325a08104edbf22a2a34b7bc57c4b65d39aab3bdf5503a51abb5cded8a0b89da96a1fd5ec6539172cc8ddb3b80636ab4b55f5dc65b7507f6f363655ac1

Download Submit
C:\Windows\SysWOW64\Peempn32.exe

Filesize
307KB

MD5
5153195b337e94c0e59b0f02afd66c37

SHA1
4f1fc6151afb2406149f98ec6a24d1302b637dbc

SHA256
bc05cf1fdbcca6b7c366dfe3cc3e5075221ab04d2066b418da2699fce3b2d3b4

SHA512
c9852ce426b61752d14cadb94a8e633d1378c838035db63b4aa2ef99816449410b9049d06c85656a68e58becc20959300f4be4e4cb0b042bf1ef6ad0155dabbb

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
307KB

MD5
370bbb0eca2f82613a1d6c0a4d529803

SHA1
866dfd7b5998fc4c765ccb26178033e3c43f23da

SHA256
78300a5fe9c8186df0efe8e40b007b020de2923c3a7b714641e1adc64b0c3aa4

SHA512
89e9f78da5cf424469187814375d97840ee154eb165ba4b0a189aba38850a120755afbd0127af68fa626f1290ecee258f43baa747f717ac009cefe4b6ebc46f8

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
307KB

MD5
5c74cbdd6a06cf30ef3b55d46baf8e92

SHA1
1159e072015135895e8bfd97cd5522f8385c6c2d

SHA256
4289945b741ea21303d64df88cb9127f7bcc767467f4dca80b3e66444bbec0fa

SHA512
5e6c50c7ee6cfa67a5c04f1e0abe43d5afa7f4998bb39dd20d589cc08c08bf505c62887f2a8e0915dc7178f4b5f925ce593067e980463cce9f1df4f1b05bb7c5

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
307KB

MD5
de769df3d5203beea45ea437fc63c6af

SHA1
71e43e46652a984c4159dd109ee975f8fe4aa14a

SHA256
a0e6809acd068624403d8933fe528cbc47808b7e2db50b1f54e5505dc9a3dd3a

SHA512
31d4054917132f7342395f4c2cb52ff6bb16099e85d95968a71b7e8ec8106d48c999f37197c4c4e5e4faada604926ce6c732ac370cff3737b87b5a2c5203acfd

Download Submit
C:\Windows\SysWOW64\Piceflpi.exe

Filesize
307KB

MD5
be3037030ab6ec0b97d081f599b629e0

SHA1
b12e7c0ce352d4f7c5e58faf6b58be06201bd49e

SHA256
4f89905854c7fe6c00ecba5d1d9e6c86d56d906032ceaa552a78f7d0ae64d7c7

SHA512
8d475eaff9afdc4e72190581031e768c3235d5db9b1d766ae5360063f66205ddde0d1b641b1f8745c7d260356d5c41fd7be62cbaae99d278801de5aa88fb79d0

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
307KB

MD5
5d61b0a62cb7a4d62f1666e24f52e402

SHA1
06760c069658b8088b77d1086bbb1fb96ba7e73e

SHA256
a1a71e2dc0587c4dc039c34033ed7cdd7915a075e175f2956e24a6ae78e72bf4

SHA512
1ac3d71dc4ca42c701eddc6434328232b9ce42e024ef193400e277fb0b7895b3d467205f13b2bf9d4dd20b2ca9f48cb194fcc99bfa87f10c9b3fb46ee2e061e3

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
307KB

MD5
a97ff5ad1c91f07425a35e79bd2aad3c

SHA1
5404f18aae202da773ef9eb646377a015ca30342

SHA256
d8ed614882e7b1298597276a0494298001f7fd28b3eab789aa166c51359a03ab

SHA512
aaa3dd1d7a3876e518af1e212ef0dec963de21117b5149264645b9ea201161426d39c879d8862fe6ef6c7a985043bdef0b3550686c9a48168f0acfd8e22086cd

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
307KB

MD5
538a01efefa0509765afffe283a7ebc4

SHA1
17c4960f7d7ae06a3b44c33f76dfb1fee4c3ceb3

SHA256
31ebb2c52bea46189f88fb3eb3785b98bd4b09de17ffd1d12b5faede906e91f3

SHA512
e50483fe2f8bbb4217cdb1d3a8604136ec46729244d3cb59c1686d16a63e205dfcc7b92d59b5089ec3884f26567130d3c7452cd96d8468b32213994bd4b7e402

Download Submit
C:\Windows\SysWOW64\Pkoemhao.exe

Filesize
307KB

MD5
f1b8d61a4db957f54312b82cc977f07c

SHA1
65d618e3c0a1e5f1d1acdea347ad4a815050872c

SHA256
0d2acfddc1440edfc9845813857147566a37507709db921f2d8a3a6300f8e2d9

SHA512
d5d2ebd6559f947bc1a62356f2f84edf00f026dec89ce04af52535d384171ad902a965aa0179918e0056f29bdf4bf03f83603ffd6da11527b176f3180cac0fcb

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
307KB

MD5
53e670d816a9898d4fecbbe13d6f0802

SHA1
272e1dd39a68a33903db81ca8d2f85611566b2c5

SHA256
b5a0aa83d5e4b9b9cab9a490657875251dfe95db4cbbe2f3ed5dbb76c749e63d

SHA512
5690e141fb68302acd309d46f65f041080d8562b0ff074087139f73f73243661effdca4ff5882fc844728df2c147be53fdf3fae21553ab53068064a844dafcdb

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
307KB

MD5
69289571f864246dea757e7061c21b4b

SHA1
8a85e9b0379a6d45f65a76030c5a5b13910737eb

SHA256
a31b005f737d91788bde5879a8a604160624e7771a37c80396cec08eec46da71

SHA512
9cd304ee60dbf48ad1434861af981e0e8b8d4ae1500769287e5335052e8b95e9e8fdd1bb38b654a13027ed3e2bee00731164771fc1062c7b342df36f170b5925

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe

Filesize
307KB

MD5
7051795ca0cbcc459e93f9587057dea8

SHA1
1ac4d7b15aa2f82116ff5a1cb7a5ad6b195eb8d2

SHA256
b6a7de3667116e250b7056bdcbe13aaf4cf5ea4dfaa09c3d1914b029d93ad525

SHA512
052ba35dbd9f59a2272d686583ad7092fd64372f88a38c0453b0b89c993377af177ce388be591871b3a618329d3e2211c873a7d2e69d62c1a1934fc319e318be

Download Submit
C:\Windows\SysWOW64\Poidhg32.exe

Filesize
307KB

MD5
3b45ddd668c0e4886784a8809cb34545

SHA1
b9f9a763662ff26ec15b6a19ee15a435057751ca

SHA256
7a36ae990ba04a012c338e3256cdae2a26402eef2263c2d5a992d2c2aec384b5

SHA512
753af3854db73147b3f51f09030c2541f57039432d59c544c7b283ac6e7f147ee1be2c3b70235bea57140e1a02c029b1e13d82397364eebfbc56f1f7b3d29cea

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
307KB

MD5
a9e63c3c2b87671f4a4fd67ee741a8e6

SHA1
1edaeeeeac1f32eae984e5d4c0dadceba1b5f9c6

SHA256
9a98212815d15e3a4c9a911512dc6f2b1d1fd4966c2e69ba11a7b2895a7491ca

SHA512
40ab93729aa2fab26999ee20b00678a976aab51fb2395683b4407f950c1ace1c1ba93375d3c576ea05a609816057e97e8760b3c1e4e96837170bce4e13ea9635

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
307KB

MD5
6656e2e8fbcfc701cf4565e2cb222cfc

SHA1
3822e52f3c8b47fcaa5347b95617351cb95e2618

SHA256
fc239aa2ef0ee7039727cf0788fcf2bdafd7d17ed04a05ac660790bae43f88a2

SHA512
101c90c430a4e1e9a0d9894efbaa7147d5607b8e858026df39219121134499e1afa164fcad6d77eb4952f0739c4e21365c0e2a49d4240737a0b8c63303b33220

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
307KB

MD5
f2f740597535ba439ab5759c60387b85

SHA1
dafa5bbd394e91470e9c9884170280cc75b50b4c

SHA256
c730e008ccc66c45102ae8696fcd7bdd18deb8fdc5e22e50570f83bbfd79378a

SHA512
13080a8813fe04e2bf7359717e87c96d9cb13665d706ebc63638644273d776864f7b1be1be2a8b62bcbc151e59ee1f6c2d573946158bff15374c6cda2428f704

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
307KB

MD5
d379e0e73b2aeb61470c622b8ce2d454

SHA1
920fa50d6967575520b31cd19ddc822c9c579916

SHA256
5dd79860338437d36f43bc7779cc1ad24b235eda165adb8495f18497741b5639

SHA512
58772df3155f8d0ea3a75c5b5de10b0804b50eb4953d1ffa1b7c4d85edac759cc226df050fa7fdd56bcd86ced8fc84be37ba91d215a603f5a48bb137de77178f

Download Submit
memory/232-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/596-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2028-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5184-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5256-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5304-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5384-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5416-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5496-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads