Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 03:57
Static task: static1
Behavioral task behavioral1: Sample 27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample 27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe, Resource win10v2004-20241007-en
General
Target: 27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe
Size: 90KB
MD5: aaad31929265f91483e12d98de3c9d20
SHA1: f504d7efb132d1e7c79a10031e349bb421b831dc
SHA256: 27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3
SHA512: e3b7f71568e81862b409c336a8e84953d72c8db6051074a12ef8bb34ccdf1d083c5a09b6796dc6e2a177ed8d0843643e94d7da20735999b61428d977ae22c837
SSDEEP: 1536:q/Pwg1Iq0tBdht/ElWHp3miypGRjCA7Hg4GDjlOtmVKbGNu/Ub0VkVNK:JtTTMsJmzAmD8trGNu/Ub0+NK
Malware Config
Extracted
Family: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The third entry is a printf-style template (%s, %i, %09u, %02d placeholders) that the sample fills in at runtime, so the literal string will not appear on the wire; match on the path and the colon-separated field layout rather than on the whole URL.
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) holds CLSIDs that Explorer instantiates when the shell starts; the DLL actually loaded is whatever the CLSID's InProcServer32 key names (see "Modifies registry class" below). The WOW6432Node path, together with the SysWOW64 drop location, shows the sample is a 32-bit binary running on the 64-bit image.
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  26 processes: Pdpmpdbd.exe, Bnkgeg32.exe, Bjagjhnc.exe, Pnonbk32.exe, Cffdpghg.exe, Ddonekbl.exe, Pmfhig32.exe, Cfmajipb.exe, Ngpccdlj.exe, Npmagine.exe, Cfdhkhjj.exe, Npjebj32.exe, Bffkij32.exe, Bfkedibe.exe, Acjclpcf.exe, Aeiofcji.exe, Amgapeea.exe, Cnicfe32.exe, Dejacond.exe, Qddfkd32.exe, Ndcdmikd.exe, 27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe, Afhohlbj.exe, Beeoaapl.exe, Amddjegd.exe, Ngmgne32.exe
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  38 processes: Qddfkd32.exe, Aqkgpedc.exe, Pjhlml32.exe, Oqhacgdh.exe, Pdifoehl.exe, Ndcdmikd.exe, Npmagine.exe, Ogpmjb32.exe, Pfolbmje.exe, Ambgef32.exe, Cjkjpgfi.exe, Qfcfml32.exe, Bcjlcn32.exe, Dobfld32.exe, Mlcifmbl.exe, Nngokoej.exe, Bfkedibe.exe, Nfjjppmm.exe, Dmgbnq32.exe, Balpgb32.exe, 27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe, Pmidog32.exe, Acnlgp32.exe, Aepefb32.exe, Cenahpha.exe, Pjeoglgc.exe, Pdmpje32.exe, Beihma32.exe, Ddonekbl.exe, Olfobjbg.exe, Afoeiklb.exe, Cfdhkhjj.exe, Cffdpghg.exe, Dejacond.exe, Pnlaml32.exe, Olhlhjpd.exe, Ognpebpj.exe, Afhohlbj.exe
Berbew family

Executes dropped EXE (64 IoCs)
pid  Process
5028  Mlcifmbl.exe
5096  Mdjagjco.exe
3004  Mlefklpj.exe
1388  Mgkjhe32.exe
4584  Mlhbal32.exe
1856  Ndokbi32.exe
2860  Ngmgne32.exe
1912  Nngokoej.exe
1384  Ngpccdlj.exe
3336  Njnpppkn.exe
2708  Ndcdmikd.exe
4228  Njqmepik.exe
3724  Npjebj32.exe
3356  Nfgmjqop.exe
548  Npmagine.exe
4864  Nfjjppmm.exe
3600  Oponmilc.exe
2964  Oflgep32.exe
464  Olfobjbg.exe
3552  Odmgcgbi.exe
5088  Ofnckp32.exe
3240  Olhlhjpd.exe
4900  Ognpebpj.exe
4552  Onhhamgg.exe
668  Ogpmjb32.exe
556  Ojoign32.exe
1184  Oqhacgdh.exe
4972  Ojaelm32.exe
4212  Pnlaml32.exe
1880  Pgefeajb.exe
116  Pnonbk32.exe
1128  Pdifoehl.exe
1780  Pjeoglgc.exe
3420  Pqpgdfnp.exe
4476  Pcncpbmd.exe
4556  Pjhlml32.exe
3324  Pmfhig32.exe
4208  Pdmpje32.exe
3224  Pfolbmje.exe
4624  Pmidog32.exe
1364  Pdpmpdbd.exe
4932  Pgnilpah.exe
3936  Qnhahj32.exe
2088  Qfcfml32.exe
2664  Qddfkd32.exe
2528  Qgcbgo32.exe
3468  Ajanck32.exe
1524  Aqkgpedc.exe
2164  Acjclpcf.exe
4424  Afhohlbj.exe
2208  Ambgef32.exe
1944  Aeiofcji.exe
532  Afjlnk32.exe
812  Amddjegd.exe
1152  Acnlgp32.exe
2996  Afmhck32.exe
2304  Amgapeea.exe
2920  Aglemn32.exe
780  Afoeiklb.exe
1252  Aminee32.exe
1404  Aepefb32.exe
1380  Bjmnoi32.exe
1280  Bagflcje.exe
2280  Bfdodjhm.exe
Drops file in System32 directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\Npmagine.exe  Nfgmjqop.exe
File created  C:\Windows\SysWOW64\Laqpgflj.dll  Qddfkd32.exe
File created  C:\Windows\SysWOW64\Hjjdjk32.dll  Balpgb32.exe
File created  C:\Windows\SysWOW64\Caebma32.exe  Cjkjpgfi.exe
File created  C:\Windows\SysWOW64\Cnicfe32.exe  Cdcoim32.exe
File created  C:\Windows\SysWOW64\Doilmc32.exe  Dgbdlf32.exe
File opened for modification  C:\Windows\SysWOW64\Njnpppkn.exe  Ngpccdlj.exe
File created  C:\Windows\SysWOW64\Ldfgeigq.dll  Aepefb32.exe
File created  C:\Windows\SysWOW64\Ihidlk32.dll  Bnkgeg32.exe
File created  C:\Windows\SysWOW64\Hjfgfh32.dll  Qfcfml32.exe
File created  C:\Windows\SysWOW64\Gokgpogl.dll  Qnhahj32.exe
File created  C:\Windows\SysWOW64\Bmpcfdmg.exe  Bjagjhnc.exe
File created  C:\Windows\SysWOW64\Dgbdlf32.exe  Dmjocp32.exe
File created  C:\Windows\SysWOW64\Mlhbal32.exe  Mgkjhe32.exe
File opened for modification  C:\Windows\SysWOW64\Bnkgeg32.exe  Bfdodjhm.exe
File created  C:\Windows\SysWOW64\Fpnnia32.dll  Beeoaapl.exe
File opened for modification  C:\Windows\SysWOW64\Dobfld32.exe  Dfknkg32.exe
File created  C:\Windows\SysWOW64\Pfolbmje.exe  Pdmpje32.exe
File created  C:\Windows\SysWOW64\Pcncpbmd.exe  Pqpgdfnp.exe
File opened for modification  C:\Windows\SysWOW64\Pfolbmje.exe  Pdmpje32.exe
File opened for modification  C:\Windows\SysWOW64\Bfdodjhm.exe  Bagflcje.exe
File created  C:\Windows\SysWOW64\Eflgme32.dll  Bffkij32.exe
File created  C:\Windows\SysWOW64\Nfgmjqop.exe  Npjebj32.exe
File created  C:\Windows\SysWOW64\Pjhlml32.exe  Pcncpbmd.exe
File created  C:\Windows\SysWOW64\Hpoddikd.dll  Acnlgp32.exe
File opened for modification  C:\Windows\SysWOW64\Dfpgffpm.exe  Dmgbnq32.exe
File created  C:\Windows\SysWOW64\Goaojagc.dll  Njnpppkn.exe
File opened for modification  C:\Windows\SysWOW64\Pnlaml32.exe  Ojaelm32.exe
File opened for modification  C:\Windows\SysWOW64\Pqpgdfnp.exe  Pjeoglgc.exe
File created  C:\Windows\SysWOW64\Aqkgpedc.exe  Ajanck32.exe
File created  C:\Windows\SysWOW64\Bfdodjhm.exe  Bagflcje.exe
File opened for modification  C:\Windows\SysWOW64\Balpgb32.exe  Bmpcfdmg.exe
File opened for modification  C:\Windows\SysWOW64\Beihma32.exe  Bnpppgdj.exe
File created  C:\Windows\SysWOW64\Ogpmjb32.exe  Onhhamgg.exe
File created  C:\Windows\SysWOW64\Pqpgdfnp.exe  Pjeoglgc.exe
File opened for modification  C:\Windows\SysWOW64\Pjhlml32.exe  Pcncpbmd.exe
File opened for modification  C:\Windows\SysWOW64\Acjclpcf.exe  Aqkgpedc.exe
File created  C:\Windows\SysWOW64\Feibedlp.dll  Ambgef32.exe
File opened for modification  C:\Windows\SysWOW64\Afmhck32.exe  Acnlgp32.exe
File created  C:\Windows\SysWOW64\Bcjlcn32.exe  Balpgb32.exe
File opened for modification  C:\Windows\SysWOW64\Oqhacgdh.exe  Ojoign32.exe
File created  C:\Windows\SysWOW64\Pmidog32.exe  Pfolbmje.exe
File opened for modification  C:\Windows\SysWOW64\Afoeiklb.exe  Aglemn32.exe
File created  C:\Windows\SysWOW64\Jijjfldq.dll  Bjagjhnc.exe
File opened for modification  C:\Windows\SysWOW64\Oflgep32.exe  Oponmilc.exe
File created  C:\Windows\SysWOW64\Bnkgeg32.exe  Bfdodjhm.exe
File created  C:\Windows\SysWOW64\Pnonbk32.exe  Pgefeajb.exe
File opened for modification  C:\Windows\SysWOW64\Caebma32.exe  Cjkjpgfi.exe
File created  C:\Windows\SysWOW64\Nkenegog.dll  Ngmgne32.exe
File opened for modification  C:\Windows\SysWOW64\Pdifoehl.exe  Pnonbk32.exe
File created  C:\Windows\SysWOW64\Aepefb32.exe  Aminee32.exe
File created  C:\Windows\SysWOW64\Imbajm32.dll  Bapiabak.exe
File created  C:\Windows\SysWOW64\Dchfiejc.dll  Cmnpgb32.exe
File opened for modification  C:\Windows\SysWOW64\Dfiafg32.exe  Calhnpgn.exe
File created  C:\Windows\SysWOW64\Diphbb32.dll  Dgbdlf32.exe
File created  C:\Windows\SysWOW64\Nngokoej.exe  Ngmgne32.exe
File opened for modification  C:\Windows\SysWOW64\Mlefklpj.exe  Mdjagjco.exe
File opened for modification  C:\Windows\SysWOW64\Olhlhjpd.exe  Ofnckp32.exe
File created  C:\Windows\SysWOW64\Pdmpje32.exe  Pmfhig32.exe
File created  C:\Windows\SysWOW64\Qgcbgo32.exe  Qddfkd32.exe
File created  C:\Windows\SysWOW64\Beihma32.exe  Bnpppgdj.exe
File opened for modification  C:\Windows\SysWOW64\Ddonekbl.exe  Daqbip32.exe
File created  C:\Windows\SysWOW64\Mlefklpj.exe  Mdjagjco.exe
File created  C:\Windows\SysWOW64\Aglemn32.exe  Amgapeea.exe
Program crash (1 IoCs)
pid  pid_target  Process  procid_target
5288  3840  WerFault.exe  191
WerFault.exe (pid 5288) handled a crash in pid 3840; that pid does not appear in the truncated dropped-EXE table above.
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  64 processes: Oponmilc.exe, Aqkgpedc.exe, Ambgef32.exe, Bfdodjhm.exe, Bmpcfdmg.exe, Mlefklpj.exe, Odmgcgbi.exe, Oqhacgdh.exe, Pjeoglgc.exe, Pqpgdfnp.exe, Pjhlml32.exe, Pdmpje32.exe, Afjlnk32.exe, Ndcdmikd.exe, Cjinkg32.exe, Dejacond.exe, Dhhnpjmh.exe, Dmllipeg.exe, Acnlgp32.exe, Bapiabak.exe, Cdcoim32.exe, Pmidog32.exe, Olfobjbg.exe, Ognpebpj.exe, Pdifoehl.exe, Pgnilpah.exe, Bagflcje.exe, Bffkij32.exe, Dgbdlf32.exe, Oflgep32.exe, Doilmc32.exe, Qddfkd32.exe, Amgapeea.exe, Beeoaapl.exe, Balpgb32.exe, Dopigd32.exe, Mgkjhe32.exe, Pfolbmje.exe, Acjclpcf.exe, Bcjlcn32.exe, Npmagine.exe, Bjagjhnc.exe, Bnpppgdj.exe, Bclhhnca.exe, Bnkgeg32.exe, Nfgmjqop.exe, Ogpmjb32.exe, Ojoign32.exe, Pdpmpdbd.exe, Aeiofcji.exe, Amddjegd.exe, Bjmnoi32.exe, 27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe, Dobfld32.exe, Dmjocp32.exe, Cffdpghg.exe, Beihma32.exe, Nngokoej.exe, Ngpccdlj.exe, Njqmepik.exe, Nfjjppmm.exe, Ofnckp32.exe, Olhlhjpd.exe, Pnonbk32.exe
Modifies registry class (64 IoCs)
The CLSID registered here is the one the ShellServiceObjectDelayLoad value above points at. Its InProcServer32 default value (printed by the sandbox as InProcServer32\ = "...") names the DLL that is loaded in-process, and successive dropped processes re-point it at their own companion DLL in SysWow64 (compare the .dll drops above); ThreadingModel = "Apartment" completes an ordinary COM in-process server registration.
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  25 processes: Ajanck32.exe, Cnicfe32.exe, Dmjocp32.exe, Mgkjhe32.exe, Cffdpghg.exe, Dobfld32.exe, Dmgbnq32.exe, Bclhhnca.exe, Njnpppkn.exe, Acnlgp32.exe, Dejacond.exe, Amddjegd.exe, Pnonbk32.exe, Olhlhjpd.exe, Beeoaapl.exe, Dgbdlf32.exe, Ojaelm32.exe, Qddfkd32.exe, Ojoign32.exe, Bjmnoi32.exe, Cmnpgb32.exe, Nngokoej.exe, Ognpebpj.exe, Oflgep32.exe, Bfdodjhm.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  20 processes: Qddfkd32.exe, Bapiabak.exe, Pnonbk32.exe, Ofnckp32.exe, Ambgef32.exe, Acnlgp32.exe, Pmidog32.exe, Amddjegd.exe, Njqmepik.exe, Nngokoej.exe, Aeiofcji.exe, Dmgbnq32.exe, Pnlaml32.exe, Ngmgne32.exe, Ndcdmikd.exe, Beeoaapl.exe, Balpgb32.exe, Ognpebpj.exe, Oqhacgdh.exe, Bfdodjhm.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default value), 19 rows, one per writer:
  "C:\\Windows\\SysWow64\\Ihidlk32.dll"  Bnkgeg32.exe
  "C:\\Windows\\SysWow64\\Cogflbdn.dll"  Dhhnpjmh.exe
  "C:\\Windows\\SysWow64\\Ibaabn32.dll"  Afhohlbj.exe
  "C:\\Windows\\SysWow64\\Beapme32.dll"  Olhlhjpd.exe
  "C:\\Windows\\SysWow64\\Bjmjdbam.dll"  Pfolbmje.exe
  "C:\\Windows\\SysWow64\\Kjpgii32.dll"  Ojaelm32.exe
  "C:\\Windows\\SysWow64\\Gblnkg32.dll"  Bnpppgdj.exe
  "C:\\Windows\\SysWow64\\Idodkeom.dll"  Mlhbal32.exe
  "C:\\Windows\\SysWow64\\Jhbffb32.dll"  Bfkedibe.exe
  "C:\\Windows\\SysWow64\\Hjgaigfg.dll"  Npjebj32.exe
  "C:\\Windows\\SysWow64\\Jmmmebhb.dll"  Aeiofcji.exe
  "C:\\Windows\\SysWow64\\Glbandkm.dll"  Bagflcje.exe
  "C:\\Windows\\SysWow64\\Abkobg32.dll"  Bjmnoi32.exe
  "C:\\Windows\\SysWow64\\Ejfenk32.dll"  Pnlaml32.exe
  "C:\\Windows\\SysWow64\\Hjfgfh32.dll"  Qfcfml32.exe
  "C:\\Windows\\SysWow64\\Gfghpl32.dll"  Dmjocp32.exe
  "C:\\Windows\\SysWow64\\Kkbljp32.dll"  Pnonbk32.exe
  "C:\\Windows\\SysWow64\\Omocan32.dll"  Cenahpha.exe
  "C:\\Windows\\SysWow64\\Ghilmi32.dll"  Cnicfe32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\27983acd223e8bca7addbcc5107f7976714c44383883b1eb691b1d3449a448a3N.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2936

Level 2: C:\Windows\SysWOW64\Mlcifmbl.exe (command line: C:\Windows\system32\Mlcifmbl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5028

Level 3: C:\Windows\SysWOW64\Mdjagjco.exe (command line: C:\Windows\system32\Mdjagjco.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 5096

Level 4: C:\Windows\SysWOW64\Mlefklpj.exe (command line: C:\Windows\system32\Mlefklpj.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3004

Level 5: C:\Windows\SysWOW64\Mgkjhe32.exe (command line: C:\Windows\system32\Mgkjhe32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1388

Level 6: C:\Windows\SysWOW64\Mlhbal32.exe (command line: C:\Windows\system32\Mlhbal32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4584

Level 7: C:\Windows\SysWOW64\Ndokbi32.exe (command line: C:\Windows\system32\Ndokbi32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1856

Level 8: C:\Windows\SysWOW64\Ngmgne32.exe (command line: C:\Windows\system32\Ngmgne32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2860

Level 9: C:\Windows\SysWOW64\Nngokoej.exe (command line: C:\Windows\system32\Nngokoej.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1912

Level 10: C:\Windows\SysWOW64\Ngpccdlj.exe (command line: C:\Windows\system32\Ngpccdlj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1384

Level 11: C:\Windows\SysWOW64\Njnpppkn.exe (command line: C:\Windows\system32\Njnpppkn.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3336

Level 12: C:\Windows\SysWOW64\Ndcdmikd.exe (command line: C:\Windows\system32\Ndcdmikd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2708

Level 13: C:\Windows\SysWOW64\Njqmepik.exe (command line: C:\Windows\system32\Njqmepik.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4228

Level 14: C:\Windows\SysWOW64\Npjebj32.exe (command line: C:\Windows\system32\Npjebj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3724

Level 15: C:\Windows\SysWOW64\Nfgmjqop.exe (command line: C:\Windows\system32\Nfgmjqop.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3356

Level 16: C:\Windows\SysWOW64\Npmagine.exe (command line: C:\Windows\system32\Npmagine.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 548

Level 17: C:\Windows\SysWOW64\Nfjjppmm.exe (command line: C:\Windows\system32\Nfjjppmm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4864

Level 18: C:\Windows\SysWOW64\Oponmilc.exe (command line: C:\Windows\system32\Oponmilc.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3600

Level 19: C:\Windows\SysWOW64\Oflgep32.exe (command line: C:\Windows\system32\Oflgep32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2964

Level 20: C:\Windows\SysWOW64\Olfobjbg.exe (command line: C:\Windows\system32\Olfobjbg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 464

Level 21: C:\Windows\SysWOW64\Odmgcgbi.exe (command line: C:\Windows\system32\Odmgcgbi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3552

Level 22: C:\Windows\SysWOW64\Ofnckp32.exe (command line: C:\Windows\system32\Ofnckp32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 5088

Level 23: C:\Windows\SysWOW64\Olhlhjpd.exe (command line: C:\Windows\system32\Olhlhjpd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3240

Level 24: C:\Windows\SysWOW64\Ognpebpj.exe (command line: C:\Windows\system32\Ognpebpj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4900

Level 25: C:\Windows\SysWOW64\Onhhamgg.exe (command line: C:\Windows\system32\Onhhamgg.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4552

Level 26: C:\Windows\SysWOW64\Ogpmjb32.exe (command line: C:\Windows\system32\Ogpmjb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 668

Level 27: C:\Windows\SysWOW64\Ojoign32.exe (command line: C:\Windows\system32\Ojoign32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 556

Level 28: C:\Windows\SysWOW64\Oqhacgdh.exe (command line: C:\Windows\system32\Oqhacgdh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1184

Level 29: C:\Windows\SysWOW64\Ojaelm32.exe (command line: C:\Windows\system32\Ojaelm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 4972

Level 30: C:\Windows\SysWOW64\Pnlaml32.exe (command line: C:\Windows\system32\Pnlaml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 4212

Level 31: C:\Windows\SysWOW64\Pgefeajb.exe (command line: C:\Windows\system32\Pgefeajb.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1880

Level 32: C:\Windows\SysWOW64\Pnonbk32.exe (command line: C:\Windows\system32\Pnonbk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 116

Level 33: C:\Windows\SysWOW64\Pdifoehl.exe (command line: C:\Windows\system32\Pdifoehl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1128

Level 34: C:\Windows\SysWOW64\Pjeoglgc.exe (command line: C:\Windows\system32\Pjeoglgc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1780

Level 35: C:\Windows\SysWOW64\Pqpgdfnp.exe (command line: C:\Windows\system32\Pqpgdfnp.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 3420

Level 36: C:\Windows\SysWOW64\Pcncpbmd.exe (command line: C:\Windows\system32\Pcncpbmd.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4476

Level 37: C:\Windows\SysWOW64\Pjhlml32.exe (command line: C:\Windows\system32\Pjhlml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4556

Level 38: C:\Windows\SysWOW64\Pmfhig32.exe (command line: C:\Windows\system32\Pmfhig32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 3324

Level 39: C:\Windows\SysWOW64\Pdmpje32.exe (command line: C:\Windows\system32\Pdmpje32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4208

Level 40: C:\Windows\SysWOW64\Pfolbmje.exe (command line: C:\Windows\system32\Pfolbmje.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3224

Level 41: C:\Windows\SysWOW64\Pmidog32.exe (command line: C:\Windows\system32\Pmidog32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4624

Level 42: C:\Windows\SysWOW64\Pdpmpdbd.exe (command line: C:\Windows\system32\Pdpmpdbd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1364

Level 43: C:\Windows\SysWOW64\Pgnilpah.exe (command line: C:\Windows\system32\Pgnilpah.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4932

Level 44: C:\Windows\SysWOW64\Qnhahj32.exe (command line: C:\Windows\system32\Qnhahj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 3936

Level 45: C:\Windows\SysWOW64\Qfcfml32.exe (command line: C:\Windows\system32\Qfcfml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2088

Level 46: C:\Windows\SysWOW64\Qddfkd32.exe (command line: C:\Windows\system32\Qddfkd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2664

Level 47: C:\Windows\SysWOW64\Qgcbgo32.exe (command line: C:\Windows\system32\Qgcbgo32.exe)
- Executes dropped EXE
PID: 2528

Level 48: C:\Windows\SysWOW64\Ajanck32.exe (command line: C:\Windows\system32\Ajanck32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 3468

Level 49: C:\Windows\SysWOW64\Aqkgpedc.exe (command line: C:\Windows\system32\Aqkgpedc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1524

Level 50: C:\Windows\SysWOW64\Acjclpcf.exe (command line: C:\Windows\system32\Acjclpcf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2164

Level 51: C:\Windows\SysWOW64\Afhohlbj.exe (command line: C:\Windows\system32\Afhohlbj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 4424

Level 52: C:\Windows\SysWOW64\Ambgef32.exe (command line: C:\Windows\system32\Ambgef32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2208

Level 53: C:\Windows\SysWOW64\Aeiofcji.exe (command line: C:\Windows\system32\Aeiofcji.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1944

Level 54: C:\Windows\SysWOW64\Afjlnk32.exe (command line: C:\Windows\system32\Afjlnk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 532

Level 55: C:\Windows\SysWOW64\Amddjegd.exe (command line: C:\Windows\system32\Amddjegd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 812

Level 56: C:\Windows\SysWOW64\Acnlgp32.exe (command line: C:\Windows\system32\Acnlgp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1152

Level 57: C:\Windows\SysWOW64\Afmhck32.exe (command line: C:\Windows\system32\Afmhck32.exe)
- Executes dropped EXE
PID: 2996

Level 58: C:\Windows\SysWOW64\Amgapeea.exe (command line: C:\Windows\system32\Amgapeea.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2304

Level 59: C:\Windows\SysWOW64\Aglemn32.exe (command line: C:\Windows\system32\Aglemn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2920

Level 60: C:\Windows\SysWOW64\Afoeiklb.exe (command line: C:\Windows\system32\Afoeiklb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 780

Level 61: C:\Windows\SysWOW64\Aminee32.exe (command line: C:\Windows\system32\Aminee32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1252

Level 62: C:\Windows\SysWOW64\Aepefb32.exe (command line: C:\Windows\system32\Aepefb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 1404

Level 63: C:\Windows\SysWOW64\Bjmnoi32.exe (command line: C:\Windows\system32\Bjmnoi32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1380

Level 64: C:\Windows\SysWOW64\Bagflcje.exe (command line: C:\Windows\system32\Bagflcje.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1280

Level 65: C:\Windows\SysWOW64\Bfdodjhm.exe (command line: C:\Windows\system32\Bfdodjhm.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2280

Level 66: C:\Windows\SysWOW64\Bnkgeg32.exe (command line: C:\Windows\system32\Bnkgeg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4608

Level 67: C:\Windows\SysWOW64\Beeoaapl.exe (command line: C:\Windows\system32\Beeoaapl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2904

Level 68: C:\Windows\SysWOW64\Bffkij32.exe (command line: C:\Windows\system32\Bffkij32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 4816

Level 69: C:\Windows\SysWOW64\Bjagjhnc.exe (command line: C:\Windows\system32\Bjagjhnc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2720

Level 70: C:\Windows\SysWOW64\Bmpcfdmg.exe (command line: C:\Windows\system32\Bmpcfdmg.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 5100

Level 71: C:\Windows\SysWOW64\Balpgb32.exe (command line: C:\Windows\system32\Balpgb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4008

Level 72: C:\Windows\SysWOW64\Bcjlcn32.exe (command line: C:\Windows\system32\Bcjlcn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 4384

Level 73: C:\Windows\SysWOW64\Bnpppgdj.exe (command line: C:\Windows\system32\Bnpppgdj.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4600

Level 74: C:\Windows\SysWOW64\Beihma32.exe (command line: C:\Windows\system32\Beihma32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 2820

Level 75: C:\Windows\SysWOW64\Bclhhnca.exe (command line: C:\Windows\system32\Bclhhnca.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2368

Level 76: C:\Windows\SysWOW64\Bfkedibe.exe (command line: C:\Windows\system32\Bfkedibe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1460

Level 77: C:\Windows\SysWOW64\Bapiabak.exe (command line: C:\Windows\system32\Bapiabak.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3248

Level 78: C:\Windows\SysWOW64\Cfmajipb.exe (command line: C:\Windows\system32\Cfmajipb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2312

Level 79: C:\Windows\SysWOW64\Cjinkg32.exe (command line: C:\Windows\system32\Cjinkg32.exe)
- System Location Discovery: System Language Discovery
PID: 940

Level 80: C:\Windows\SysWOW64\Cenahpha.exe (command line: C:\Windows\system32\Cenahpha.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1828

Level 81: C:\Windows\SysWOW64\Cjkjpgfi.exe (command line: C:\Windows\system32\Cjkjpgfi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 4468

Level 82: C:\Windows\SysWOW64\Caebma32.exe (command line: C:\Windows\system32\Caebma32.exe)
PID: 5132

Level 83: C:\Windows\SysWOW64\Cdcoim32.exe (command line: C:\Windows\system32\Cdcoim32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 5184

Level 84: C:\Windows\SysWOW64\Cnicfe32.exe (command line: C:\Windows\system32\Cnicfe32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 5260

Level 85: C:\Windows\SysWOW64\Cfdhkhjj.exe (command line: C:\Windows\system32\Cfdhkhjj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5352

Level 86: C:\Windows\SysWOW64\Cmnpgb32.exe (command line: C:\Windows\system32\Cmnpgb32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 5396

Level 87: C:\Windows\SysWOW64\Cffdpghg.exe (command line: C:\Windows\system32\Cffdpghg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 5456

Level 88: C:\Windows\SysWOW64\Calhnpgn.exe (command line: C:\Windows\system32\Calhnpgn.exe)
- Drops file in System32 directory
PID: 5500

Level 89: C:\Windows\SysWOW64\Dfiafg32.exe (command line: C:\Windows\system32\Dfiafg32.exe)
PID: 5544

Level 90: C:\Windows\SysWOW64\Dopigd32.exe (command line: C:\Windows\system32\Dopigd32.exe)
- System Location Discovery: System Language Discovery
PID: 5588

Level 91: C:\Windows\SysWOW64\Dejacond.exe (command line: C:\Windows\system32\Dejacond.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 5632

Level 92: C:\Windows\SysWOW64\Dhhnpjmh.exe (command line: C:\Windows\system32\Dhhnpjmh.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 5676

Level 93: C:\Windows\SysWOW64\Dfknkg32.exe (command line: C:\Windows\system32\Dfknkg32.exe)
- Drops file in System32 directory
PID: 5720

Level 94: C:\Windows\SysWOW64\Dobfld32.exe (command line: C:\Windows\system32\Dobfld32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 5764

Level 95: C:\Windows\SysWOW64\Daqbip32.exe (command line: C:\Windows\system32\Daqbip32.exe)
- Drops file in System32 directory
PID: 5808

Level 96: C:\Windows\SysWOW64\Ddonekbl.exe (command line: C:\Windows\system32\Ddonekbl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5852

Level 97: C:\Windows\SysWOW64\Dkifae32.exe (command line: C:\Windows\system32\Dkifae32.exe)
PID: 5900

Level 98: C:\Windows\SysWOW64\Dmgbnq32.exe (command line: C:\Windows\system32\Dmgbnq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 5944

Level 99: C:\Windows\SysWOW64\Dfpgffpm.exe (command line: C:\Windows\system32\Dfpgffpm.exe)
PID: 5988

Level 100: C:\Windows\SysWOW64\Dmjocp32.exe (command line: C:\Windows\system32\Dmjocp32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 6032

Level 101: C:\Windows\SysWOW64\Dgbdlf32.exe (command line: C:\Windows\system32\Dgbdlf32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 6076

Level 102: C:\Windows\SysWOW64\Doilmc32.exe (command line: C:\Windows\system32\Doilmc32.exe)
- System Location Discovery: System Language Discovery
PID: 6120

Level 103: C:\Windows\SysWOW64\Dmllipeg.exe (command line: C:\Windows\system32\Dmllipeg.exe)
- System Location Discovery: System Language Discovery
PID: 3840

Level 104: C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 4081)
- Program crash
PID: 5288
Level 1: C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840)
PID: 5344
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
90KB
MD5660a135736ff61a30055c49dfc7801cf
SHA1b1dc0d6e99e4dd6eeca7345759cdd0391d87c3c3
SHA25658c9d38a8222b22a1b8263b64cf0e099b4520a0a0cd5854a21f9034fd92554ce
SHA512139bea9d12af348cea3d4199ecbeddd98d1531bfa00cfbf5b91225a73f9d9214a30c00710d26bbda41b8283dc8f34d2581969d08f6f527949cb0ede13c57ca11
-
Filesize
90KB
MD59c1fa99e6ac75961d168a1bfc55f51f2
SHA1791c2c390ae3ca8bd86888d68077f1ef6cfcf848
SHA25684e10e30b18b3f578d38e41fa55e94318bcf4abdb64213443dcfe8dfc3a20c88
SHA5123472407c73398474de33e600bffa6d12f377abfb90ac00dfa3ba9ef925078bb7422e14620972eabaa63eeee96d53c4e30c00b8baf1db14bcd13a56a46c2b484d
-
Filesize
90KB
MD5c86b4e5e905f2e33a22a0b8ea6e3857d
SHA1fb2a04df303eebd9d1c41d2ef2ecdce560ea422a
SHA25621826837b7a4d5735a9b8ed991ea675e17d23861635ecfefe62314b70791e365
SHA512cc89505a818a69f6f6fab8a2a1453c99ec7ece5f9c45444114223b0dbe08875a6a8f2397f8e3f75f083108c62512dad14334b661eb7febdbddf2dc1f9f02ab4c
-
Filesize
90KB
MD575d794362245201fe2cea34e81c06d20
SHA1b990d49c5c1c64e456aff5a613d1a84f7ef62bfc
SHA256a7bcd2dae81c23ecb2cd9407c0e33cb10d22a6b618ac75948563d8f81b9f32a4
SHA5128cf30be028ad06117446c5b9157e329b2e6ac801549c76d005c8a462ba6234278c0e20bdbfb7bac354cf42e75de21c971178b385b257e81fb6894a4550e26081
-
Filesize
90KB
MD5840a6559768b07a052ea8dc8eb634ffc
SHA13facb44e89c6bc14ad89a3c69293111675c0b8e7
SHA256ff1806f23e20d52edd5a7d648ef7fd1d7383297486a523690bba9e69ce4d2a65
SHA512791a5485c97341c6e9845d9a0e8912249b8dc41bdfbb9e09d5feddcae3857880c64acd144ef40ee159f0e2e83d4cce49c7c72b75316b374fd3b8dad59f648a14
-
Filesize
90KB
MD59da6c68fe58ab0e614af07dba5cb1f08
SHA1f1965cd26863390fe5e0b0486d0819278d80a54f
SHA25687c672a6a2626d2cb9f65d7c4b4dcdbaac94f012b160792ff619059ca7bd49f7
SHA5126e97b4c8a8ab519d5ca7cd9adb5d5437d1974634dc3d4177cc15c9164f8d387215bfeeb8f2e5973edc8f37cf7ae2f84e1a932f92a59fa735e452177ec96182f8