berbew | ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b

Analysis

max time kernel
142s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b.exe
Size

60KB
MD5

287f57eaae0a955254cf9cd0abf4bb14
SHA1

70eeb8f0f8e79ee35758adb7c24a9cd521468292
SHA256

ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b
SHA512

d328b1b43579f9e47e4092e41827ca1ecf51e9e8682f776d2b456e56d5bafce41a67b54add13bd72321864cabbbc05cfcc990845c9d2a2dc6540c057f45ebf30
SSDEEP

768:DoGOt6TKn3HXuKLUQfXEtPYI9hrw4VfgbkIbNwSDqc8/1H5WB+XdnhMl/Xdnhp:Ddc6KNYtQI9m4ao+j+AB86l1r

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4456	Nnqbanmo.exe
4312	Odkjng32.exe
3260	Ocnjidkf.exe
3088	Ojgbfocc.exe
4764	Olfobjbg.exe
4776	Odmgcgbi.exe
4824	Ogkcpbam.exe
2028	Ojjolnaq.exe
3696	Olhlhjpd.exe
2276	Ognpebpj.exe
2728	Ojllan32.exe
4060	Olkhmi32.exe
1580	Ogpmjb32.exe
2804	Onjegled.exe
4612	Oddmdf32.exe
4572	Ofeilobp.exe
2612	Ojaelm32.exe
808	Pdfjifjo.exe
4984	Pfhfan32.exe
2560	Pqmjog32.exe
1068	Pggbkagp.exe
3908	Pnakhkol.exe
4684	Pdkcde32.exe
4972	Pgioqq32.exe
608	Pncgmkmj.exe
3164	Pdmpje32.exe
3800	Pgllfp32.exe
4148	Pnfdcjkg.exe
2444	Pmidog32.exe
4804	Pgnilpah.exe
3488	Pfaigm32.exe
3748	Qnhahj32.exe
2268	Qqfmde32.exe
2160	Qgqeappe.exe
2424	Qnjnnj32.exe
3432	Qqijje32.exe
3656	Qddfkd32.exe
4560	Qgcbgo32.exe
1932	Anmjcieo.exe
3324	Adgbpc32.exe
2144	Ageolo32.exe
4896	Anogiicl.exe
4220	Aeiofcji.exe
4160	Afjlnk32.exe
2252	Amddjegd.exe
1364	Acnlgp32.exe
2616	Agjhgngj.exe
1320	Amgapeea.exe
4276	Aeniabfd.exe
208	Afoeiklb.exe
3892	Anfmjhmd.exe
2308	Aepefb32.exe
3296	Bfabnjjp.exe
4760	Bagflcje.exe
2116	Bganhm32.exe
2260	Bnkgeg32.exe
368	Bnmcjg32.exe
4208	Beglgani.exe
816	Bgehcmmm.exe
3728	Bmbplc32.exe
1092	Beihma32.exe
3084	Bhhdil32.exe
2916	Bnbmefbg.exe
3652	Bapiabak.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6076	5984	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4456	3968	ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b.exe	84
PID 3968 wrote to memory of 4456	3968	ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b.exe	84
PID 3968 wrote to memory of 4456	3968	ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b.exe	84
PID 4456 wrote to memory of 4312	4456	Nnqbanmo.exe	85
PID 4456 wrote to memory of 4312	4456	Nnqbanmo.exe	85
PID 4456 wrote to memory of 4312	4456	Nnqbanmo.exe	85
PID 4312 wrote to memory of 3260	4312	Odkjng32.exe	86
PID 4312 wrote to memory of 3260	4312	Odkjng32.exe	86
PID 4312 wrote to memory of 3260	4312	Odkjng32.exe	86
PID 3260 wrote to memory of 3088	3260	Ocnjidkf.exe	87
PID 3260 wrote to memory of 3088	3260	Ocnjidkf.exe	87
PID 3260 wrote to memory of 3088	3260	Ocnjidkf.exe	87
PID 3088 wrote to memory of 4764	3088	Ojgbfocc.exe	88
PID 3088 wrote to memory of 4764	3088	Ojgbfocc.exe	88
PID 3088 wrote to memory of 4764	3088	Ojgbfocc.exe	88
PID 4764 wrote to memory of 4776	4764	Olfobjbg.exe	89
PID 4764 wrote to memory of 4776	4764	Olfobjbg.exe	89
PID 4764 wrote to memory of 4776	4764	Olfobjbg.exe	89
PID 4776 wrote to memory of 4824	4776	Odmgcgbi.exe	90
PID 4776 wrote to memory of 4824	4776	Odmgcgbi.exe	90
PID 4776 wrote to memory of 4824	4776	Odmgcgbi.exe	90
PID 4824 wrote to memory of 2028	4824	Ogkcpbam.exe	91
PID 4824 wrote to memory of 2028	4824	Ogkcpbam.exe	91
PID 4824 wrote to memory of 2028	4824	Ogkcpbam.exe	91
PID 2028 wrote to memory of 3696	2028	Ojjolnaq.exe	92
PID 2028 wrote to memory of 3696	2028	Ojjolnaq.exe	92
PID 2028 wrote to memory of 3696	2028	Ojjolnaq.exe	92
PID 3696 wrote to memory of 2276	3696	Olhlhjpd.exe	93
PID 3696 wrote to memory of 2276	3696	Olhlhjpd.exe	93
PID 3696 wrote to memory of 2276	3696	Olhlhjpd.exe	93
PID 2276 wrote to memory of 2728	2276	Ognpebpj.exe	95
PID 2276 wrote to memory of 2728	2276	Ognpebpj.exe	95
PID 2276 wrote to memory of 2728	2276	Ognpebpj.exe	95
PID 2728 wrote to memory of 4060	2728	Ojllan32.exe	96
PID 2728 wrote to memory of 4060	2728	Ojllan32.exe	96
PID 2728 wrote to memory of 4060	2728	Ojllan32.exe	96
PID 4060 wrote to memory of 1580	4060	Olkhmi32.exe	97
PID 4060 wrote to memory of 1580	4060	Olkhmi32.exe	97
PID 4060 wrote to memory of 1580	4060	Olkhmi32.exe	97
PID 1580 wrote to memory of 2804	1580	Ogpmjb32.exe	98
PID 1580 wrote to memory of 2804	1580	Ogpmjb32.exe	98
PID 1580 wrote to memory of 2804	1580	Ogpmjb32.exe	98
PID 2804 wrote to memory of 4612	2804	Onjegled.exe	99
PID 2804 wrote to memory of 4612	2804	Onjegled.exe	99
PID 2804 wrote to memory of 4612	2804	Onjegled.exe	99
PID 4612 wrote to memory of 4572	4612	Oddmdf32.exe	100
PID 4612 wrote to memory of 4572	4612	Oddmdf32.exe	100
PID 4612 wrote to memory of 4572	4612	Oddmdf32.exe	100
PID 4572 wrote to memory of 2612	4572	Ofeilobp.exe	101
PID 4572 wrote to memory of 2612	4572	Ofeilobp.exe	101
PID 4572 wrote to memory of 2612	4572	Ofeilobp.exe	101
PID 2612 wrote to memory of 808	2612	Ojaelm32.exe	103
PID 2612 wrote to memory of 808	2612	Ojaelm32.exe	103
PID 2612 wrote to memory of 808	2612	Ojaelm32.exe	103
PID 808 wrote to memory of 4984	808	Pdfjifjo.exe	105
PID 808 wrote to memory of 4984	808	Pdfjifjo.exe	105
PID 808 wrote to memory of 4984	808	Pdfjifjo.exe	105
PID 4984 wrote to memory of 2560	4984	Pfhfan32.exe	106
PID 4984 wrote to memory of 2560	4984	Pfhfan32.exe	106
PID 4984 wrote to memory of 2560	4984	Pfhfan32.exe	106
PID 2560 wrote to memory of 1068	2560	Pqmjog32.exe	107
PID 2560 wrote to memory of 1068	2560	Pqmjog32.exe	107
PID 2560 wrote to memory of 1068	2560	Pqmjog32.exe	107
PID 1068 wrote to memory of 3908	1068	Pggbkagp.exe	108

C:\Users\Admin\AppData\Local\Temp\ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b.exe
"C:\Users\Admin\AppData\Local\Temp\ebd76551b0ad597daa9e8ddf3189fe3856e7c068412d50afac75afe4bf811c9b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\Nnqbanmo.exe
  C:\Windows\system32\Nnqbanmo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\Odkjng32.exe
    C:\Windows\system32\Odkjng32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\Ocnjidkf.exe
      C:\Windows\system32\Ocnjidkf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        49⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        57⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        64⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        69⤵
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        72⤵
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2652
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        91⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 216
        100⤵
        Program crash
        
        PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5984 -ip 5984
1⤵
PID:6048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
60KB

MD5
7bb99c02dc9d3ed7a92ca92b5cce0f4d

SHA1
f711019bb5e08243158c03f87e253095630cf2da

SHA256
4beb46afaa27adb743830e57625a21a6b3a9ff68ec3d3a5096db06211bd4c7a9

SHA512
1b92bbc635efd2b8ffbc73f1163ab9f8ab2649c5778f4fca4e8c8a8828764fc4bfd013476a3e7f3512c92d677c4bb5b0141c3efc7158a7b8a791747d9bddfeb1

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
60KB

MD5
575f98a0d09b0b6f8cebaebd48f79ede

SHA1
bb4af5c9c11ade595358c853af9c5293db24e2fd

SHA256
8fd21e0a26928eec7fb1eeaee9f68a9f02554e0bdcc4e998c6da8a2249d99b18

SHA512
eeabd6a229d5ddf7d654870913848faf59bedbc20d12ab5c50ef67147fabf7ca2a1630a4f471644f2b342238d42ef31d21f41e5afa46ab4a679910336bd7d75e

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
60KB

MD5
345cd39ccd3c01842db415a8413428ac

SHA1
30df8feb4165d89a8d01842458ea571bd5c4bc2d

SHA256
fc7b6cfd71a3b4e509ee9a09792cd3fce0ff2526606b18014ac0b82e572033a7

SHA512
d9c92ef9c1dead63e800994cd6ffe3e1fc868713d91ab672e94c605523b80835e3593bdecb66ef8c20b3af23739c499df3f137727cb774ae65ed84f6f181bb70

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
60KB

MD5
86ee5a5745ebf6c257348516a75ed8e7

SHA1
d3aac7000a281d8bff9ececd47783b6dd159da4e

SHA256
84d49d52c3a61fe9045b5c78d42276c05b12724183e0be2fdb5ce63a265b0c0a

SHA512
2376de84e7392fda597b431941c5a562bd8bd3ea1f6290db15b52b6c7db5a81acfcf63314cddb32b1868e3c3645096929e2c5e689f9a95cd632b8eba0ec668fa

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
60KB

MD5
db06b91f6d70549b57d6d487225cb46d

SHA1
1d9f4707cdbcefd8930f776621b2b4aad047f6bc

SHA256
4a406cc9b9e08ae523569fcf0e5001c6fed2272391ff5dd1220527a8309ab818

SHA512
a42b7f7d32e9e46360d81f86149cd4b702f8a61c16817fb503f68e7f8dab65a7ed42598f72f5b2f46d15524747ed0c171c4c31512b4bacc274daf0f0adacfc7e

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
60KB

MD5
1795dac23e2bf55b748807dc722eb6ab

SHA1
0760b26d85e7c81623d0447d3bd15ca87d9e5cc4

SHA256
b6621cb717a8907215d2544959f5df56400252faa5667ab15bf1e6f0cb03fba5

SHA512
7d543f69b95446d6b30200ac4a00a1aeb2549f01a7ef3da525eb5de53fc15f4bf494a69e8e07c53cd09d9f59ba785f33cd6627d6ce83d0ca8f758b582e5f13f4

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
60KB

MD5
28bc837da9633684da9c67ba624a19b1

SHA1
77cbcd8685536001bf2cd4c7c0a0b206ed2082c0

SHA256
1214bdecc596beb0b4682069516ac3694b942fab14bb24f9ebb45ff6f389035e

SHA512
e77e59dd99c9e9d251231c4e7e56658c43273ab1cc55c91a5045fb2443700c7172d91778918f5dd30747f6fb4d961c5c5d8d46610dabde9a765caeaa22c0ea73

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
60KB

MD5
4d073071ae7c4a68e9897c2c775865b3

SHA1
adb1a92e4934b821c3dfe9b7d06c6cb788c44598

SHA256
fc0b8d3a114dc248454cd743269988179d584cc50dce41dc51aecddae975a1ad

SHA512
bcdabcc75f663419d1f8d34a777b9fb43f8f50a72f02273438204525dac76608e36330fd732e17267baa3ec718b9e856ac616952e99b8c1515d8c21e8a631489

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
60KB

MD5
ba301b840f7ea146eae3ee29f452533f

SHA1
02b611ac30dfb3006b57fa70f160f4ea8c553101

SHA256
1e61781c49f447bad191fffd1bec14f4ea383be047e44876592b90743b58b1f2

SHA512
54efef4d59f9e87952f3ac7750ce5746fbf2f98bd0f08ae592186da333adad1bb2e9baa1fa5f2ea68143662a892911262a55c5b75f26da937b69e86391c06f6a

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
60KB

MD5
df8efc73cdbd4d3ed1c5bd091126ff17

SHA1
5d94048f0c10b957d68e3c4d818700f2068581dd

SHA256
6516b72bacf7cf9f6a39ee134e9c9d6761c0ef693512179548f844bd9b67fc95

SHA512
8c80cb7f2aa69fe63c4ebfef1e5d568c7ba770ab6ac53b3e5ad9e2e074b39e1aed0b39b729df709274121ea6d21dfc6e705e258109440811bb4d2e42e6694909

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
60KB

MD5
77d25301fee3a32ab5687d5264d5447c

SHA1
2ac21a268c2858a6ef9fe1be28753410d4684cc4

SHA256
1904ef495006959e28e2eb1d4cd4c573f77e7ef032e8ef8f362fa0b773803d99

SHA512
8547a2ec9b59e6535423d1215271fcebacfa4783e542af6d71fe4f3af71036dce102eec38d8dd5aeb0bfefc50a943fb351f4e21241628c5ee3e671a5f45d3bab

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
60KB

MD5
354ae6da4df10ce32cc0d17f4964d63f

SHA1
e9804e6c16c03b96aa49d163eea0d46e417d4513

SHA256
ba26146071e86146d35b43a6b785af5e093c4a33cae5be8666c51bf7fa8e05b8

SHA512
acbe7665ab9c5661797e9a9cf6e2bd7eba350371ebb3bdda08e4d04fcb71f489b13814f29d5516a144fd801e59606a1806d3ecc0cb55599daf81de414bbd1942

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
60KB

MD5
b4d890b9a5abc6263b98245cd7524bd4

SHA1
4bbc7a5dee7ff3180f1f823e73442b2d838ee1c7

SHA256
7d74c9f75e90667793d7a10d7b47fb5d91301e20c53af5542be425cbc3734f88

SHA512
db90375eb0b01510653f4a3ff0e8a88ba870b6ffa9b039de0eed51e4a1223ffa46d4cc1492d254a30b6c302eabc275cb57279a8deb017e3cbd9244aa3e134d31

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
60KB

MD5
304c9488e1beef1d97c1ad1c56093733

SHA1
b5937407e3a53ae5e6fbd652fd1ee2bd3573648a

SHA256
416c347dfc43c809368d8364720e425c0d290424d473127564c8befddc676b86

SHA512
0e757c432bc9fe9eb949bb353b2e889b57b70caae767d1206b1660b0333b7222c42a7b01c9c8690bcf57e9646a2321d5fddbc21d529a5940b65d5b5c629ae5eb

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
60KB

MD5
168088b1d9f2dad7e1db63af3fd604a2

SHA1
86117d72cad72337daf08c9066f02989b69de732

SHA256
d0b8815a90b248a0f04edc4ad48ede81e2d84489d118d396fe3844e0975bca19

SHA512
06893d48bf97333efa74bce837f234f35727e71a0fedb874862c7b4a80d795ff6fe856d478a2b758d0404a101337f915fa8eb0c1d2695a39a644589d4a9f307e

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
60KB

MD5
ece891be3f90ed7b967a1b24211aed97

SHA1
653353d470339d270eef37ff05c476ef1bad0842

SHA256
fcc8a2199d6e35771df67b3c8dc8e7f62a0edd35869ccf1b50e0f8014cf567f6

SHA512
97a0d15e0fb71ca04cc7a9427d5a09e5bc2f5341a3fe1ec26af769bfa2c9e05c34b745678d700a61d77cb859603e1478dcb12c474d866579f1f4d79f7d13d805

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
60KB

MD5
6c7b0d9d01887de926b6732985798862

SHA1
8b42f997337a19a15a8f87b533408e4199b2a803

SHA256
d3b4eacb15d3338844841d7c6dd7686af0cf7705118fcc80d19f0e7e1aa6ae21

SHA512
6ab28ef57ab6a808538b315fffcfe257784814ea7fac1bbd1e5ee4c04dc8aadc29ec3bd156cbbea77fb80c332fa57906462cbee8c1ef9904bd75437787250a94

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
60KB

MD5
bb11114d47d49d3b9b8a6dd90c505d87

SHA1
7c0b46f828d8d8d1ba55cf64cc37d8f5aa83bfd4

SHA256
f1b3db7bd1cda9fc21f548141ff32ff0ba9a242ef73648cc9ac3d6a47c00db4f

SHA512
77ba0613e0c860de0be5d746918aa3a71c1fa2da26f1a4105c50b55e842676178f124429fc0c0e8dec61197513a10a4c83fe2a4bc0ad542278a865c61b5baa5d

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
60KB

MD5
c85b0c91f4368997e978aa8b7769cc71

SHA1
d8cf71e42c420073cbe2b361766522c462eaef30

SHA256
75c8bab254a814f38ad797e1d323dea166599cd10c6f7c22337770fdfa690d01

SHA512
ded739129921d07899049439e9f2cc5f6e4711673a98d0e9343d64aba5d6e845adc955d565ca52b508fbf23340616d2414b02edaad48dea6288d1a06ba569249

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
60KB

MD5
50ad89343a76d53724744ebfb529a64e

SHA1
840f2390869df6e2159b1fed79a6a0482e948fc5

SHA256
bf6758da9f75ea9e4886728abb31a712da87c36bf1a142dfa38a3019b5c10b89

SHA512
0d3ac093fa4546cae0644c330a95adf9bafab0a32206b6d355bdc150ab0faa4914f25a182322f629d66a8f1066b44a552124921e7050adca1173cc00652b2f79

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
60KB

MD5
6cb8d256b9c5ae72ea379278220d3b11

SHA1
7e1c7004f6b9ab28c2b7caa0cba88e58b944cc63

SHA256
738f39d1530138411b127e94bece454dd673ec6ddd1afaad714bf2ee51962772

SHA512
7e019443b292d222aa47d2f5b123db8da4b4558eea878fc5dfa26319235586a85d1f07ab090e339e206b03d5cf672c15ae59fdc3141ac1d9b06462bbb6e18c63

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
60KB

MD5
c7a6d4822c9cfbbf59b41a2908509b10

SHA1
38c5384ec8678aef3eb69d6aa3d20fe34eef3a82

SHA256
77658dbcd40865a92515d99688d58439fd62e71205ac9297bb7501da8c8504ce

SHA512
0a72cdace54efae68492989f6a0daceb44209bdcfc3e423c610be16dfaf599cd49d32fc1a4457e9910b7e78c6e3c2ef51270082d9a39c0e356ae911847af4820

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
60KB

MD5
52cdecc6c01c67e3944c58a55ef3e944

SHA1
af2b2960991a376e50df64138fcf6d044db2bef3

SHA256
6c3938967965a75aa91a7503abc4c541546b4f05f51621dba1613a06aaa70ee0

SHA512
24fcd86175d9317548f691842da4af3b09f434a97ba54aaf3e51aaf66fd12292da535c768aad33b9bc08a493649aa43cedaa9638a9e8e215082c1bbc7f3e0505

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
60KB

MD5
fd09a5888d640e6720110681ffaefb20

SHA1
51524eb3d191c8044510a2ff83dc277603217bae

SHA256
3301074b963d118e90d06f97d584aa3127469e54a24a74a5ab7029f556d40d2b

SHA512
4809e972c771fbf5c50e61bc8b958910e5553e13015d247bb1312f98b447ab6e07a4b8f74e4504438d995924b445228ae3cd8b578b4745667f62f089e8d26bf2

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
60KB

MD5
cdb89d945668b15b17d204fb828bfc7c

SHA1
bdd12566d514c562e3b91069cb03b6cbd32c85ee

SHA256
2b833a96a1a20859a0d0e2859d4f10aa34ff6549a2a8433f90fadc9a08e17ab8

SHA512
970f139fe8bbca27b300bb0284440aa926871d2da6fba6123616392ce5cf14e0f471d248888dbad76f88e2bc05def3ac91e105f0470646574b268fa798e25019

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
60KB

MD5
f990fce2fa1fc360e995eefd44f24957

SHA1
085ab33a453e5bf1c03a632e7f16f6b0c5750efb

SHA256
a5ed255dd87a174db191e46b534f21e6ad64a9d5e0bd9b3f95915e8ff690de59

SHA512
079281c3ad831b19d09025955c65f3d081c5505228d928bdb60f65d3c05791492d8b88a36ec084d831ec798c07891eb033bac0aec4d92c2903d4d5d395796fb7

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
60KB

MD5
8fe80593619e81ce4d1f69eb1d4073c4

SHA1
f31ffbadba17237aee0f2bd3b827b6c6abff5218

SHA256
919b4be5446becf57fa7794d7e3859467a1456ff5a0e20b534f186414379619c

SHA512
f566e952e46bc827553e4037237dc3a1701a069b3a66a2f9f49c8d2594bfe179a578dcfac196c5778329e67a4d367804af32aa5226a5e2849365e512200d8275

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
60KB

MD5
e78c24e12eb78bbf167bef68511bd9a0

SHA1
c859c99ec9ce81047e61f5d547030a93f7768696

SHA256
f1fdea2fca4ea8f0fe1823a3994ce04005596161927f76f73a7f29a03794f6ae

SHA512
c17c43f22e206c16fe5ca53a4409f8256acbebe2463a18ade002ef504295f13cb9543679b50170ff152c3664d3a3edd7ee8a5ef27b51fe3844b987bd0d3915dd

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
60KB

MD5
0e5aa22acb3a8680eb0892a41ae98f36

SHA1
bcee5f59eecceb8cf92251c93d20fc966a37d903

SHA256
e75c793870c86be20375913643d1b93dc4d46b96c55db464b33ee646ad9f24eb

SHA512
320b8efa9a57f1b8298e2aac92cd343cde3a27551e389627eb4614288cb12e5b05ac1bded0f463586516cb619ea1e58a392b5e28702553f9dcd674424fb6a1cc

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
60KB

MD5
dbc9dbccf4324ad093a0f5ad750d6ad7

SHA1
837572a9e05ec2a83330e7b650351e682b69c341

SHA256
983a14cbc9c299e7a93fb70024ec40c4c8abf6708be990bbb133657b9722640e

SHA512
85a47d67aeb03a9733a325aa94f3d0fbed6f4b1fedd5c3ca65d1fcf4b5a4e1fd444ffecb535d778474c97368cbc717fb94e9ed05db979fc0a2b4c8a82481632e

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
60KB

MD5
50148ae646cc94808bbbed6ee90d4865

SHA1
da09c672a8c5ec25e9f6b6d66ba225dd0088a38f

SHA256
7e03709fb26e4d95e91080b3bfa2799e6b3cc51910e51f6952a934d3fc1030a0

SHA512
e06976cacb2a2f9a474c5c0ae6c4c86874723e0bf127124b7f295e01b3f6e86d4b3f99a777845d9c18df673857cb660f027f09c4ecb00b4f6ecc4ab94694f06c

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
60KB

MD5
1cefd2968ef30f8f201056307eb8ef5b

SHA1
e49ee5643b05dbca8ca1c82bf6af5595857ffc0c

SHA256
574bddeaad3e8d220f50d8648f49c37551e1216d1ebb58cc8f84670ea20ebd35

SHA512
b1dcf2b54d990bc90dec73b79f404ed464b9cc3a86415bb687cf29c74a2c3f2ab8b322bf65cd4afa2be734d5f25524f20e9e68320c5ebb06abe14e748a0a204f

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
60KB

MD5
458169066086224fab32fc36716b561d

SHA1
2de3d90f11fd1ebe73ef0e3b26eac2189a686c0f

SHA256
af946b7c1ac43e340ca07dcc41a8c53a8a21f511eea97df6382e7e1cb12867e1

SHA512
6a6e64c8249996d19dcb1d12724b589ef44b40f727b7c9af6490576d36c3a59f0165d79ea0a9b6aeaa340e1c2990108f3291b7679402b5f295ef136146797055

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
60KB

MD5
8b1035233ac3ec56611a1651902d70e4

SHA1
de3f81359e10d19f04784b92c7134ff37f722b00

SHA256
15fc663b641c1f05f692ebf5b8c2027430946c42f02c35e57ffdae8209c8d206

SHA512
015d05c1d8a1204fb390a992e4929350e61997222265ce233dcdc35c03d01114e7453be4f69457126fe429b8d801dd87228b0949a8eec9ec94d54b8571f530c2

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
60KB

MD5
fc3ee9123d3026fb3df34e8e3ed5c2c0

SHA1
527026141c0f6569da060f44414bb645da84de9a

SHA256
efd531fe65c0d3a15e8576eb5a1bc060a512ee7b3bda92064700b8394b298244

SHA512
b29b360f3e051a31f5c95d269431442edfe142093712f47209dc46684342f8db5ea0ea43f59e131071f3e73524e2770fdc8a810e78d0f800f83af18eee5c77da

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
60KB

MD5
91c04a0c8fee07daf220f22873d209ba

SHA1
b12719ddd6db632decc96d81281b09ef9ea360ef

SHA256
324954d6979daf284835753756775db67a4ca8e82cf7290213bb351f390774cf

SHA512
849afbd8b940be97b341d79307c04795a840251e17cf27ee3bf6059ea8421b50fbe59e1957a8858a6b632550440bc5ed9764dcbfb99201df7e63003713443c17

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
60KB

MD5
c9cdc6e7066b80e929c07bdb254d279b

SHA1
54a1b6a6d2b8acc3e22c12389f246d4437b8ae06

SHA256
a739902c3c86e3fd2068d72075c9b497aa4951d341d520dd004db82bee1fe33e

SHA512
362f45f72e67e598f5f071ff621399aef9da337c38193290bfe4e53c7b25e1bd60ceea6ad7032a6275850d92ed00d923b6be5adfef58e4ba13f15360465196da

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
60KB

MD5
09a7689ea057413f7270fbebe873b979

SHA1
2a3e93b9a1f121a7622e483cf0b52519dfe98097

SHA256
26b974f02076ace5e5d8b4c56b3ab2600b7edaf950492dff87fd63a5d32ae69c

SHA512
0abcea3b314387aa5ec4813a93f924ed218624a5881b5f6d7890077d72c085b8c1cf5174199c40d8a016e453bef1c003fd0f421c7fc70b4d0188a66760002977

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
60KB

MD5
bc55b325d068f5245c2663b5dcaef79f

SHA1
3f31135c8614c0133a2347fdf073f76b2ba12bbd

SHA256
5d3b586c478630c8c9abcb9d2fae6ec63819fa1ca21ad18febff349dd9f8fb88

SHA512
5ee92fd54348840786b44b9da007f9be3c9d8e31385c49474257d21cbd95b51db61e12ac2a16e28d23451e8337ec77130ddfbdd060780ccc5219a3182f749535

Download Submit
memory/208-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/368-443-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/608-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/608-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/808-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/808-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1068-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1320-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1320-384-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1580-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2028-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2028-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2116-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2252-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2260-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-285-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-178-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3164-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3164-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3296-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3324-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3432-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3488-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3488-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3696-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3696-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3800-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3800-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3892-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3908-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3908-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3968-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3968-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/3968-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4220-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4220-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4276-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4312-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4312-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4456-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4456-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4560-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4612-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4612-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4684-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4760-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4764-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4764-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4804-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4804-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4972-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4972-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5852-733-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads