Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2024 04:32
Behavioral task
behavioral1
Sample
8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23dN.exe
Resource
win7-20240903-en
General
-
Target
8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23dN.exe
-
Size
337KB
-
MD5
b382e12b0485d5c778e565402f1431d0
-
SHA1
9d3bd969ca676e508cfadbc663113a62a4f2711a
-
SHA256
8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23d
-
SHA512
d074daf6103fbe98bc5f3b3c5b76850f1e599688f30c40140283dad43fac54e8ade3112b04bb5f04ae69fb5204d6a96629b17136f76e79c4cb6864602dc18c5d
-
SSDEEP
3072:Do6nEQEWKUrNH3hnQZigYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:D4QEWV3CZi1+fIyG5jZkCwi8r
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmajipb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepefb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeoaapl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daqbip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageolo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhfajjoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqppkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chmndlge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beihma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeiofcji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadifclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgcbgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffbbldm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhhoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpcfdmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmhck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgehcmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqdqof32.exe -
Executes dropped EXE 64 IoCs
pid Process 3992 Pgioqq32.exe 3404 Pjhlml32.exe 4020 Pgllfp32.exe 1908 Pfolbmje.exe 3500 Pqdqof32.exe 3944 Pcbmka32.exe 4112 Qmkadgpo.exe 4268 Qgqeappe.exe 1488 Qfcfml32.exe 3480 Qnjnnj32.exe 1380 Qmmnjfnl.exe 3080 Qcgffqei.exe 964 Qgcbgo32.exe 2108 Qffbbldm.exe 4416 Anmjcieo.exe 712 Ampkof32.exe 2652 Aqkgpedc.exe 1992 Adgbpc32.exe 2304 Ageolo32.exe 2348 Afhohlbj.exe 4144 Ajckij32.exe 1444 Anogiicl.exe 368 Aqncedbp.exe 4536 Aeiofcji.exe 452 Aclpap32.exe 4188 Agglboim.exe 2112 Afjlnk32.exe 2020 Ajfhnjhq.exe 3152 Anadoi32.exe 1320 Amddjegd.exe 4836 Aqppkd32.exe 2920 Aeklkchg.exe 1344 Acnlgp32.exe 1704 Afmhck32.exe 3688 Ajhddjfn.exe 1400 Andqdh32.exe 620 Amgapeea.exe 2212 Aeniabfd.exe 548 Acqimo32.exe 2736 Aglemn32.exe 3384 Afoeiklb.exe 684 Anfmjhmd.exe 392 Aminee32.exe 1800 Aadifclh.exe 3084 Aepefb32.exe 3180 Accfbokl.exe 1948 Bfabnjjp.exe 2892 Bjmnoi32.exe 3484 Bmkjkd32.exe 4372 Bagflcje.exe 3616 Bebblb32.exe 2628 Bganhm32.exe 1016 Bfdodjhm.exe 320 Bnkgeg32.exe 3968 Bmngqdpj.exe 3780 Baicac32.exe 4748 Beeoaapl.exe 5048 Bgcknmop.exe 1376 Bffkij32.exe 2820 Bjagjhnc.exe 4076 Bmpcfdmg.exe 4964 Balpgb32.exe 5160 Beglgani.exe 5200 Bgehcmmm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ihidlk32.dll Baicac32.exe File opened for modification C:\Windows\SysWOW64\Bmbplc32.exe Bjddphlq.exe File created C:\Windows\SysWOW64\Dfnjafap.exe Ddonekbl.exe File created C:\Windows\SysWOW64\Bganhm32.exe Bebblb32.exe File created C:\Windows\SysWOW64\Jijjfldq.dll Bjagjhnc.exe File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe Chcddk32.exe File opened for modification C:\Windows\SysWOW64\Dmjocp32.exe Dogogcpo.exe File opened for modification C:\Windows\SysWOW64\Qcgffqei.exe Qmmnjfnl.exe File opened for modification C:\Windows\SysWOW64\Aqppkd32.exe Amddjegd.exe File opened for modification C:\Windows\SysWOW64\Aeniabfd.exe Amgapeea.exe File created C:\Windows\SysWOW64\Abkobg32.dll Bmkjkd32.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Bfhhoi32.exe File opened for modification C:\Windows\SysWOW64\Daqbip32.exe Dobfld32.exe File opened for modification C:\Windows\SysWOW64\Qfcfml32.exe Qgqeappe.exe File created C:\Windows\SysWOW64\Kboeke32.dll Ageolo32.exe File created C:\Windows\SysWOW64\Mbpfgbfp.dll Anadoi32.exe File created C:\Windows\SysWOW64\Eflgme32.dll Bffkij32.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Bhhdil32.exe File created C:\Windows\SysWOW64\Flgehc32.dll Chmndlge.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Dfiafg32.exe File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe Dddhpjof.exe File created C:\Windows\SysWOW64\Anogiicl.exe Ajckij32.exe File created C:\Windows\SysWOW64\Pkejdahi.dll Anogiicl.exe File created C:\Windows\SysWOW64\Anfmjhmd.exe Afoeiklb.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bmpcfdmg.exe File created C:\Windows\SysWOW64\Kngpec32.dll Dknpmdfc.exe File created C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe File created C:\Windows\SysWOW64\Bobiobnp.dll Dogogcpo.exe File created C:\Windows\SysWOW64\Dhocqigp.exe Dddhpjof.exe File opened for modification C:\Windows\SysWOW64\Ampkof32.exe Anmjcieo.exe File created C:\Windows\SysWOW64\Dpmdoo32.dll Aclpap32.exe File opened for modification C:\Windows\SysWOW64\Bagflcje.exe Bmkjkd32.exe File created C:\Windows\SysWOW64\Beglgani.exe Balpgb32.exe File created C:\Windows\SysWOW64\Cajlhqjp.exe Cfpnph32.exe File opened for modification C:\Windows\SysWOW64\Dhfajjoj.exe Cegdnopg.exe File opened for modification C:\Windows\SysWOW64\Qgqeappe.exe Qmkadgpo.exe File opened for modification C:\Windows\SysWOW64\Anmjcieo.exe Qffbbldm.exe File created C:\Windows\SysWOW64\Echegpbb.dll Ajhddjfn.exe File created C:\Windows\SysWOW64\Mmnbeadp.dll Belebq32.exe File opened for modification C:\Windows\SysWOW64\Bgcknmop.exe Beeoaapl.exe File created C:\Windows\SysWOW64\Cjinkg32.exe Cfmajipb.exe File created C:\Windows\SysWOW64\Deokon32.exe Daconoae.exe File opened for modification C:\Windows\SysWOW64\Daekdooc.exe Dmjocp32.exe File opened for modification C:\Windows\SysWOW64\Qgcbgo32.exe Qcgffqei.exe File created C:\Windows\SysWOW64\Ageolo32.exe Adgbpc32.exe File created C:\Windows\SysWOW64\Ghekgcil.dll Ajckij32.exe File created C:\Windows\SysWOW64\Leqcid32.dll Bnkgeg32.exe File opened for modification C:\Windows\SysWOW64\Pgllfp32.exe Pjhlml32.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Afhohlbj.exe File opened for modification C:\Windows\SysWOW64\Afjlnk32.exe Agglboim.exe File created C:\Windows\SysWOW64\Bmemac32.exe Bnbmefbg.exe File opened for modification C:\Windows\SysWOW64\Aepefb32.exe Aadifclh.exe File created C:\Windows\SysWOW64\Bjmnoi32.exe Bfabnjjp.exe File created C:\Windows\SysWOW64\Ldfgeigq.dll Bfabnjjp.exe File created C:\Windows\SysWOW64\Mjelcfha.dll Delnin32.exe File opened for modification C:\Windows\SysWOW64\Aeklkchg.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Gmdlbjng.dll Andqdh32.exe File created C:\Windows\SysWOW64\Iphcjp32.dll Bmpcfdmg.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bhhdil32.exe File opened for modification C:\Windows\SysWOW64\Dodbbdbb.exe Dkifae32.exe File created C:\Windows\SysWOW64\Nokpao32.dll Dhocqigp.exe File opened for modification C:\Windows\SysWOW64\Pjhlml32.exe Pgioqq32.exe File created C:\Windows\SysWOW64\Afhohlbj.exe Ageolo32.exe File created C:\Windows\SysWOW64\Aclpap32.exe Aeiofcji.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4612 2792 WerFault.exe 196 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjinkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqncedbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkjkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfhhoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmmnjfnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampkof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkifae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhlml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andqdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgehcmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdodjhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqppkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgapeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepefb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bagflcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcknmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amddjegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjddphlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbmka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Banllbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabfga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daekdooc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfolbmje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajfhnjhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daqbip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodbbdbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeklkchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeniabfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aminee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeiofcji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcoenmao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoeiklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmkadgpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkgpedc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgbpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjlnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfcfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgcbgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddjfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopigd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmhck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmngqdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbplc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daconoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglemn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmnoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll" Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amgapeea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmpcfdmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndikf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" Qgqeappe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeklkchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodbbdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll" Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" Bjddphlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" Dodbbdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" Aqppkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baicac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqdqof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anfmjhmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll" Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll" Qmmnjfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfnjafap.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1212 wrote to memory of 3992 1212 8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23dN.exe 84 PID 1212 wrote to memory of 3992 1212 8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23dN.exe 84 PID 1212 wrote to memory of 3992 1212 8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23dN.exe 84 PID 3992 wrote to memory of 3404 3992 Pgioqq32.exe 85 PID 3992 wrote to memory of 3404 3992 Pgioqq32.exe 85 PID 3992 wrote to memory of 3404 3992 Pgioqq32.exe 85 PID 3404 wrote to memory of 4020 3404 Pjhlml32.exe 86 PID 3404 wrote to memory of 4020 3404 Pjhlml32.exe 86 PID 3404 wrote to memory of 4020 3404 Pjhlml32.exe 86 PID 4020 wrote to memory of 1908 4020 Pgllfp32.exe 87 PID 4020 wrote to memory of 1908 4020 Pgllfp32.exe 87 PID 4020 wrote to memory of 1908 4020 Pgllfp32.exe 87 PID 1908 wrote to memory of 3500 1908 Pfolbmje.exe 89 PID 1908 wrote to memory of 3500 1908 Pfolbmje.exe 89 PID 1908 wrote to memory of 3500 1908 Pfolbmje.exe 89 PID 3500 wrote to memory of 3944 3500 Pqdqof32.exe 90 PID 3500 wrote to memory of 3944 3500 Pqdqof32.exe 90 PID 3500 wrote to memory of 3944 3500 Pqdqof32.exe 90 PID 3944 wrote to memory of 4112 3944 Pcbmka32.exe 91 PID 3944 wrote to memory of 4112 3944 Pcbmka32.exe 91 PID 3944 wrote to memory of 4112 3944 Pcbmka32.exe 91 PID 4112 wrote to memory of 4268 4112 Qmkadgpo.exe 93 PID 4112 wrote to memory of 4268 4112 Qmkadgpo.exe 93 PID 4112 wrote to memory of 4268 4112 Qmkadgpo.exe 93 PID 4268 wrote to memory of 1488 4268 Qgqeappe.exe 94 PID 4268 wrote to memory of 1488 4268 Qgqeappe.exe 94 PID 4268 wrote to memory of 1488 4268 Qgqeappe.exe 94 PID 1488 wrote to memory of 3480 1488 Qfcfml32.exe 95 PID 1488 wrote to memory of 3480 1488 Qfcfml32.exe 95 PID 1488 wrote to memory of 3480 1488 Qfcfml32.exe 95 PID 3480 wrote to memory of 1380 3480 Qnjnnj32.exe 96 PID 3480 wrote to memory of 1380 3480 Qnjnnj32.exe 96 PID 3480 wrote to memory of 1380 3480 Qnjnnj32.exe 96 PID 1380 wrote to memory of 3080 1380 Qmmnjfnl.exe 97 PID 1380 wrote to memory of 3080 1380 Qmmnjfnl.exe 97 PID 1380 wrote to memory of 3080 1380 Qmmnjfnl.exe 97 PID 3080 wrote to memory of 964 3080 Qcgffqei.exe 98 PID 3080 wrote to memory of 964 3080 Qcgffqei.exe 98 PID 3080 wrote to memory of 964 3080 Qcgffqei.exe 98 PID 964 wrote to memory of 2108 964 Qgcbgo32.exe 99 PID 964 wrote to memory of 2108 964 Qgcbgo32.exe 99 PID 964 wrote to memory of 2108 964 Qgcbgo32.exe 99 PID 2108 wrote to memory of 4416 2108 Qffbbldm.exe 100 PID 2108 wrote to memory of 4416 2108 Qffbbldm.exe 100 PID 2108 wrote to memory of 4416 2108 Qffbbldm.exe 100 PID 4416 wrote to memory of 712 4416 Anmjcieo.exe 101 PID 4416 wrote to memory of 712 4416 Anmjcieo.exe 101 PID 4416 wrote to memory of 712 4416 Anmjcieo.exe 101 PID 712 wrote to memory of 2652 712 Ampkof32.exe 102 PID 712 wrote to memory of 2652 712 Ampkof32.exe 102 PID 712 wrote to memory of 2652 712 Ampkof32.exe 102 PID 2652 wrote to memory of 1992 2652 Aqkgpedc.exe 103 PID 2652 wrote to memory of 1992 2652 Aqkgpedc.exe 103 PID 2652 wrote to memory of 1992 2652 Aqkgpedc.exe 103 PID 1992 wrote to memory of 2304 1992 Adgbpc32.exe 104 PID 1992 wrote to memory of 2304 1992 Adgbpc32.exe 104 PID 1992 wrote to memory of 2304 1992 Adgbpc32.exe 104 PID 2304 wrote to memory of 2348 2304 Ageolo32.exe 105 PID 2304 wrote to memory of 2348 2304 Ageolo32.exe 105 PID 2304 wrote to memory of 2348 2304 Ageolo32.exe 105 PID 2348 wrote to memory of 4144 2348 Afhohlbj.exe 106 PID 2348 wrote to memory of 4144 2348 Afhohlbj.exe 106 PID 2348 wrote to memory of 4144 2348 Afhohlbj.exe 106 PID 4144 wrote to memory of 1444 4144 Ajckij32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23dN.exe"C:\Users\Admin\AppData\Local\Temp\8f355a952b91eb078c4ee147069fcef65656620862f6c8dd67ea750d2521a23dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4536 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4188 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3152 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4836 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3688 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe40⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3384 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:392 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3084 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4372 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3616 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe64⤵
- Executes dropped EXE
PID:5160 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5360 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe74⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5600 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe76⤵
- System Location Discovery: System Language Discovery
PID:5640 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5720 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe79⤵
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe80⤵
- System Location Discovery: System Language Discovery
PID:5808 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5892 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe83⤵
- Drops file in System32 directory
PID:5924 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe86⤵
- Modifies registry class
PID:6116 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe87⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe90⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1132 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe93⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe94⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe97⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe98⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3172 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5608 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe103⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5560 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe107⤵
- System Location Discovery: System Language Discovery
PID:5912 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe108⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe111⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 400112⤵
- Program crash
PID:4612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2792 -ip 27921⤵PID:4012
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
337KB
MD580a056817d2d1c67c5b0a0a28ba74aa6
SHA1448f7cca908131c4966ca0a0a5ab2e2b964e295b
SHA256c8639b82515b2fdceaef9af06d2989d2e6777fc8b49a1e8de674a0f7a5315bb8
SHA512d164f4f8331d61292bc1d3e02c5146ad83216db5c181451601f9d81390ff62a44ac7e03e077e979140703d199b9b7c77eb1d6b1726e4afb33a548216020c0a24
-
Filesize
337KB
MD5a74aef4369a0953fed44aa358b836d24
SHA1044cdff5bdea1564e234997d86e28bbe3ba3c088
SHA25610c223628d28b7d837210c94631751a9ca20d39de7cb9694b8b08e0fa6b06c20
SHA512898604f12fbc33fb7b440753896dc693cfc712ee027dd9c864b544cf0b1c342c51e739ad8036406fed6a93b3c0673a1638ca5c1e0c62091e04f16ab9bcee9edc
-
Filesize
337KB
MD5d621da71222e8ef4c7d2def23b7d32a0
SHA1172d251aed2ac3a9bb579fa8fa691f75675d8b84
SHA256863d356e9b66beeb5849662583463169ff19e39a3d335065d243f1b0cf2a3ed9
SHA51246ff583a7a9d184e3f245e60ed9b3c6bf40298ee4c43d485194e01a4a1737baf53c8315d9893659ecf02b202340557e3db38df8876238733ae8dd43576416958
-
Filesize
337KB
MD50ba6fc3bb1cda8f02e133c1d086297c6
SHA123f29f3c27b7a2794c215f23dcf7369972ebd751
SHA25684dd5fc0e8e7a21ce43eb87870a47db9b10a1b56674a5052d6e197a52abed505
SHA512f719ffab9682609600e90acb16392164c309caf0f57b5bf36b0775e892274f31db15dbcf56b8e67007b6e00dbf8e62aa2fbcf9ecd9e96922949c654e518c7b51
-
Filesize
337KB
MD5caa69ffceb363a5a0d28e3953166318a
SHA1df9817802979c7b6dd84303bd4430cc186c8e3c5
SHA2569dc704a15b7183a0dd603568c87ee3190f99ee4e99512b8777da119eaa672e73
SHA5120e2835eadb6525e4f4dcb2ef0eab95f604c3ae1f9e3d54aae575c5152f35c20c698a557ea8fd864297458f821f5dc41c64ac577046067023f9216523e481b652
-
Filesize
337KB
MD5824ce0d0c131d4835e0fecb3141e2789
SHA1e0a8db5031364ae0d339e759a319f57981d8e13b
SHA256cd0dcea7e872de1bb4efc2f4bca9263c1c3e3462c47fa365f304fc2311f57e1d
SHA5121829470f80ea6507a76025f0e987167db273ccf25feb0d4e5a6b5220ba7a0745a3c5b40c24b74769e7dabc93600cf64db88780657bbe47882d652055fdf1ac8c
-
Filesize
337KB
MD5fa5e346ea1594a57ea81f3632fd94792
SHA12c88e62c788ad6efe51eeda1d7f5f8afd3209b66
SHA256b89c88e32ba9354c342a5eae4d878cbdd439c04c1376ff2b78e9662bd15dcb36
SHA51239197f57f94729535a8009798d113b50ac82b1c065b78581151bee936f048656296eb10805d00f34f9b51115b7c753e786a13fea79815fd8a792702c29509c07
-
Filesize
337KB
MD525fc2f4fd5fb885549569546fd304a1d
SHA1e862e5bd05ad3b71a9f466796cfb41da041a7d5a
SHA256b92b0a42f2c4534fbec77325fe2bd7f478b7cd32c9e1bd4475e62685f25c39c8
SHA512aa5d358b7ba73bfd68d4df2426b1bfa0f1cfa0068158a749a08039c40b03ff7b2bde342791ce25d557eac8563a73ff4f0ebb4885d0ae5c6221e9afda28f8906f
-
Filesize
337KB
MD5ff8d2e6c20f2cef5db254814e97e5272
SHA1bdcffcda9dcd5f9107b893a2dfaeb50448db51e8
SHA256aafdf6decc08533b875ebee1b6cda3dd75f4aaad6f758ffc94a11e9f67013a74
SHA5121ad17157cfa097e4802e57af4cf8a76cac1b82d6413bdd7d0da2ee2eaeb0fde018b0770e3527fca771cd24e6ce64974c86ae6b2f443291938f8571ee4bf75e26
-
Filesize
337KB
MD52e6de8e5650e8d95a5ac66d4ac5859ae
SHA1344b33df10c7b14cae9c31728c668a1f7b2c4b26
SHA256d82eecbd030603a652125bbdccfa036c2321f43c5d30c561dede56c8a76dc88d
SHA512a107a48e8e2acc59769e2ae8fc9096515f3be1f18513937243c6c8bb7a8cf43de2d56a74944c65270b616437bba6f6d08a2a6732fc265654bf544d4fa7379c06
-
Filesize
337KB
MD54ec30d58c92ca3bba7deed6f1735c540
SHA105aad9731c50d239ac37685caa349880da24dbc0
SHA256c1abaf1ae82b10dd06b439f573c1a7d981e23023b4dabd5866f10e48cec05561
SHA5125c684105e32cf95f27ae98cc5fddf77736282c769e03a8d6332a7229dd6498f9ec84f0007a99ecf1e8c20092f80497e19234240d4924770e69a626c8f378e1c8
-
Filesize
337KB
MD562d65437e8725a90a834f36cc040e730
SHA19c72ae6edbec5fae1c4d8376709494dd36b89840
SHA256d291a329aa1368da0ddbdd1157eb063a5c39d92261bff340f77b93f8a42aa229
SHA512f9adfa06e38cdd8a4c56b18590ed2128f003e5d57ad1045c5c7846e1e172ec1fc6269d6818d2ef2f041d06fbd4b87d54e3d97656424e1cae4e76e892b9ee9f5a
-
Filesize
337KB
MD5278de2a67e50e810e3bc7af6a36c6178
SHA126537faa85d2bb711b9dea9f25ad63563894ffc6
SHA256a88f44b987448f72bfc741a06e4fb5132874ced729fd5375bbb52dfc783038e9
SHA512feed70f10e3dd76855366ddcf1e2c9da945393452cfc761192ecfc36ba757bcdc6292a73646a82bfed49f4599eb26109cce743c65ae4d05fde82d7d8175a7152
-
Filesize
337KB
MD56cb4e9a518d71049662f0eabb413dbd5
SHA183c536e3c7ab506693de41e130e96b74ce6f1a28
SHA256aa80d84e9208caa3b5d827bdb4015ad960717e1f79af212dac87be8c58f8d321
SHA512719e943e689e2a4e9770a05a90d0b6b3a9b93eafc398970d191c482d675f4485f2b85f00338ff8153f5b3becb9ea511364642007684f9fbb8fa83c2bdf9fb93f
-
Filesize
337KB
MD59f973fb4908c44ed7682a8fc45a0a3c2
SHA185612dc7402653a250da2dbade8b0ac1539c72bf
SHA25674935f7a5e2b1f980c72fbf6258282962232c13f72a13ee41dd4c6c984ad9a4d
SHA5128b6dc891677ec39625ac58beb6a3622116968818050be6e3f60832214d8721b0c26a9698506c633071bddb55f2a292144ddd658e46ade8d560bd91a821b602ba
-
Filesize
337KB
MD52c736bea60f3b20fe7d9b3dc55d141ed
SHA16fcb1e71f90e1222332b8598485788f39e7e6428
SHA25652fabfe4700f70752c1828db3c5653ca4bb34d86ab442cdfdeb5cb7b1128f319
SHA512ab694885d6359e8fc6a1dfb3c451d51835df4985f8531a41ad5394066d17bd1e704ae1661227bdcbcdcdac6bb14083674bea322dea106f3bc563f5f5c3998d64
-
Filesize
337KB
MD5d22ae9ab29fc538f3e02984c1899eb25
SHA14938b39b64ef6fe1fc36fc1518646e13794998e9
SHA25653fb210b4bf3ffb47c032b2ead9000c8b45cbc356cf79cca200f87ebbcbab3e9
SHA512d15df00de08a3dce01c52381f973daf48333e98c2fb5a6e9128db14188c5c902f536b6056261b62fdfdd0028a80710f24667de5abc61893464b4a2eed61d5b60
-
Filesize
337KB
MD5f5ad8a27db7cdf354a3728778d6ae3f0
SHA156411403a4b541b96eaf83f0b3d0c4ebf789dd15
SHA256a7e83891cb683b9df723bfd5cc8a87a5cd69dd8f257044bdf65a006e05111099
SHA512aa2d2bf8e849912446142d86f803e80c512f2f2023437ce03f1f04c8e3a301403e7e5b78fb1224d1567a729a23d96933d12780be84a42592a8ef9b26029d3eec
-
Filesize
337KB
MD51abc7c79e60f251bd403ae1fbeadb2e4
SHA1b2e205515215cdc86096f7750ae0eaa4b035c36d
SHA25641d86cb9600551f226cc1ab99726b012ab5fc1a8b0ebd4c8b8d19ec51ec110e1
SHA5123fc6d6a7812887f4edb9b879be99e38c847306f344fdce74f61c13b574f8aedec48a108ed454f93ebf21a9e4f0a433e23abdcfca7a3cb883167e7c34d8ba8319
-
Filesize
337KB
MD53925af7b35f331d9f706ebb9515593a5
SHA13cce77a7109eed46fdf9bb6746769631abf30993
SHA256503c3584499da12ecbdadeb53b1c74e1cdb3dcadd01dd20dc177de45a5882de7
SHA5123805958a6c2d67c7d345cc5273ace2abc8eeeb76ed95c46486202d2cc2b3df5bc5124cd54059bc530540651977d50e2c4cec1d7690ad458226f881751ef92b4f
-
Filesize
337KB
MD5fb4bc12d09618d80337cc18e2fd2b272
SHA13bd6658166fcb9c2943f2d7c8787f4c1b64f1136
SHA2566a75e54ca21f883da71e414b2cdd2f88849d3bd17cccad620dc4ce15437337fa
SHA512c9d62f555553537f30b633613a4b7f2cbb79f0caf04a2f63bbf2d40300fca90a541885c7b5abe8ec8fc41df8f8074de343a1e049c3a125eeee57a12e23e7e692
-
Filesize
337KB
MD52f9273288331180f5b0665bb5054a4fa
SHA1e5fa8c616bb83bd1f25ee42c78b9e87b9eaae795
SHA256fcec007cc5d613ddb7da902ea7c66085187c28df84eae794506181207e898c96
SHA51216f1374c9c374deff31d675c69ffe28639b5d42581f8bbada2cae8da7c66fff5e8ed1d592de8c87cc4feb2c1d4209637e9fc8fc8402e3776a22c33e5850ffea4
-
Filesize
337KB
MD5e63428a1eea89a36646472dbc63e162c
SHA16f6229aa31dcd6df61e206a0a962c5603cb49249
SHA2569419a55354b5ab7f5633896ee21984cb9f276c3b18f2c2a45e4505f33e889494
SHA512cde2eaef21473d8a12e1a14a70319b7d5ddd7219c9e6d8f40d3b337c6f9a501ab82a786aa30b529ff9dca386027266d561ed3350d5e678fbf771563569f4122d
-
Filesize
337KB
MD54f7c8ae23e140e3d3694a6967b7a5731
SHA111ddb64edd481aaec88e197ee7885167ddea9e57
SHA25610e0af5907bd23f72df297520a7033ce358af37c47f36c93eecf24dd61c768bf
SHA512e25b7316609981228af9e947f800d7b6b8450ee3a68c532923789a342f3e97c142a0f74543573323335b6fb607904c3e1ae7abddfa694cea45b61a30c37db3b5
-
Filesize
337KB
MD51eb9a52a35e5b14f044f45069ba959c3
SHA13468129279aa4131a72fad11d87e9f8470d42c3b
SHA25664c190a2ee765597d9fb2b29c8744620b2155332811e35cfa73d55447d4b3300
SHA512b57dac732a7d1aaadf7d4e04fcb68ae9fad91bbd7d21b581e0c0eeb9278a97c91b54ae9e0a4023fe13b360fa05158ae2fd95ac49a3405ff0c02624795dd65de3
-
Filesize
337KB
MD53ca4b926d77d23e2d0de61b0e8962ffc
SHA1e401537de09d202c64eae0500243e0de61fe69d2
SHA256cd7d3bd43095802d238b46708345162890477dbf2c88d57f2ad9ee94ddb5075b
SHA5124c9db1c444625e0a796092025571843729e8947ff929462a85fcb50e5b04d057243a4d9ce9808b4e6c4c5619750837ace7934eaf237926a5329c49d4d8f0aaeb
-
Filesize
337KB
MD55d5ba81b916cdd87a9f71c8ba2da6d13
SHA1ec66f34c5f27fd1e55537ee5e37a1cd015111927
SHA256542f8cc9ef579bbef73438aba43763daad6c797b3b638023b6b85d3311fc16c2
SHA512b365391f44d9ae486b3304b7d248e987f8192d6f790e9c02f54ba872e38ed7abba21be0a91323b62a8ce162e39202f5619d65c86431f7bcbbf0743f21f31632e
-
Filesize
337KB
MD53e457f3938619678bdf1369e337e5469
SHA1637638049dd8a7d657a35f7beaa710e4a1afa128
SHA25606e7532ccbd48ee64f8c1783f3bdfaaed8c6b3bec06a2e3a0b80c3c6bf3044a3
SHA5125b1f6915a2f7c00049e83337aba0d929345f747633653bf154474c077ebc486329db49e86457c9363402c5281949779d18dcca073863a2b1b2d27e36f274be3e
-
Filesize
337KB
MD5c7490334ff29355396f34025faf5a13b
SHA148ecaac1eb189b244a1f1371c471dfb94ca2f783
SHA256a5b8643ce263a50a928234f4a50a264fca0074b85d5af4df36ed48edad43027d
SHA512037f97e576dd56b201c56920898941a70b1162d8ef9a07bdcb3fb5bbc56da52294d12d8486c9d53911e16d68c7d53f99434c53c2ed5399ce0194a14db99ad04a
-
Filesize
337KB
MD5085b96c7ea46cfa29dca20d201b0085d
SHA130f7b3cdb0627c812487fedac49318825ead657b
SHA25632237e88420a666eac3aa80b84ce5b00e66b9c5c4c35b7dece867ed72ebaf448
SHA5125ed283825cb7057eb44f4e796da8d54700707aaf6d7671fb20393054b88d9177ed8bbab8bf6be011ed39dc694da755dc383f58f1ab13d8ae4c786d7eb6dc81b6
-
Filesize
337KB
MD559b74e3520cffccb967b94889a64d1c0
SHA162fb7bf10c597da2ae394c32b2c3e873698d87e7
SHA256971ba34f24a9e4e44f7fa50a851ba9adf0e26cc5fd6eb7c7b415e24081830837
SHA5120451e7dff3ba745bd3f4c3b5aad0b1107e555fa5eccd15290149075937b794cd8b77291ca9028822ffc1e8c583b6e26a10d6a22942894ec4dd6f20c5c74c067e
-
Filesize
337KB
MD56d9e01b431a7fb76d8da42475b11521f
SHA128298d62439272464f9fb4fb8ae2d8c4cb86f6a4
SHA256ac7c1931c62f3f1641a9d935f8b6325b0b18db9744ab356b38a90c9d9baeba1b
SHA5129ed4026fa58a7eca7aee191611ac5779664f8ffa4bd089bb6a0533dad3286291ae4d4b29542641ea1db08255fbab167c3b05abccf04763648c5d901b91ae55ca
-
Filesize
337KB
MD515aa431658482568b94a2b9235c09625
SHA1fe3e54c2be09a8ed0b32f04fa4cbdeaa9938474e
SHA25652df9694acfe8fa35bdebe336d7a7bd0b6ba72afaf6a934a9d6bbadc3a69b25a
SHA512462b079fe8225bb7112122a13824014ef6cc8d8aea6a0ffa8464e6b24bdfa3c482e477af6ae0d6cc3e29f26b0bf24ee2f7cc59021710ec3afdd578cfe20b9cca