berbew | 1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c

Analysis

max time kernel
94s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Size

208KB
MD5

287db9475f35361a4314acacef65fbb1
SHA1

879b289585d31e0f07e122af08813bda46470ef1
SHA256

1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c
SHA512

759404e5eafad079f90fc7384829f27856c19db448b24330ada0bd261b92cea2f360364963229bf0ccd348f74840a4586c0ebc7c86429e80afe4482706558ab8
SSDEEP

3072:BTI8C5gD2/QHZpRJBmrg6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:1HZ9BQh+Eu6QnFw5+0pU8b

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2984	Miemjaci.exe
4956	Mlcifmbl.exe
5024	Mcmabg32.exe
3496	Melnob32.exe
3516	Mlefklpj.exe
3880	Mgkjhe32.exe
216	Mnebeogl.exe
1564	Ncbknfed.exe
2028	Nngokoej.exe
2316	Njefqo32.exe
5076	Oponmilc.exe
1864	Ocnjidkf.exe
2536	Oncofm32.exe
1840	Odmgcgbi.exe
880	Ofnckp32.exe
1520	Opdghh32.exe
4908	Ognpebpj.exe
1508	Ojllan32.exe
2504	Odapnf32.exe
4732	Ojoign32.exe
1984	Oddmdf32.exe
4372	Ojaelm32.exe
1336	Pmoahijl.exe
4824	Pdfjifjo.exe
2980	Pfhfan32.exe
2996	Pdifoehl.exe
2708	Pfjcgn32.exe
4760	Pnakhkol.exe
4672	Pqpgdfnp.exe
1184	Pgioqq32.exe
1056	Pjhlml32.exe
396	Pncgmkmj.exe
1628	Pcppfaka.exe
3896	Pmidog32.exe
3636	Pdpmpdbd.exe
3700	Pfaigm32.exe
1280	Qnhahj32.exe
1952	Qqfmde32.exe
2928	Qceiaa32.exe
2180	Qfcfml32.exe
3088	Qjoankoi.exe
4944	Qqijje32.exe
752	Qcgffqei.exe
1832	Qffbbldm.exe
1392	Anmjcieo.exe
1836	Aqkgpedc.exe
1468	Ageolo32.exe
620	Afhohlbj.exe
4840	Anogiicl.exe
4452	Aeiofcji.exe
640	Aclpap32.exe
3008	Ajfhnjhq.exe
3816	Anadoi32.exe
3352	Aeklkchg.exe
1996	Acnlgp32.exe
3024	Afmhck32.exe
4928	Andqdh32.exe
3644	Aabmqd32.exe
1592	Acqimo32.exe
3152	Ajkaii32.exe
400	Aminee32.exe
3540	Aepefb32.exe
2508	Bfabnjjp.exe
1516	Bnhjohkb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5336	6080	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2984	4868	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe	84
PID 4868 wrote to memory of 2984	4868	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe	84
PID 4868 wrote to memory of 2984	4868	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe	84
PID 2984 wrote to memory of 4956	2984	Miemjaci.exe	85
PID 2984 wrote to memory of 4956	2984	Miemjaci.exe	85
PID 2984 wrote to memory of 4956	2984	Miemjaci.exe	85
PID 4956 wrote to memory of 5024	4956	Mlcifmbl.exe	86
PID 4956 wrote to memory of 5024	4956	Mlcifmbl.exe	86
PID 4956 wrote to memory of 5024	4956	Mlcifmbl.exe	86
PID 5024 wrote to memory of 3496	5024	Mcmabg32.exe	87
PID 5024 wrote to memory of 3496	5024	Mcmabg32.exe	87
PID 5024 wrote to memory of 3496	5024	Mcmabg32.exe	87
PID 3496 wrote to memory of 3516	3496	Melnob32.exe	88
PID 3496 wrote to memory of 3516	3496	Melnob32.exe	88
PID 3496 wrote to memory of 3516	3496	Melnob32.exe	88
PID 3516 wrote to memory of 3880	3516	Mlefklpj.exe	89
PID 3516 wrote to memory of 3880	3516	Mlefklpj.exe	89
PID 3516 wrote to memory of 3880	3516	Mlefklpj.exe	89
PID 3880 wrote to memory of 216	3880	Mgkjhe32.exe	91
PID 3880 wrote to memory of 216	3880	Mgkjhe32.exe	91
PID 3880 wrote to memory of 216	3880	Mgkjhe32.exe	91
PID 216 wrote to memory of 1564	216	Mnebeogl.exe	92
PID 216 wrote to memory of 1564	216	Mnebeogl.exe	92
PID 216 wrote to memory of 1564	216	Mnebeogl.exe	92
PID 1564 wrote to memory of 2028	1564	Ncbknfed.exe	93
PID 1564 wrote to memory of 2028	1564	Ncbknfed.exe	93
PID 1564 wrote to memory of 2028	1564	Ncbknfed.exe	93
PID 2028 wrote to memory of 2316	2028	Nngokoej.exe	94
PID 2028 wrote to memory of 2316	2028	Nngokoej.exe	94
PID 2028 wrote to memory of 2316	2028	Nngokoej.exe	94
PID 2316 wrote to memory of 5076	2316	Njefqo32.exe	95
PID 2316 wrote to memory of 5076	2316	Njefqo32.exe	95
PID 2316 wrote to memory of 5076	2316	Njefqo32.exe	95
PID 5076 wrote to memory of 1864	5076	Oponmilc.exe	97
PID 5076 wrote to memory of 1864	5076	Oponmilc.exe	97
PID 5076 wrote to memory of 1864	5076	Oponmilc.exe	97
PID 1864 wrote to memory of 2536	1864	Ocnjidkf.exe	98
PID 1864 wrote to memory of 2536	1864	Ocnjidkf.exe	98
PID 1864 wrote to memory of 2536	1864	Ocnjidkf.exe	98
PID 2536 wrote to memory of 1840	2536	Oncofm32.exe	99
PID 2536 wrote to memory of 1840	2536	Oncofm32.exe	99
PID 2536 wrote to memory of 1840	2536	Oncofm32.exe	99
PID 1840 wrote to memory of 880	1840	Odmgcgbi.exe	101
PID 1840 wrote to memory of 880	1840	Odmgcgbi.exe	101
PID 1840 wrote to memory of 880	1840	Odmgcgbi.exe	101
PID 880 wrote to memory of 1520	880	Ofnckp32.exe	102
PID 880 wrote to memory of 1520	880	Ofnckp32.exe	102
PID 880 wrote to memory of 1520	880	Ofnckp32.exe	102
PID 1520 wrote to memory of 4908	1520	Opdghh32.exe	103
PID 1520 wrote to memory of 4908	1520	Opdghh32.exe	103
PID 1520 wrote to memory of 4908	1520	Opdghh32.exe	103
PID 4908 wrote to memory of 1508	4908	Ognpebpj.exe	104
PID 4908 wrote to memory of 1508	4908	Ognpebpj.exe	104
PID 4908 wrote to memory of 1508	4908	Ognpebpj.exe	104
PID 1508 wrote to memory of 2504	1508	Ojllan32.exe	105
PID 1508 wrote to memory of 2504	1508	Ojllan32.exe	105
PID 1508 wrote to memory of 2504	1508	Ojllan32.exe	105
PID 2504 wrote to memory of 4732	2504	Odapnf32.exe	106
PID 2504 wrote to memory of 4732	2504	Odapnf32.exe	106
PID 2504 wrote to memory of 4732	2504	Odapnf32.exe	106
PID 4732 wrote to memory of 1984	4732	Ojoign32.exe	107
PID 4732 wrote to memory of 1984	4732	Ojoign32.exe	107
PID 4732 wrote to memory of 1984	4732	Ojoign32.exe	107
PID 1984 wrote to memory of 4372	1984	Oddmdf32.exe	108

C:\Users\Admin\AppData\Local\Temp\1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
"C:\Users\Admin\AppData\Local\Temp\1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\Miemjaci.exe
  C:\Windows\system32\Miemjaci.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Mlcifmbl.exe
    C:\Windows\system32\Mlcifmbl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\Mcmabg32.exe
      C:\Windows\system32\Mcmabg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        29⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        37⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        66⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:644
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1844
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        77⤵
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        84⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        99⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        108⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        110⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 240
        114⤵
        Program crash
        
        PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6080 -ip 6080
1⤵
PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
208KB

MD5
c79010e9239e4ae5529b32287f36762c

SHA1
c7eb0f90e1fc5456db3c6f8d9a857cbf6c72caa6

SHA256
1f06c4c462193100bf4c6373229b7a0bbe32891625e6697aca3d889990f915d6

SHA512
cc712b9894949d6fe93847129b306f7aa9a907de370574799669d266c4a638b692b6eef77e364f0e05432019397fff0d079f3ae6bd38d67e300072339c6544e4

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
208KB

MD5
eeb88bae53d793e26c4384cc0bf96b7a

SHA1
438efde84e2401c8cbb34b8a3da662da16c68d07

SHA256
bb08f6b2eb947ff005092108364f1a1f1aa54a4065d99b739d90228e88c7254c

SHA512
3560ce5fea8c681b76f43972c0b6c3b1cafae50034640ad8dcb33322725dddc6530341f62696c21bd4af3127859978a852a2bbd787f0cb863dc549668c7da976

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
208KB

MD5
fc3647b67f5a00be97e1c73039ae740d

SHA1
666c345669d47aa9398271875efdd5046e27ec42

SHA256
7237992ebfa2eaecf722a6bfe12a51c9d31b6380b35a4413a1db9363fe5c6fb7

SHA512
1a012712652f8f991f3fa27aadbef35d0c49942e0256df67b20bbe0c9d10e0a8fb7304f016f7843e5180583e1b2fd7aa9b2ca66b7bb2c500ef49e5c3353881a9

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
208KB

MD5
0ed0a5da5d2dfefbfa9b11e95ea38c11

SHA1
1fff7c0627e745ec3c4e2ce3a2fa3f11dc621240

SHA256
00e77e3c3c5b97f8b5ae80be9eaaf8bc59cdec1bf8e350036dcb68a4c29a7b3c

SHA512
8c929ec27435b56ee7b5533aed5e2f822f164459d461755e75edbbf83eebad8fc027f137baf3be4fbd62a5680dad33498d8bb740c66c20beb82b06fd375fb765

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
208KB

MD5
5262ef36072ce9375454b65bc17a19ac

SHA1
c8430164acb3a9a1230387d91b82eb4fc001a217

SHA256
f164e5adfe4be45f63a29b05cd50738403edf76178c2417bad851d8518c9ae83

SHA512
33792a14b3b26c815160fb377eb4767328d53e9b16e066855ad8cdbd817744c70027c01a0845955696d53c81f6a1466205266648483c765c9aaed93e8c0674bc

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
208KB

MD5
9f9dbc9019dcf8e1c71be0bd5bdb3373

SHA1
6ce3afa8f1b6a5e943a5b58a9ff205806e22e96b

SHA256
c523fed1f39f971b0411c47b7111e27ddf8c9dc8e02b0cd3eae69ed6e3c5055c

SHA512
6ad409fc90f488cae41aab83289ea55cc24d57639338b7f0783ea348206e9ccd830b2bad1e2bc94f51349b71a213164a1f6d8673d85b5904572f6d1fd06f2133

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
208KB

MD5
c05840e50c32d7655bd3c62c9595336b

SHA1
74fb0576cff143ac1e5ba897e3bd3d09b672e69a

SHA256
ffc043d7d55af43dfad7ae78293979b2fcfd2097eac69382f710ab17f20997f1

SHA512
26b6e7e09a258a5769f63a94533551296d29ddb91a0880908582c556bc0e177cb48c53c828d7f3d0582118772c7be40cf9a84abf950e0fe96d8026e521fa2d40

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
208KB

MD5
92e07338d27a53ab20f8df46201464a5

SHA1
bbaf9f53ad8dc687fd131fb36168baa8a88b3f52

SHA256
6e4eb43a98fbf1c7bda74cb903933b4012d8fa4a276806e114f3a41a47a836f6

SHA512
d80e8f7ecfae215558f1a2dd54d7e86433bfe428a7f4fd157d878e7d9bffd0a24523a7f4d7c68267209d96dc1c46fd37fbeb28e9e52edea3020277a4907f173b

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
208KB

MD5
9a47c6e9a31fd2905514d49732e7dded

SHA1
4362954d8dad29f3ffa61a8a75a018cd63cca994

SHA256
7a65e859bdcacf9e833849f31e73debb8714f0e0dd3bf110b0f79f07b47b05f8

SHA512
95c15cb83e6002637f483d37edd5177af0d0ee51a5609835b0eaa3bcbf3d208cff6bdeb5473ec82b817f3b7f42566e80af9b33f92d8bbdb3c2c5066a5f2fbe61

Download Submit
C:\Windows\SysWOW64\Kjiccacq.dll

Filesize
7KB

MD5
6a6a77b690b4c0d480d9274d79b5fdbf

SHA1
463739394481931522926feb4a4dc70dfdfc21bf

SHA256
f84e4d584706593e982d2d62b9657cc94173ae914fef18f318fd526915a520ae

SHA512
d373edec5f893bbfb7988054c0cdf7af1552fe57788e15542b86716b4fcc900852bac0b4cacd95b32f12c3b01323d3ad6fc4397b72bbb298fb0bfbef8dc186d2

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
208KB

MD5
f68822f033442af0c5feaa668f206aec

SHA1
258b67bb77b036bddb6307905ebdc97204bed3c6

SHA256
5a97524ada8f564e24244b803e965a4c3f8975711ecdaaaf29798183afe3bdc1

SHA512
6a6f6c424c524944bfefbc27908119a30437a837d8ac008ad56075949452a64b0958030643898eedcf2a5b86659cdd70faa84ce833add1d30ed93fdce6049281

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
208KB

MD5
2313c4067e313b0961de5cfa5fb7122c

SHA1
76de175aa502dcc451c9102e40ade5bac2b2df1a

SHA256
ec24ae393e5e7fa8b6f0ff1dc61e788f45a9b2f9e757718b8aef9e23b1d498e7

SHA512
5dbeeefd9ae86f77fe7e70beb2f52e3037f11ca9137a007ed1bbfa3fca29ec4b067ac60f3b3402236716280d03dabe11aa1bb365b3c436e2e64ad19b4dc5b58d

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
208KB

MD5
ce10c9f3f880e364f2352105cb2fe5ef

SHA1
df4ec0e29872ca5ae7b0e444da1b0e3b0c78e612

SHA256
4d0eee46a20266f6d2856689e88498a824e02b7d0c7ea148108df0aeaea2da5f

SHA512
0eaf9bb5b819e2424a1dc7fa4f49666d7b1ec4c777425e063c667dcc4c739ee45ad7444762a0cd0dd75303c1fbb19fa018f98db418f7e2c7c6c36ca8c754f547

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
208KB

MD5
2548777d91dc94f786d62ee6d64ed80d

SHA1
405d97b53a3266695db55579bd01d2a3227d3d81

SHA256
c7ace3602fb638373c68f04806259bc5f2b263aa455ab7be334304b43104aec0

SHA512
66f884b32bca8e246ddfd011e991289184cf2dbc76aa3c5d2a540223200855549d13264b68700d1f3310c23f29485145b5e07e145b44242d91a03c21e490b8ce

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
208KB

MD5
93d590b5f0aa74094a1e21775e8856cb

SHA1
f9ddbf09843933903446742eb12788edd1bc18bd

SHA256
53395019eb21ebcecae5a566c7c5e3b8ca6889eed346b5a757f5a4529464cf4c

SHA512
e81f2b381fbe238b53b74c28f14db83e776987ce2bcc0ada379cee70d17c8929149fa2c3b4a6647e994654b54a53def10fbaa0ef5e9c7c71b05ed6f561ee52aa

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
208KB

MD5
2b5ec2e5e966e65ab59e33a709cef9ea

SHA1
1fed68e0fc753a3977be5851affbb8e892a2499f

SHA256
8e93488dd1ed2a895626b301664550abfde542d4646256147a024b63d4660dd4

SHA512
77dffea1a3d45c15f0e11751c708eb92a25d45fd1f5da8ba4bb39e6c3f808582a4836b1c65735e217bdfd240f20f5bd403c355c8751cdf06a8fa546f2bca7787

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
208KB

MD5
f4578f6a893e7ced74fc107a777125f7

SHA1
d1d251b4e7dd3c33600bde12ece86411a07f5aea

SHA256
fdfb61491cc394ad082c616f24f9cc19906fddb2f95a76fbe3619f511a904331

SHA512
988be34270641b917bbbf1cf2c8285b3b99bef4065c08920fd1984d03a6a8e571b69519d071ab3db049b726b881d1401179c2e772cbfa0362298f58c7e460fad

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
208KB

MD5
ef05f91eb8f7ba701ea5e9970e6a2f50

SHA1
0a105b2578ea017dd6896a428684d4a5d80617ad

SHA256
53e5740a04ed530e068cb8935d29673276254a5a4b6da5d4d70339489dcab5f6

SHA512
488e078f77ebb218fbd02fa8dcd7475711215257997e5047b5e8cb682d6cf017b0eef33914edc75af4792b0187b5a246fd284ba2d560a2b30f18ef769a857b47

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
208KB

MD5
097f7d8cd0244c58ee87467207c48bb0

SHA1
8deb94179a654bef6a3488a3faa58ac5f0c5366f

SHA256
1e93f6239ea72e4eef39232cc503859194636e377dc3d34f0cd4297ae5d9b10d

SHA512
1155ba936139692abd34453570d497c7e4ad034b24b81c4896a49ed2bf6afc52e6e9c71507d80c63a53385ac101453c28eb5c87fd14bafe88d0d9e2a38105f16

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
208KB

MD5
6986edf499050a18b7ed696193976d86

SHA1
92408cbb4e66ffb069c909305ed2bfaca8b22e92

SHA256
9cfc9ae089b68f81e9ee2a379157c100a3e429312eaa3c27c854140f9529393d

SHA512
a37f7ae5384a9f1525540df61da2a83a8fcceb6734f3f1d08975289960a9c9f8a91c942f0633463d2fe877707a472ed4308e3f5825dcc37d91f8abd1a7d08c9d

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
208KB

MD5
eccad5abf7820cc907fd854c853b937d

SHA1
6e29703023a4348fc4c4c6d90ef08fe6cd128a18

SHA256
ff9ee046229451c8785ad2fc1667eb3fc9216b645076906a8604c9edbbb265e3

SHA512
dfda94449f5074149a583fc9b45fc3b8a09e1fe027dad7caefad3ac7a7d9d6b88d81ec6c8db4294ca8975434b18abdad2b45334d9087a4d1c570212e8bf5979c

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
208KB

MD5
69bafbc4e64f11490033b018a6854aec

SHA1
1f835cb4cd252417c7d0add95c2cdd6264592999

SHA256
c513e1f58dcea875accfa243da88ef94cdd5ce97bf0aa0bd8333ccbfda943692

SHA512
8df2f46590f94dd610202a84000f0e0759c3de7b6252e62a17705f6152b8322095fd4a9db9ac665313f54c2eea102497abf618ff59ee0e1e0a8bf163d617dcf7

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
208KB

MD5
a555ac656a7b165156e3a252d0626247

SHA1
4d85963b3c17ef826a5b73f95a325170609fe14f

SHA256
4df8dbe645feb716fe2ab45cb1accfa66b8814e0ab962137da91b1005c73e837

SHA512
0f1c21eaf1f035468407df0668104f491ef2ae41909e01068a630246536c310f43303d9469b8467088119feb06620fc4074b71e69a0e270579b48b5599b6b749

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
208KB

MD5
b012f4f25cfdef3e25711ca2291cf4a6

SHA1
b9f91a428c1f82041093a06578175c746d018c8b

SHA256
83bdfcc19b152023f2575146da155ee365e141103cee16e97b3e0b8947fecbda

SHA512
293fbf1340d7eb3a1e962c8f703526776c7403fd112788ecf68a6904c67c515ea2bbaa97bcaeb3ee39bdab7bb6485a4a95d19753686c707b24f7daabd86c0a1f

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
208KB

MD5
bc68401adc011fddabb4c3da014147b7

SHA1
99f7956c59fb397053bc5926c5453bd2d740e038

SHA256
e52de6e63db0ee4e447ffcfe4858b9009c92ebbe103885b2a111dc79efe09661

SHA512
8c94eb0b14ab40866cb8aad1ac2adb812fe4c371a326211c85fffeb5a4895bc58198f0db75f6e2fb851906482084270eff071182430be8db757d209cc3880d8b

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
208KB

MD5
206ad05d9235a1c6222ef7e38d1002ef

SHA1
d54f6988e20e3055c5079d83724a5afeabfb9c01

SHA256
71ef7945571821b802f8d053832ffbadaa0b65fd318438235c7efe07ce26cd62

SHA512
48f673dae1581f3db65b36997c23b1e2a3dddf80a5f6d6ff757528eaa8285b9ddb426691f8cc0e5a68c32f30002ad37f7ec1ac1237b13aef5e6e40900cc955fc

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
208KB

MD5
366c32664a6201e747360b6b615d9d25

SHA1
d9f8d2d63da4625087dd5009e39f17d78ac28ef2

SHA256
7f65929be84990e8da3b020120bcb76ee2494eed708a16d9d009eff6893d471f

SHA512
8de99f549359f65aba9e346272ecc44a9226b1ecbc803bea9901b6a0d1e97d6bd59b901aaecb0cc86c5d131a76e7603cb3c3cce64d93a7dbc0bc92a2601aa9c6

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
208KB

MD5
d90909c246fae0a1ba3807a96e757065

SHA1
849ec28538871f17a3b226a0a7632e0ef77605b0

SHA256
31c3e7570e2679b705fe96ca38cf2812425e88ab1de07d9cd45f263e2482b035

SHA512
e508e16aa4f96fe312bad2b673189fa6b75cf3b8677eea5b24e860f51fa776fbdeef033f21856742eac2429d82a7c699faa77c8c6952abf9b77a0a6eea89f20a

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
208KB

MD5
6d3dc216319f487b94e793c2ef2758ea

SHA1
c935dbe41c3466d044374e2e513eaa5f9c335fe9

SHA256
60bc24cadc455de32c7b95c868b9209f3e214260a9e4946b5a919d14f5f872e0

SHA512
a982a045d40b7556377f9a02b74eb12cfb1748e939205f70f5eb20e86f0253328fdd7b4504ffaa4e410af31b4ddf6a08de704fdd377fad0e20e98746d2c1c265

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
208KB

MD5
9e7f5de068d2a91283b2d52dee450f55

SHA1
14e0001fdb0d0a9d3b552d38d261d8d4b1490a20

SHA256
e35e4c1ac94cf1271f6128722b69298e278cdd19babad008fe2c573b8ea60b4d

SHA512
aac750fb5c9dd8cca33b1670a18eae3e7275018e8abadd48e6696b093548eb8b2f3a6248d21904b48027ef9f1eb0cbcb11fa0a42e46855045f2f6d4566eabaa8

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
208KB

MD5
934c634f11caaf5ffb12f67138b17f51

SHA1
4f083c63799b3ffa497cdd70c01caed46f9f2258

SHA256
3e6817a08052702dfa8cf6ce63396a41188c29b5f88d13cabf2e8e6d3467603c

SHA512
207aec181c904643bfc1fedcb2010fc8035e6597d0823fc16b4d72edbd6c3f927bc26d4021c5b23c3c81c6321b28cb63cc79f9496514d145bec82cfb00f9920a

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
208KB

MD5
5aaf9d9e46e6233b430c9c5ab9805539

SHA1
d91a13bc70f7e9ffc3e83b6bac761979285dc7a6

SHA256
39ff059783348e37c47b9b903325f5d046cfc48a3365254ed2be348e69db493e

SHA512
e8d33d22f42897cc58c895a697d66a990259b6366434784376c1c81b621671bbc4863a62ce292b8715534757059dbf98c6ec27eccfb4eceb345a001a99df6abc

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
208KB

MD5
70672e68b9ea9d6f10af101ee59ee543

SHA1
dc7f78d4f33c780d603e99dbd2e1aaa07c49d2d1

SHA256
7a6c7339fbd59cbf3231ab5e85083b9f6f399357b33a7b64b7e7a2e6a4c9f9ba

SHA512
c3a3706f9e6d8170d733ea7c13275c9a9f46ccdacdf1427febb8f8d33a3a6fc4671026e2383e64a390e1d6cda3c9b0c681194bacaec14f42ded6c32273970c31

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
208KB

MD5
37214bf2c5d517ba76adbc8d7806ba07

SHA1
492f487751f69327059564d21b0b37630b4202b3

SHA256
0b40b6cda1170ddba316b01fee55af9c7ac28f2e7ddda8d018be9cbda6f16e99

SHA512
a9a97440276b48270bf54ff8a2381cac9d154271a7fc957fe38f153ab742dc4c06932c3ea99033dcb0a066f24d0c41b2db532cbb88206c14bc09cf2a0164f1d5

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
208KB

MD5
91706c2bf66f0ae753395b8657158f37

SHA1
452a5fd25314499f75743994928db7701ad6780c

SHA256
b8ead21130f222b7ff2d35ce4cfc21c478a5beb049894d9bcb17899e4c6a6788

SHA512
2d0b601d75b950f095b25020c37986d8ac2f1f35e3ef229ac435502ec9a7e2a6dc251c0f4a36207133ca4d96a02a19ef6d6d069525ed08e62a5ac59acc817b9c

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
208KB

MD5
f5c333a10aabaac8616a9e801a381ad2

SHA1
3e92c3bb9d2ed2734d0eabaeeedd04718968c58f

SHA256
dfa57d91cf75354fcf2b0d59a6fa2653e786b3d26a726645369fdadf09a6e920

SHA512
90e329144f3144a0a2fc99904d7beafef6c98f424bca242b1bae81751c7f5fd9732126b6e2373109233a913691874fd54f210f319fa3eb9e13a56f1daa4051c7

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
208KB

MD5
5e4d6765a39b15f1a638e9dfe85ddfad

SHA1
532beedeb9dff82ae7c447e9211a537c2d1a8842

SHA256
90ccf8ffe3d0ab69976f5583fd2955577c17cdd0a4a3e81ef8b34ddf4502ca71

SHA512
23ab6fc3691f06eaa0c2d410f540688691e4246db15394496ac1d4630c371cf2365b7bed6f188670715c50e4d11a5623f51e5bf71350b35404766da5fd75db16

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
208KB

MD5
8c311db179bb7af04fc2a0ed5ac9e574

SHA1
537a045eb5a7915e6ca59974fe1c3c662bec48e9

SHA256
38dba4a21ee84e7cdad7393c2b1636d900ea943c8b2f4510ba0f3dab62a79d9f

SHA512
1c81c15acc751b0673ace56e3e229c63be06e6651b8c6a3aeaf4112de98d76f974baf68509be1441f61495f009afc21fd463fe157d8786108f1a2427bc906087

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
208KB

MD5
a46f5374105412467b33f347d255b124

SHA1
56dd804c7df95a457094d89f8aee36f91145d5ef

SHA256
5c72724e362c59ac830e5b1d413d50d91ca0959149d587fa3bb2a236810bb862

SHA512
3da83e496636331cdd3ec1c45e2b235434b335257b9158befb2d135c86feb9ba89958a4765d6420a74a22fb94d32df8a7cdab0407c2dd46335b09d7d9ff4a443

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
208KB

MD5
f4ca1a7253158a98b01897cc836343a2

SHA1
ebf8bf479ce5c5632c7bc71fb05bc59c8e0637d5

SHA256
de3c1e667f657b23b68bd21863bcf35e98702568fb1f43f95d8abe17ee7101be

SHA512
5ef17ad0dfa3c248843a2a1df294885a16d89638ff3c087795216c8cbdf5ad17b4ad3f839db9cdb707c6ed9a1fd0cc7af4f51c84951f98105bd89b3b6cc9484f

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
208KB

MD5
08e9c0f47bcfd1280fc86da49d146130

SHA1
04559122da570300f7a508f42180dea88380fbc3

SHA256
7058b1336cbaf03b7843a1dbe19e5516ead64ff3ae469cc5291560c11a756961

SHA512
879efb82fd55fb189eec104ba553a8ec465ed9f2ba690e7007cf4cdf6927c5e6c2a9e0aacb3ff11ee7dbfec7ef1574fc33fea88c65ff20025bfb41b255c0ec69

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
208KB

MD5
75722d5aa8b2c27039f6e5a601ed6b32

SHA1
4787aab7a0dccd7cef29884584a0a2d0d9a77688

SHA256
2bce537cbd90d5d05ef4976c723ec0a40e9e8169c25128a6a6993a3ccb1f2992

SHA512
b8e618704a48de38ccdc419e02e61b64a7699fc9cf8514d0802c78df57f87210670071683be951264d5c40b1461aa91b4625de33e88868b8328d2589260f823b

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
208KB

MD5
f5a791e5dbd7fe3939a64f31a5251598

SHA1
579881a804fbdc2b968010f1a7fd0e4646c4f609

SHA256
f67855aa27d21680003fc50b4e39ed4e43f9c54925f4d40044fe5d02fd1bff8e

SHA512
6a4a1a49dfc04401b0b7ef08dc279d31d6e661526f9b74ce082d11fd96c9c7b68898c4d7263c3ac65fc78deeba3c77b6eb67a8d99a68a6f6a079c75da10107fc

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
192KB

MD5
aec919a79a243cc6fbd5d54951fa9fcf

SHA1
31ac4974dbc45e0e8e47eef6b3555086abf3d1d5

SHA256
c8179e6ac069145431652dd213fa5cff36d5735c365652387e514db381f68e99

SHA512
fc1fdc4beee29665df9d47987dc1cda70f9790ed433a5b4d67e6334724479d7758f049b2f06e4fb09692dab267ada9092b5a71c1d7b92c2a0699ce073e4801d0

Download Submit
memory/216-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/216-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/400-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/556-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/620-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/640-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/644-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/880-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1016-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1832-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2180-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2928-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2996-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3024-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3352-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3528-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4824-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4908-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5124-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5168-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5216-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5260-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5304-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5352-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5400-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5444-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads