6f3facc60c9062047f3a7c4f39fa45f4e4b4e178d4beb68d8d46c67948d1f92b

Analysis

max time kernel
115s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8331a899c04717aeab645ab735877490N.exe
Size

73KB
MD5

8331a899c04717aeab645ab735877490
SHA1

f23e402efb4064d22ec2db49854b7646b590a758
SHA256

6f3facc60c9062047f3a7c4f39fa45f4e4b4e178d4beb68d8d46c67948d1f92b
SHA512

e112c64e72f506ba41c5ec3abd04250fba3cc78698827881d585a1c59c5dbeaa627bd5c54078f167f1d6dc4495b68a7b791e29a8cc8c83f91a05d1da5ebf6b04
SSDEEP

768:qj0uM0t5qcY/9v0yHa+YlsKO/9Rz7Sd3LvUSEcZ2xhWb/1H5rnB8W44jzo1MkEJo:6S0GcMTR/r7m3LsSEcfpj5YMkhohBM

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkholi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe

Executes dropped EXE 23 IoCs

pid	Process
1472	Okceaikl.exe
3216	Ocknbglo.exe
4464	Omcbkl32.exe
4396	Oflfdbip.exe
2960	Pkholi32.exe
3372	Pfncia32.exe
3116	Pofhbgmn.exe
1944	Pbddobla.exe
1832	Pmjhlklg.exe
1684	Pbgqdb32.exe
3792	Pmmeak32.exe
2656	Pehjfm32.exe
2660	Pkabbgol.exe
1784	Pcijce32.exe
4004	Qfgfpp32.exe
3852	Qkdohg32.exe
4128	Qppkhfec.exe
8	Qmckbjdl.exe
3864	Abpcja32.exe
1936	Aijlgkjq.exe
2040	Acppddig.exe
2452	Afnlpohj.exe
4416	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Bgcboj32.dll	Pbgqdb32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	8331a899c04717aeab645ab735877490N.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Pfncia32.exe	Pkholi32.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Dbooabbb.dll	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Cogcho32.dll	Pbddobla.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Pbgqdb32.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcja32.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Honmnc32.dll	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Mpaflkim.dll	Pfncia32.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pcijce32.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Abpcja32.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Aofbkbfe.dll	Pkholi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Haafdi32.dll	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Abpcja32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Pkholi32.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Pkholi32.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pofhbgmn.exe
File opened for modification	C:\Windows\SysWOW64\Acppddig.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pcijce32.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Abpcja32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Hfqgoo32.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Okceaikl.exe	8331a899c04717aeab645ab735877490N.exe
File created	C:\Windows\SysWOW64\Omcbkl32.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Pofhbgmn.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Nnmmnbnl.dll	Okceaikl.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Cimhefgb.dll	Qkdohg32.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Abpcja32.exe
File created	C:\Windows\SysWOW64\Pfncia32.exe	Pkholi32.exe
File created	C:\Windows\SysWOW64\Pbgqdb32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Paajfjdm.dll	8331a899c04717aeab645ab735877490N.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Acppddig.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Pbgqdb32.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Ocknbglo.exe	Okceaikl.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pmjhlklg.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pcijce32.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkholi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8331a899c04717aeab645ab735877490N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbikenl.dll"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofbkbfe.dll"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmmnbnl.dll"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8331a899c04717aeab645ab735877490N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaflkim.dll"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8331a899c04717aeab645ab735877490N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1472	1932	8331a899c04717aeab645ab735877490N.exe	90
PID 1932 wrote to memory of 1472	1932	8331a899c04717aeab645ab735877490N.exe	90
PID 1932 wrote to memory of 1472	1932	8331a899c04717aeab645ab735877490N.exe	90
PID 1472 wrote to memory of 3216	1472	Okceaikl.exe	91
PID 1472 wrote to memory of 3216	1472	Okceaikl.exe	91
PID 1472 wrote to memory of 3216	1472	Okceaikl.exe	91
PID 3216 wrote to memory of 4464	3216	Ocknbglo.exe	92
PID 3216 wrote to memory of 4464	3216	Ocknbglo.exe	92
PID 3216 wrote to memory of 4464	3216	Ocknbglo.exe	92
PID 4464 wrote to memory of 4396	4464	Omcbkl32.exe	93
PID 4464 wrote to memory of 4396	4464	Omcbkl32.exe	93
PID 4464 wrote to memory of 4396	4464	Omcbkl32.exe	93
PID 4396 wrote to memory of 2960	4396	Oflfdbip.exe	94
PID 4396 wrote to memory of 2960	4396	Oflfdbip.exe	94
PID 4396 wrote to memory of 2960	4396	Oflfdbip.exe	94
PID 2960 wrote to memory of 3372	2960	Pkholi32.exe	95
PID 2960 wrote to memory of 3372	2960	Pkholi32.exe	95
PID 2960 wrote to memory of 3372	2960	Pkholi32.exe	95
PID 3372 wrote to memory of 3116	3372	Pfncia32.exe	96
PID 3372 wrote to memory of 3116	3372	Pfncia32.exe	96
PID 3372 wrote to memory of 3116	3372	Pfncia32.exe	96
PID 3116 wrote to memory of 1944	3116	Pofhbgmn.exe	97
PID 3116 wrote to memory of 1944	3116	Pofhbgmn.exe	97
PID 3116 wrote to memory of 1944	3116	Pofhbgmn.exe	97
PID 1944 wrote to memory of 1832	1944	Pbddobla.exe	99
PID 1944 wrote to memory of 1832	1944	Pbddobla.exe	99
PID 1944 wrote to memory of 1832	1944	Pbddobla.exe	99
PID 1832 wrote to memory of 1684	1832	Pmjhlklg.exe	100
PID 1832 wrote to memory of 1684	1832	Pmjhlklg.exe	100
PID 1832 wrote to memory of 1684	1832	Pmjhlklg.exe	100
PID 1684 wrote to memory of 3792	1684	Pbgqdb32.exe	101
PID 1684 wrote to memory of 3792	1684	Pbgqdb32.exe	101
PID 1684 wrote to memory of 3792	1684	Pbgqdb32.exe	101
PID 3792 wrote to memory of 2656	3792	Pmmeak32.exe	103
PID 3792 wrote to memory of 2656	3792	Pmmeak32.exe	103
PID 3792 wrote to memory of 2656	3792	Pmmeak32.exe	103
PID 2656 wrote to memory of 2660	2656	Pehjfm32.exe	104
PID 2656 wrote to memory of 2660	2656	Pehjfm32.exe	104
PID 2656 wrote to memory of 2660	2656	Pehjfm32.exe	104
PID 2660 wrote to memory of 1784	2660	Pkabbgol.exe	105
PID 2660 wrote to memory of 1784	2660	Pkabbgol.exe	105
PID 2660 wrote to memory of 1784	2660	Pkabbgol.exe	105
PID 1784 wrote to memory of 4004	1784	Pcijce32.exe	106
PID 1784 wrote to memory of 4004	1784	Pcijce32.exe	106
PID 1784 wrote to memory of 4004	1784	Pcijce32.exe	106
PID 4004 wrote to memory of 3852	4004	Qfgfpp32.exe	107
PID 4004 wrote to memory of 3852	4004	Qfgfpp32.exe	107
PID 4004 wrote to memory of 3852	4004	Qfgfpp32.exe	107
PID 3852 wrote to memory of 4128	3852	Qkdohg32.exe	108
PID 3852 wrote to memory of 4128	3852	Qkdohg32.exe	108
PID 3852 wrote to memory of 4128	3852	Qkdohg32.exe	108
PID 4128 wrote to memory of 8	4128	Qppkhfec.exe	109
PID 4128 wrote to memory of 8	4128	Qppkhfec.exe	109
PID 4128 wrote to memory of 8	4128	Qppkhfec.exe	109
PID 8 wrote to memory of 3864	8	Qmckbjdl.exe	110
PID 8 wrote to memory of 3864	8	Qmckbjdl.exe	110
PID 8 wrote to memory of 3864	8	Qmckbjdl.exe	110
PID 3864 wrote to memory of 1936	3864	Abpcja32.exe	111
PID 3864 wrote to memory of 1936	3864	Abpcja32.exe	111
PID 3864 wrote to memory of 1936	3864	Abpcja32.exe	111
PID 1936 wrote to memory of 2040	1936	Aijlgkjq.exe	113
PID 1936 wrote to memory of 2040	1936	Aijlgkjq.exe	113
PID 1936 wrote to memory of 2040	1936	Aijlgkjq.exe	113
PID 2040 wrote to memory of 2452	2040	Acppddig.exe	114

C:\Users\Admin\AppData\Local\Temp\8331a899c04717aeab645ab735877490N.exe
"C:\Users\Admin\AppData\Local\Temp\8331a899c04717aeab645ab735877490N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\Okceaikl.exe
  C:\Windows\system32\Okceaikl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\Ocknbglo.exe
    C:\Windows\system32\Ocknbglo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\Omcbkl32.exe
      C:\Windows\system32\Omcbkl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcja32.exe

Filesize
73KB

MD5
7d384906dbce03756d8725f1f6c755e6

SHA1
807de1cca757941bf602167a0696b17387cafa73

SHA256
1243f32d2c8d87ddd70ae0557459d077a83e80cd30d09bf65c73129ca5c56cee

SHA512
504cfd66d3f78b74d3b7aed04e2b53227756384d64482e4b2c14a10f3268102a9bf1bc9783fb06313a365bde2fdf44f709baf0abaf9c0fae19618e84b866c715

Download Submit
C:\Windows\SysWOW64\Acppddig.exe

Filesize
73KB

MD5
287a2b69bf25fa4e0aac7812e478e017

SHA1
151b65d7c3879810c9a3a5da8730b7a52f975087

SHA256
88e1880aa1a8a6eb310fd61e03e3dd3f5cd3c9bdf6641107a76202310de7efe2

SHA512
37c03ea26f35462056b7251624e1e6cf184725e3f8af6c09b5c63f05790e8d5751943119488b7364ce744bb7c2da53652ee04751bbcc94e0c6b8c54ee2f1e175

Download Submit
C:\Windows\SysWOW64\Afnlpohj.exe

Filesize
73KB

MD5
70d7f642ce9575e96744e2f7dd2ec5b6

SHA1
948178d0f6e1a108b02b16407847085696206665

SHA256
60c910dfcbfe848542868413a5c7920c177c51f734ad47477730a65913e1556d

SHA512
090e3b22702f6f58bd266e046232d69650c73d94aa6be70bb3cf0f400f8843394a8ddb94a1953a79de536fda4b2989f3093a0097c6eaf503472b08466b042e7b

Download Submit
C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
73KB

MD5
de0cad67df4042de956d26afafc15a02

SHA1
a593c7b491d7bbf35dfc3ef51f473a3da87dbc28

SHA256
1ef73523855ce0c27091d099b431a5cd596ea5effbd138d391b36b0938af77fa

SHA512
4356f54502eb10dc1b0d9a8a030faba39fe0640f3fd9dbc5684d8702d21d022532fa7df8e6c716509b6e756e9c9cd1dc5ce5b74a0d45b3a7890716af7450d1e5

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
73KB

MD5
9bc32f576d3fe84d7b415cdc03b4ca00

SHA1
573a51dba612929da72e93c3b3c1e1cb5685f716

SHA256
a056b6df69570c0354ff67103b74271c96656493a024b4b29c912e512aa6e3d7

SHA512
82bcf5d69ebc347ae1a735a9571bb57a53fa2e68139e6e26fcf4670614247309bbfbc2bff75848f406ce8a24be5a8423fe850a8425249cdf8d9b8c42ceb15c53

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
73KB

MD5
be323a79ac970fe84e5bf92ec37d8a58

SHA1
9f2ec5f51df424cfbab9eed1527e24674db337e3

SHA256
842721f61f83c7b4011de7dd92b2cf4ae0806186c3a8cbb83e7e4391c2593ec7

SHA512
5aebb7f6704e2876f09435040b89586bd79932ffea3a116f0f287200b5eeaabe51692e24ec3651334c568b07f475b0553a3335e5af57f13b2cceeff630797c0a

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
73KB

MD5
3c2b8ef329e0f3e46bb9648ccd9fd745

SHA1
64b7b34a53384188189927861fe8c60fac778326

SHA256
5246b0ce3fde65916f2ca725fb7cc9c9d72ea2b1e36c11037450c2411467e462

SHA512
497a29fcfbadf004a59d2d5754886a2430dcf68ec29a55a673b133360d4e45d3289fb93320eab0b74901c875561923e205ab0a668d8514ac3989c1a4caa3b29e

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
73KB

MD5
592a8be8542dc3a638e11a4af2b2c9e4

SHA1
8372d2f5630414ceb582a7df804ae46aa52f46ce

SHA256
01aab649e27dbf99651ea10527b7a388d503c133bb8b76351fb9ebb6fa97bd1f

SHA512
fa74649909d8eb1b7e29069cd56d341fa2d93a1631437bdca16d9251bf75b71e135d8bd20df865764393c51a48bb37d2ae9ab93135d8f0ae48975537a85bc5f4

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
73KB

MD5
8e4f9126c81831d293e153196990f07c

SHA1
21b2a85bffaf03cca426e9f000fa49b972a89fd7

SHA256
bf94e1d889dc427f0ff1a96bced156c6f47562b64a8e1815659cedde32c91b28

SHA512
efd4310692df31667d5d7a8264b9e6d1a18a32dde9ad86d79087c1abc510c04f2f6ac63bd3e140f8dd8d8ea9c2c524336b7e0db546b776068c4d3a0d5a26e500

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
73KB

MD5
06c67a87307e49fe7f40f0c0a4d4a771

SHA1
d348909d522f25c991bb7c9f5cf719bb745f46f5

SHA256
1f33909d9f34b6bb93a417edf8134db6145da37f4439fdc107abbce49b08f544

SHA512
6d1e74efbcc7dbe516cf1b0b3c9b0645d7b4f81cc66a685fc0ec2ba4bef07f6c8162b6e93234d2343d22a22bc3f71ddaec0680a8af9f9a0465b63dab0263c6ea

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
73KB

MD5
b4d4aa5397db09a3562453cf44a58d25

SHA1
3c96cefdbc7c92b1cbe5f643af247e3af678602d

SHA256
40b2d324797a6ad7d515608d82bd05b0a08ca0e3b8222a6357103af94471539b

SHA512
f2682d3cb89647ed1ea91c04ef65524fbb9adf61445e2f8e90afb76ae36113c0ea5c2f64935447d83a14dc5fb17b81aaaf67ec64c16325f8b104f56edbd1fe83

Download Submit
C:\Windows\SysWOW64\Pcijce32.exe

Filesize
73KB

MD5
a0339d91b7aecb5daa2171e50b0c70d8

SHA1
ab1c7b1cdf381d50fce9dda83be82975708f45dc

SHA256
2006e077ca2d937391fd0d3ce8e2701241248d1800908e0eac3182831abcafeb

SHA512
a93d3e5d0914554e674cce29a5fc6a3f412e93fd6707b9709a1cceb38c42e9243228942a9a6268654b7a6414afdf960306614d6d53c09d1a25bfbef836a32168

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
73KB

MD5
f2cb547faf82bce58eecca43f1ab78b5

SHA1
9b7d42774a261d9264150ab98dcf52e49464c5b1

SHA256
b35ae5ec2cfc49ea6315640f5f573c5dde95ed843f9721c8ca545c4a03d1f710

SHA512
70353023e7cdcb9a362923f47bad44536b781114a9a883792b3d37f79c9f818519bb5bf800eecdf3d997f039633f1844ae1f194c4714b0aea035dc71f6b36af8

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
73KB

MD5
f0f5ad83ee304d6eb2e160a905497b77

SHA1
63e6b6b314dd59d96c52daf45e68da9215b15c76

SHA256
3ccdcd0143d2db3af810c3daff2d7139856af197dbc3dee45a68b44989579366

SHA512
abc6e312af0dd06e82bae084bf9bed5cbb61e83d4fe41c0b490b834620e04272a2ddbbb656f68572007b1d2fef723d7d76ab7a51eff8ca5d98e4559f2f35b184

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
73KB

MD5
9655fa730c4349f00e8e467ab702f453

SHA1
99386915bbf6aaa5aca38f35e89d065c4ba87f13

SHA256
0ec1b929194aeb4bd238494574568536f39cd2622726cd472a459599a608910d

SHA512
673c7dd856f3f268ffa0e63a11b83d3f935baef3c1cc0b87b0786c236d57e12003455adfaf5462b7ad37f711040dc59347f711f410c86f31d88a650471cafd0c

Download Submit
C:\Windows\SysWOW64\Pkholi32.exe

Filesize
73KB

MD5
471895a5521b6de596dbe4e275399f45

SHA1
a8c1629b374c2c6e24b5469551933654420ceacf

SHA256
ae55e113bce0b4fa8cc1ce12338d4f76b3ba39db8fad08f23796433a59bbfe84

SHA512
1ed197ad5f7b649d1a2cc9518d7729f661fa285fc81c24cc0a9b360255242ea5e0a35e99fbbac699dc12f99ca8a6b564d77a837e9ee64800d43ddc80a884af60

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
73KB

MD5
286ee912e69873e2b5496957fd621798

SHA1
c8205759bd23a0a235a09aaa4e2f4732323a04c2

SHA256
dc83723318d2fb663fd3e1dd8f59a162efb341b533bc89e8c9a0cb1686f937c9

SHA512
8621f55e17b5b158e28d7e21e93231848fbff69c3589ef07bc75b5bd9860e3cceb645a0d275903e16cc6c061c8eb6bf3b0d4d0fcbba2eb91b096cd6277b476da

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
73KB

MD5
17caabb5cd75ae9c90218fe4d760a45f

SHA1
8df3d2b59a5fcb7ae980bcfad4fe150656f55e73

SHA256
3fe938e5fb4b4fb2120b0794115b2ff506b4ec26379c5ae4a7de6c3c663319ad

SHA512
bb78de4dc03e592cd73f3e77649d49c637d0a709ecb3b7246363b1857c05c329620646bcbc0352e67726d9bcc64c8516bd168f62ae694db4956206d7e2380bf5

Download Submit
C:\Windows\SysWOW64\Pofhbgmn.exe

Filesize
73KB

MD5
cd2470ffd6f7445f6e41c1dc0e54cfe3

SHA1
3d9605fc71be1413af4f8c1cfdb241ee7a1a2e30

SHA256
f3323ee18949a6c3cb605e19b19252fec2df4cb2ae231c921aab74784357dc62

SHA512
cc40e5808851fee04dcc01fe038224b2359610e7caeb516921259fe37e47dc5b1b7f4090854c77c8bacefd10dc098a8a6eeb6bbac03d01fdd35dd7d65b92631a

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
73KB

MD5
e7eef3d114f217d81e4848917464146b

SHA1
a9aaf0e72500f2dc7130e902ccf80351cfa6f4b4

SHA256
1804c5a4a5b6d9ef21d2e84ff5feda695e3c73bde533700f84a26706b5764bf5

SHA512
8b1538bd89c3b8b1f1e31592c06dcae9bf62663cf386f9424c94725bdec1be0f5441afed043014e89af33137e0b33a9030a6cfdcc4c3e66a302d1a0589aca001

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
73KB

MD5
731d610fdf4863cc3b7ebeb3425c1f15

SHA1
101211c5208d629ccd451bdb0e8630a7fb080a73

SHA256
e0a409cc5c22cacd264194f8f66bb9f5cc74a53f4d1d6a5a07721aa3da8999e1

SHA512
a71bd27b4e416e8fba924122e0c52258d2e2a3f8c5f30ba4a01cfd8678a45d32aa71a731fdd1c5981b1f17b3f9cc260775590b3b2b650d6c265a9198981e2fff

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
73KB

MD5
f62713798f4ab41ac5859413e92af8de

SHA1
7992d08e4af18d390b2046721f5fe93a682172c4

SHA256
91e7c63713e86b0335d6700b54899e8f7a8b6d253421ce6072250e0eb105311e

SHA512
276b957da0ad91386111d6f01948480f1c17a42958d92e46e5876a09a4970e18915090ffd4587043dc56ccff9500c38ca1a1de3d16538766f0bfe08a794a0cd2

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
73KB

MD5
8df4a1df3d702efef7763b7cafe89f3f

SHA1
28b5d456eae2fb4b2cb43450a9cbf41a4c7d3534

SHA256
5f23b6e022e09fa4d1481afb639a96fba138a0f9cfe3ba934cbee3d22edda084

SHA512
45f1bfc81560e2c5311107176c95b59f1d05a0a4596e5fc3c234aae3f5ff061e75bb50259a8cfafe0edc1e07fc2186a24cafe0c55120d3666afd75ce1ba005ce

Download Submit
memory/8-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/8-203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1832-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1832-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1932-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1932-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3792-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3792-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3852-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3852-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3864-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3864-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4004-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4004-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4128-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4128-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads