ef8e36bd7df742810a825e133703d5d0e1903bedaa57b7c081150a64dee709a6

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b01cd8cf536bd5ab02934f4440d7ca80N.exe
Size

128KB
MD5

b01cd8cf536bd5ab02934f4440d7ca80
SHA1

5725fcea832146819f76f7f15f63f8d47e7b1831
SHA256

ef8e36bd7df742810a825e133703d5d0e1903bedaa57b7c081150a64dee709a6
SHA512

d93f2d78574b7a63b3e79f6494b9eb852855c320a832786577df6d15b9c2acb1c0fb16ccfc47add609b054a91b9ff92c2588f657588b1d1271d3915e3b5c07eb
SSDEEP

3072:Ff7O6xMEjvD7e9TBvFnDd1AZoUBW3FJeRuaWNXmgu+tB:Ff7j3rDi9TBvFDdWZHEFJ7aWN1B

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b01cd8cf536bd5ab02934f4440d7ca80N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omaeem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b01cd8cf536bd5ab02934f4440d7ca80N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofbdncaj.exe

Executes dropped EXE 32 IoCs

pid	Process
1184	Namegfql.exe
3388	Nlcidopb.exe
2244	Ncmaai32.exe
4292	Ndnnianm.exe
2616	Nconfh32.exe
3056	Ndpjnq32.exe
4028	Nlgbon32.exe
4176	Nbdkhe32.exe
384	Okmpqjad.exe
4548	Ofbdncaj.exe
4864	Ookhfigk.exe
4728	Ofdqcc32.exe
4520	Ohcmpn32.exe
3236	Ofgmib32.exe
2656	Omaeem32.exe
3644	Okceaikl.exe
3620	Ocknbglo.exe
4504	Pmeoqlpl.exe
4156	Pbbgicnd.exe
4992	Pcbdcf32.exe
2364	Pfppoa32.exe
784	Piolkm32.exe
4988	Pmmeak32.exe
3976	Pfeijqqe.exe
3324	Pkabbgol.exe
1492	Qejfkmem.exe
4372	Qckfid32.exe
3328	Qmckbjdl.exe
3288	Qpbgnecp.exe
3876	Akihcfid.exe
1244	Abcppq32.exe
5032	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Abcppq32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Daphho32.dll	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Odemep32.dll	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Ndnnianm.exe
File opened for modification	C:\Windows\SysWOW64\Ohcmpn32.exe	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Kmjaeema.dll	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcidopb.exe	Namegfql.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Ocknbglo.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Odlpkg32.dll	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Ofbdncaj.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Bgcboj32.dll	Piolkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmaai32.exe	Nlcidopb.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Ndpjnq32.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Ohcmpn32.exe	Ofdqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Pfqdbl32.dll	b01cd8cf536bd5ab02934f4440d7ca80N.exe
File created	C:\Windows\SysWOW64\Flekgd32.dll	Nconfh32.exe
File created	C:\Windows\SysWOW64\Ookhfigk.exe	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Jcokoo32.dll	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Omaeem32.exe	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Okmpqjad.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Piolkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfeijqqe.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Abcppq32.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Nlgbon32.exe	Ndpjnq32.exe
File created	C:\Windows\SysWOW64\Bllolf32.dll	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Pbphca32.dll	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Ocknbglo.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Gfomcn32.dll	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Piolkm32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Pkabbgol.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Qpbgnecp.exe
File opened for modification	C:\Windows\SysWOW64\Ofbdncaj.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Paajfjdm.dll	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Pfppoa32.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Namegfql.exe	b01cd8cf536bd5ab02934f4440d7ca80N.exe
File created	C:\Windows\SysWOW64\Ncmaai32.exe	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Conkjj32.dll	Ndpjnq32.exe
File created	C:\Windows\SysWOW64\Nbdkhe32.exe	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Qpbgnecp.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Namegfql.exe	b01cd8cf536bd5ab02934f4440d7ca80N.exe
File opened for modification	C:\Windows\SysWOW64\Nbdkhe32.exe	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Ofdqcc32.exe	Ookhfigk.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Pbbgicnd.exe	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Akihcfid.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01cd8cf536bd5ab02934f4440d7ca80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b01cd8cf536bd5ab02934f4440d7ca80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Namegfql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flekgd32.dll"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b01cd8cf536bd5ab02934f4440d7ca80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b01cd8cf536bd5ab02934f4440d7ca80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmkg32.dll"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omaeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b01cd8cf536bd5ab02934f4440d7ca80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmmnbnl.dll"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codncb32.dll"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllolf32.dll"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofgmib32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1184	4960	b01cd8cf536bd5ab02934f4440d7ca80N.exe	90
PID 4960 wrote to memory of 1184	4960	b01cd8cf536bd5ab02934f4440d7ca80N.exe	90
PID 4960 wrote to memory of 1184	4960	b01cd8cf536bd5ab02934f4440d7ca80N.exe	90
PID 1184 wrote to memory of 3388	1184	Namegfql.exe	91
PID 1184 wrote to memory of 3388	1184	Namegfql.exe	91
PID 1184 wrote to memory of 3388	1184	Namegfql.exe	91
PID 3388 wrote to memory of 2244	3388	Nlcidopb.exe	92
PID 3388 wrote to memory of 2244	3388	Nlcidopb.exe	92
PID 3388 wrote to memory of 2244	3388	Nlcidopb.exe	92
PID 2244 wrote to memory of 4292	2244	Ncmaai32.exe	93
PID 2244 wrote to memory of 4292	2244	Ncmaai32.exe	93
PID 2244 wrote to memory of 4292	2244	Ncmaai32.exe	93
PID 4292 wrote to memory of 2616	4292	Ndnnianm.exe	95
PID 4292 wrote to memory of 2616	4292	Ndnnianm.exe	95
PID 4292 wrote to memory of 2616	4292	Ndnnianm.exe	95
PID 2616 wrote to memory of 3056	2616	Nconfh32.exe	96
PID 2616 wrote to memory of 3056	2616	Nconfh32.exe	96
PID 2616 wrote to memory of 3056	2616	Nconfh32.exe	96
PID 3056 wrote to memory of 4028	3056	Ndpjnq32.exe	98
PID 3056 wrote to memory of 4028	3056	Ndpjnq32.exe	98
PID 3056 wrote to memory of 4028	3056	Ndpjnq32.exe	98
PID 4028 wrote to memory of 4176	4028	Nlgbon32.exe	99
PID 4028 wrote to memory of 4176	4028	Nlgbon32.exe	99
PID 4028 wrote to memory of 4176	4028	Nlgbon32.exe	99
PID 4176 wrote to memory of 384	4176	Nbdkhe32.exe	100
PID 4176 wrote to memory of 384	4176	Nbdkhe32.exe	100
PID 4176 wrote to memory of 384	4176	Nbdkhe32.exe	100
PID 384 wrote to memory of 4548	384	Okmpqjad.exe	101
PID 384 wrote to memory of 4548	384	Okmpqjad.exe	101
PID 384 wrote to memory of 4548	384	Okmpqjad.exe	101
PID 4548 wrote to memory of 4864	4548	Ofbdncaj.exe	103
PID 4548 wrote to memory of 4864	4548	Ofbdncaj.exe	103
PID 4548 wrote to memory of 4864	4548	Ofbdncaj.exe	103
PID 4864 wrote to memory of 4728	4864	Ookhfigk.exe	104
PID 4864 wrote to memory of 4728	4864	Ookhfigk.exe	104
PID 4864 wrote to memory of 4728	4864	Ookhfigk.exe	104
PID 4728 wrote to memory of 4520	4728	Ofdqcc32.exe	105
PID 4728 wrote to memory of 4520	4728	Ofdqcc32.exe	105
PID 4728 wrote to memory of 4520	4728	Ofdqcc32.exe	105
PID 4520 wrote to memory of 3236	4520	Ohcmpn32.exe	106
PID 4520 wrote to memory of 3236	4520	Ohcmpn32.exe	106
PID 4520 wrote to memory of 3236	4520	Ohcmpn32.exe	106
PID 3236 wrote to memory of 2656	3236	Ofgmib32.exe	107
PID 3236 wrote to memory of 2656	3236	Ofgmib32.exe	107
PID 3236 wrote to memory of 2656	3236	Ofgmib32.exe	107
PID 2656 wrote to memory of 3644	2656	Omaeem32.exe	108
PID 2656 wrote to memory of 3644	2656	Omaeem32.exe	108
PID 2656 wrote to memory of 3644	2656	Omaeem32.exe	108
PID 3644 wrote to memory of 3620	3644	Okceaikl.exe	109
PID 3644 wrote to memory of 3620	3644	Okceaikl.exe	109
PID 3644 wrote to memory of 3620	3644	Okceaikl.exe	109
PID 3620 wrote to memory of 4504	3620	Ocknbglo.exe	110
PID 3620 wrote to memory of 4504	3620	Ocknbglo.exe	110
PID 3620 wrote to memory of 4504	3620	Ocknbglo.exe	110
PID 4504 wrote to memory of 4156	4504	Pmeoqlpl.exe	111
PID 4504 wrote to memory of 4156	4504	Pmeoqlpl.exe	111
PID 4504 wrote to memory of 4156	4504	Pmeoqlpl.exe	111
PID 4156 wrote to memory of 4992	4156	Pbbgicnd.exe	112
PID 4156 wrote to memory of 4992	4156	Pbbgicnd.exe	112
PID 4156 wrote to memory of 4992	4156	Pbbgicnd.exe	112
PID 4992 wrote to memory of 2364	4992	Pcbdcf32.exe	113
PID 4992 wrote to memory of 2364	4992	Pcbdcf32.exe	113
PID 4992 wrote to memory of 2364	4992	Pcbdcf32.exe	113
PID 2364 wrote to memory of 784	2364	Pfppoa32.exe	114

C:\Users\Admin\AppData\Local\Temp\b01cd8cf536bd5ab02934f4440d7ca80N.exe
"C:\Users\Admin\AppData\Local\Temp\b01cd8cf536bd5ab02934f4440d7ca80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\Namegfql.exe
  C:\Windows\system32\Namegfql.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\Nlcidopb.exe
    C:\Windows\system32\Nlcidopb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\SysWOW64\Ncmaai32.exe
      C:\Windows\system32\Ncmaai32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcppq32.exe

Filesize
128KB

MD5
dee1ddbb718f3125484f542ec9ec5c44

SHA1
ea7d57fb26cfc287651c5da1704726337aa2ab6b

SHA256
7b3bd460bc3e84da8e40e3a2384cae13aad3212de1540c3c3e76e2c80806a3b3

SHA512
cd88eb90b174bdf0088c04feb0419c5d317c10e82792ac93992d496f23d7dd90b5816f2c538e0d3887ca0a9ca96841902dc099871d4cfe8032ed8df7d918c223

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
128KB

MD5
bf3a3b7c13691d279e078275d54ba638

SHA1
e0303937c93bab350c61a275adc633e697e8feae

SHA256
0390247dcf14a123cba002b0bffe506ce534d9a819b210a8e00ddaed0941e7b6

SHA512
e09119413445a1def4e52312b3a46c31b6d59596bbf39db3dd5ee9dd20ea5d4e56834aab122741eaa9133ee2cb167811d895da86aa80eca55c5f71722077158e

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
128KB

MD5
5b8a5794125373a8cc0364d17cc08282

SHA1
09613a89e68d5715715612c11a92d2cddd04553e

SHA256
f96eceeb3be83186bb327db233503f0eabc33aeee35d519642bd608f387da0e6

SHA512
a7b735c40c24723cf93b3c662c89a350145d1a8d5b3aa9aca89ef7feccd7706befe7c7fb95375be2f82c38d1744f31be0237d100b6b3fe578a2e5fba44685d4d

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
128KB

MD5
0edcc7290c7c50bafe941250168561ca

SHA1
00070e7802ad054dd01633dcb0205aee35b4010b

SHA256
daf3d2b42b4398a80087310a85b8eadc30aa449c7eba71693c75427d8c859f0f

SHA512
c1e9ff8ad87d6a1861ce093c607d82d493abf0576afd06e3ba04c758d9f87eee34678bd614d570e9a9845100d2e981dd64eedd05f846f5dcd178ec93ea89df93

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
128KB

MD5
4b9b277970dd6873081f6de8a253eb0b

SHA1
47668cd565907f04dc7f3d5e8328a0d8f8c1344d

SHA256
a36a4e48f7f776a84af3eca05ea7e4d0bf4753ac0e60680828f92c9dc77f325f

SHA512
1ce514c3116013b3b6c330d7f59ff3c607e5b0dad134755fe3c0195f88a947ede02c9ccb1d46795959b2f091ac50082a47bfaed3ed7955707a802bb88bd654cd

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
128KB

MD5
c426959057ece3bec8702703a235e8b7

SHA1
2c7df0c59369e6cf0ec900b729a9e0d638e1bf94

SHA256
957b5ec904336e490dc8ee9880c3c2f5be05a0b026c47eceeb38dc8d7e9d30e2

SHA512
69c18ea4363d95cb84ea1c35869c454b58bccaf6225048d31aeac0d83aef4b0a4e84cc882815c0ff3b61a622ed52f58d3fc97360f43b51b48f185d8975ad97d3

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
128KB

MD5
1d373625cbe19b53020237e86cc8a67a

SHA1
502d3e8fb9eb2feb91e6bca3a35fb8ae7f4a8521

SHA256
d71fde80d2439745a23b4c8e65b6406afd2ce66066c24cb5a5b65d747a1b96cf

SHA512
d797fb463eac076bd9bee8ae61ad198870f07f6223710613b2d74a6f952d1bf6bcbb668e1fbbc0a0d81f5e3703ba674255ad1a40a6efd58577c4052a3d81376d

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
128KB

MD5
21f6f920603dbbf04f416481fc469e92

SHA1
1b35a6d904308f04123489d17926b79b293ab390

SHA256
d6d5146ca305aaa8ba48e525ba9327b5cb5b37e25b4203bcd75c83f46d9fab22

SHA512
e7d9f00be956ddeb67f2f08e1f41b33bac9378b7c4409ab592438302c2265b7965a7a1f962f5b1e6f1ba6f9871e321f9d0a9f5a412465bfbf92c572113b727e5

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
128KB

MD5
1d3f9bcd5897325714c48e7d742959a2

SHA1
cff97254f4e47be8bda293bf99854787fde829b6

SHA256
a67836f864fd83cb98c377cccd0c6bd552ed765f07a27652ab9ef348e12c6028

SHA512
739626e55b0d2bde189d7dbb2295f7c24269abc51c3c61884a2badc14e9440254de69e2033045c051f15cdd389f245df70726256db55d8cfd7b77689beb8b0e7

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
128KB

MD5
097283e8a47cdcbf411a5c30a4c02a06

SHA1
630d1bd1ccabf8fa671b7b27ef982429175bb36e

SHA256
d25534088b790343a276ab83af0e648afa8b19a6b6a879d26441f07dee375ae7

SHA512
865a8c02148da8de5d827354bdae7c914d0ba9c5ebe62c8c0d5c2eb46a3d023203d4365bf9d9e7c321f7940705f49a976903735e1ecf888fcceafff47c0037c4

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
128KB

MD5
6ac1ebafb5cd83de7ffc9d2cf80c3ec4

SHA1
c4a7ef5373c3b755c5965086bc27277d824cf284

SHA256
929dd5c7c21600864302b535a346c29f18a7c6a37ca1e35955e87b4a0dad9904

SHA512
eb1ba461083c4bbf0aebbd48b9f7580f1e4021d2e188f873ef095f297ee7f91de9ca59ca3f48c1063b9635990067899f0f3449865a50cf0fa1b5712e757c36f6

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
128KB

MD5
cf70149cdbb832f5e2fcc9354f59351f

SHA1
ac342aa21158bc32dda06865f351695f227b42f5

SHA256
e0678b90f853cfc5ae66a23b78d2362068aa544fd8bc98d27e969cd1922dba11

SHA512
42b860a4354f935f72cd6d5e882811ea7a21b5a60d555a75845361b151f85cc3a0569f7eb29f52f69833f49eb68d062d8710cec5e15db2a721a05a6beb9fe0c9

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
128KB

MD5
a6f7a1469289bd78799e2d89ec04abbc

SHA1
302f04577bc5eaf3dc71b1bd9911cd6162e87b95

SHA256
7928673a1065fb54ba7d695b61a8e3a8a7996a35bbf75613d7b943e7af9f2866

SHA512
61ae5b6f4a0a73adf154aaebc1969e893bcf4b746011c4501512fd37293b40f0ff21a526b5291c455a13e97d3fbec4d70cbec934d6b335dcd8ed5c22db0c49a3

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
128KB

MD5
9cc7c1d1bd4943f4480dbc4c2c5e7eba

SHA1
73b9751f2f23d998d069dba29d0a261c6683c0eb

SHA256
26929015d4c140d1ae80a436fdd369167e313d0040277d83123bae4b1cbe80a8

SHA512
42036f854e85d0f0e29dc25cfdb3fc70060aa522926379f70a0f57d44c3802034e6e7dfe78ea866ec0fa3dbfd0251d07dcdbeec59750a504f7b156d08c192ace

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
128KB

MD5
b38234d136476a814ae5f4e91129533c

SHA1
f47c282b4fcd2c4c8c755c140883a5af4e915a49

SHA256
f52d2ad3bf076151b163ebe53f811b0279e3e63915b89f02af748bf5b85e3524

SHA512
4dd6b5328ab56f4912ddfbeddab467f977482281c4c45de5b005b9115c26bdef497aabb4bbf5829ad1804f347a22d3f21c62b02c0427631608aa8de55ff0f6ca

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
128KB

MD5
4f5bdd54de79bb1e4e6eaca116f5b337

SHA1
2c7a65bc01fd0d8aacd728ca8854cd04139040cd

SHA256
939d1cfa422c9715481d5ad066c2f6371fe106679af8442a203631128bedf11d

SHA512
6c51e5b69a653fd47d83d9cb2eacd068ff41436030a9e467876c97b3dfae1728ef67af6767b66bcef7065cf81a2452560e9a3f730f23924b11946cdb1fd61946

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
128KB

MD5
da2ed8f3f62cca39938699c031794211

SHA1
cef93b74362c27cf9cd2a001ab026ef719b66ca3

SHA256
f8d81e07c05b9766547a2d08779041a7eac02b81aeec86162249202473907ec4

SHA512
7be19d2284ac48cd59b75b2fff289f60fb94225c688df3cc8b98a1320897ec855b21fd3281ff69a8bd9a0bd4eb1f88a2641e4f34ef32d6f4fa8dc6def8e15de7

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
128KB

MD5
7d66a2a6d7ed17b4f5447282ca01fd46

SHA1
427df499f68fc7c59fa5ddbfdcc8d7cd15afdf27

SHA256
6ca1a3cec07ec2775a5f6299294fcadfa30b96280ed869bedd71f645fd478cbd

SHA512
b5d2868875f039678777d6e888508b7a1d51efc65fb58d4fb66112a0abf89faebcbc629152793a1c76a7190530f17420e8765e172c3588d3c76ed8dbfd19e314

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
128KB

MD5
4411deb282e836e14449fba63bdcd1c9

SHA1
ca49390562935e2e56b3c1e43d140eb1b91f33c0

SHA256
93d8d1be0974df8d8b3b3fc8ca1f1912ae23e8c9f8a0a314a6a622a6f05eb002

SHA512
be56e17620355617ac8569df335344e79d4385f3ab485b9504e1ae7b4826017113e7d3efa2c5ae5ac43e2a0cebd6713f65761e5aca6f890cd466c182b3894018

Download Submit
C:\Windows\SysWOW64\Omclnn32.dll

Filesize
7KB

MD5
075a7716135ba9475f1dfb4e79a8db15

SHA1
0dc2aa2a626a602134e2a31ae800bcf83f49ab80

SHA256
893a8b3f3557b8bb15939b144eb8a193e13fd91b787a34b75d15954227ef2d9d

SHA512
c961041d3d9196075189395cac48fb76f27602176dfb847ea1a1f1af61d897ca1a0b5982b494d21892293655e55204afe1c7cc0c6ac677530db8943513207db7

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
128KB

MD5
43f32ed514ff2c544c9ed89c635ae9fa

SHA1
3045911dcf117170ad9a069f86c57e1e501b03ad

SHA256
b7445a5c443f4074774e004c151ba157c3198c17977712220407b1679e762b6a

SHA512
049eddab642952fa2e91c08659551daf1af702cdc32ce7f59d810f4fe864a3291a988932ffd74b3d50d4d6ca00fbe7be123d4face6df3420450909660c7efc37

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
128KB

MD5
c1db117711064d8fcdc0be827a4c03a4

SHA1
eb127d9a3d3ddc1af27e23acfd2b942a341823b4

SHA256
042e11b7d927528f9177e8d31c95e6a4a7c4edce71a749612c2c7b4dc40e296d

SHA512
d531885f632ca47fd70076de9bfc8c0681ccb375905701f87e364957e16c6c54a1fd13c4e2a4734f8a1e6cfa6eb15cd6cdd050f80e9995a6fed55f840165c1d4

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
128KB

MD5
81c8e18f2df61ea2ebcb33f3d6b9fc4e

SHA1
06d5112ae0dee1222c72663e3119298b7fb4035c

SHA256
05ca99e0bfe14951623004287d68b8012ba5292ea59bdcce79dad46db1c48716

SHA512
933a5346accab6ee0e3baa06579a00f9124ee2d2afe087b3e5eb0914f2303a031353f48c65e5d9c3960c8d2f06fd16bf30159705fbc456b803902b86c8d69449

Download Submit
C:\Windows\SysWOW64\Pfeijqqe.exe

Filesize
128KB

MD5
7de25ab7992615f911cdbf2f52a1349d

SHA1
67a1b77a03a51cd2de007f37f7f122a2a5d689b2

SHA256
6e865d8f550a5e4ab403570e768f40d4ab9b1d5bd679b262bd0575d3ed0ecbb4

SHA512
8f7c2c383a268da1c2246235d6441b1baafbf68a927abfaae0b9bb48dc209e026b975fa3f542217594b6d6824d0e1d6d8ce7bb7c89fc400fe7b23bf4cdd00eff

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
128KB

MD5
b21131cee25daac34130a406491c635e

SHA1
514806756cc6ec1c1dec28b6ff0ea965ab6f1623

SHA256
e836cddf873cb2f7afd95f30bedcc8f7490ba24c1cf52563eeff012d1eff4fb1

SHA512
ecd329958f4e91ac49e8385f0946f5d645782040132e95f2cd5f0fd206c0abf46f8b9a6718eb141237ec7fadf890de049f179eefc814bb3120f214f4d717d576

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
128KB

MD5
4f41d21c949dc0592eef916cd9ef4886

SHA1
ac8a6e5e445fd73947c5c546d90c63f19ae6d88a

SHA256
f79d9b94899760290d443cd14cf8d76f47957dbb4891db5b2cc1d7d4e9080925

SHA512
2510b78a09c39601b1310e69cc6718d7ae26f7098e57781302032cccf3fce9fa63c8bf515a3388c4346a33ed5c5391ed282e18b6753926641a99696253465de0

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
128KB

MD5
2506a7482f735e821dafd3e9a0c0c0b6

SHA1
d208e534e2a2bc54a2b1fe9bfc14d94bc0c564b8

SHA256
7d80a9ca856ce5de1eabef58f5f4696eeecb3589969c4dfa3d6553dc2c76e8e4

SHA512
abc17375f48a48919c1f427122522c824d15071ad07d298f35f9fe3ef97163da68f6d9ee6c32da8fc50b3fc2e5e431a2701f3674986ab69552d796705e6c0309

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
128KB

MD5
54814b5b79f5576b0fb1fb7869dcf10f

SHA1
50fa1ca767e0d507adc9cc21733109f591f154cb

SHA256
44b8f05718bffb73cb9d9c1552e11c9c062429d6cee5669c4ba3cd42f9e57c80

SHA512
eff154523f9dd848fe3bb97747327963afff1aa240fee635007006922df9bc54c2a569fda68f98bdded2cb336b536e5e84a08a4405dd028adafc902236ab0466

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
128KB

MD5
dd557f99eeeefbcda301ff9164dd95ed

SHA1
9094d16c7864fada3f27976b3c0bb8d46297ce42

SHA256
c5778c224e396935208e5dea9827fca6cf0ca6ad7033dc6aedeb8082cb52e2ce

SHA512
622f1832ac7fa894d2e78c58a20801fa0ed32190f9c0709150aabe95d443611c4aa97544944232d5c9413dcabfa232f53cd37d0c8b1ee11f11de00db14e51142

Download Submit
C:\Windows\SysWOW64\Qckfid32.exe

Filesize
128KB

MD5
87a768ca83f5dc3dd8e64cc5d39f6788

SHA1
a90da66e26c5ff86e9def8ac3bd673d3d4cdf377

SHA256
756c38b78536f2e50169d4ece61dfbe09187fe1cd12c4f3a7e6751b1221178ed

SHA512
8d80a31f09b185d4bb21116194d1bc6736b70e53e527b69d8c362f8f2fd5d49107d71111edc4d7e3abfa2d58a4c283ceb051da515a079734422888c2e52a48e9

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
128KB

MD5
b4194d82541d85dea102053dcad4a013

SHA1
3b483fd02cf7cc2fc11f9d188686b1e89a9314b4

SHA256
e374c8c88f89c5cb0b5bd2eb8ad70d0346d3fdfac8b6809a7ba8e639e5c6c589

SHA512
846e254fbb28bc93438dcc185e2569e7e812673bebfef570a8372ebe719ccae57658baba943b6da73fbb78c7116eea937b853f2c37e6aac50cb6d474d6723aff

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
128KB

MD5
b2ade0934124a32ca7e69ad3efc210b0

SHA1
6ba485406cad6523f52c9601c6311347b2d6ab11

SHA256
6b091a06bfdef713fd69788ae87a7e29d44c9b07266b6114117ed0ba7d546e32

SHA512
98ad0c4f726ea20ff35378d3151309ff98b23255ff9f64f6118d37aa2b5fe66340b797792579f96c65cd1c45eb80a6664dba70fedb66ee1ed152f10bd3fbcb87

Download Submit
C:\Windows\SysWOW64\Qpbgnecp.exe

Filesize
128KB

MD5
943bfcbfbaee7c296ebb603cd73568a2

SHA1
3908337e561a60561977647607d4a06df833aed9

SHA256
7089b5c4d7cee4bd01191243dc77cc8822ba44a17170926f6ce9a492fbe99ed5

SHA512
1340549c2de9af3403ef79ab41b543a604f9ca41b1889da1893e8054887b589cf500f691fcc6dc7bba5e35f708b62cbcf21666461d101230f4273499ce528028

Download Submit
memory/384-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/384-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/784-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/784-271-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1184-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1184-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3288-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3288-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3324-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3324-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3328-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3328-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3388-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3388-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3620-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3620-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3644-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4176-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4176-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4548-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4548-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4728-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads