Analysis
Max time kernel: 94s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/11/2024, 07:14
Static task: static1
Behavioral task: behavioral1
  Sample: 74bc076d498d8545ecbbeb8220f67bb5f1c9ba27de03a47a37c7ec8790933c52N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 74bc076d498d8545ecbbeb8220f67bb5f1c9ba27de03a47a37c7ec8790933c52N.exe
  Resource: win10v2004-20241007-en
General
Target: 74bc076d498d8545ecbbeb8220f67bb5f1c9ba27de03a47a37c7ec8790933c52N.exe
Size: 79KB
MD5: 7d1bae68bc206ddc26b2f8409a1ef810
SHA1: d12f052757263a883b62025ca594fc46c070d162
SHA256: 74bc076d498d8545ecbbeb8220f67bb5f1c9ba27de03a47a37c7ec8790933c52
SHA512: d1162f6fcfd36c1f514da8057b589ba7a373c1d1a902f32536c99c30046eac4bc353edb8aa0c7469bfc46f38893a369400eb90222144e77b267e8d6bf9f7d553
SSDEEP: 1536:tGpIw1Kjn3BERQMSwZZUEwaiFkSIgiItKq9v6Ds:Ccn3aRBZUEwaixtBtKq9vn
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2096, pid_target: 1616, Process: WerFault.exe, procid_target: 156
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\74bc076d498d8545ecbbeb8220f67bb5f1c9ba27de03a47a37c7ec8790933c52N.exe | command line: "C:\Users\Admin\AppData\Local\Temp\74bc076d498d8545ecbbeb8220f67bb5f1c9ba27de03a47a37c7ec8790933c52N.exe" | level 1
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Qgcbgo32.exe | command line: C:\Windows\system32\Qgcbgo32.exe | level 2
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ampkof32.exe | command line: C:\Windows\system32\Ampkof32.exe | level 3
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Aqkgpedc.exe | command line: C:\Windows\system32\Aqkgpedc.exe | level 4
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Adgbpc32.exe | command line: C:\Windows\system32\Adgbpc32.exe | level 5
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Ajckij32.exe | command line: C:\Windows\system32\Ajckij32.exe | level 6
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Ambgef32.exe | command line: C:\Windows\system32\Ambgef32.exe | level 7
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Aeiofcji.exe | command line: C:\Windows\system32\Aeiofcji.exe | level 8
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Aclpap32.exe | command line: C:\Windows\system32\Aclpap32.exe | level 9
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Anadoi32.exe | command line: C:\Windows\system32\Anadoi32.exe | level 10
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Aqppkd32.exe | command line: C:\Windows\system32\Aqppkd32.exe | level 11
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Acnlgp32.exe | command line: C:\Windows\system32\Acnlgp32.exe | level 12
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Afmhck32.exe | command line: C:\Windows\system32\Afmhck32.exe | level 13
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Amgapeea.exe | command line: C:\Windows\system32\Amgapeea.exe | level 14
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Aeniabfd.exe | command line: C:\Windows\system32\Aeniabfd.exe | level 15
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Afoeiklb.exe | command line: C:\Windows\system32\Afoeiklb.exe | level 16
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Aminee32.exe | command line: C:\Windows\system32\Aminee32.exe | level 17
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Accfbokl.exe | command line: C:\Windows\system32\Accfbokl.exe | level 18
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Bfabnjjp.exe | command line: C:\Windows\system32\Bfabnjjp.exe | level 19
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Bmkjkd32.exe | command line: C:\Windows\system32\Bmkjkd32.exe | level 20
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Bcebhoii.exe | command line: C:\Windows\system32\Bcebhoii.exe | level 21
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Bjokdipf.exe | command line: C:\Windows\system32\Bjokdipf.exe | level 22
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Baicac32.exe | command line: C:\Windows\system32\Baicac32.exe | level 23
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4384 -
C:\Windows\SysWOW64\Bgcknmop.exe | command line: C:\Windows\system32\Bgcknmop.exe | level 24
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Bjagjhnc.exe | command line: C:\Windows\system32\Bjagjhnc.exe | level 25
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3372 -
C:\Windows\SysWOW64\Bmpcfdmg.exe | command line: C:\Windows\system32\Bmpcfdmg.exe | level 26
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Bcjlcn32.exe | command line: C:\Windows\system32\Bcjlcn32.exe | level 27
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Bfhhoi32.exe | command line: C:\Windows\system32\Bfhhoi32.exe | level 28
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Bnpppgdj.exe | command line: C:\Windows\system32\Bnpppgdj.exe | level 29
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Banllbdn.exe | command line: C:\Windows\system32\Banllbdn.exe | level 30
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Windows\SysWOW64\Bclhhnca.exe | command line: C:\Windows\system32\Bclhhnca.exe | level 31
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Bfkedibe.exe | command line: C:\Windows\system32\Bfkedibe.exe | level 32
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:312 -
C:\Windows\SysWOW64\Bnbmefbg.exe | command line: C:\Windows\system32\Bnbmefbg.exe | level 33
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Bapiabak.exe | command line: C:\Windows\system32\Bapiabak.exe | level 34
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Belebq32.exe | command line: C:\Windows\system32\Belebq32.exe | level 35
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Chjaol32.exe | command line: C:\Windows\system32\Chjaol32.exe | level 36
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Cndikf32.exe | command line: C:\Windows\system32\Cndikf32.exe | level 37
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Cabfga32.exe | command line: C:\Windows\system32\Cabfga32.exe | level 38
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Cdabcm32.exe | command line: C:\Windows\system32\Cdabcm32.exe | level 39
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Windows\SysWOW64\Cjkjpgfi.exe | command line: C:\Windows\system32\Cjkjpgfi.exe | level 40
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3236 -
C:\Windows\SysWOW64\Cmiflbel.exe | command line: C:\Windows\system32\Cmiflbel.exe | level 41
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ceqnmpfo.exe | command line: C:\Windows\system32\Ceqnmpfo.exe | level 42
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3600 -
C:\Windows\SysWOW64\Chokikeb.exe | command line: C:\Windows\system32\Chokikeb.exe | level 43
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:676 -
C:\Windows\SysWOW64\Cjmgfgdf.exe | command line: C:\Windows\system32\Cjmgfgdf.exe | level 44
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Cnicfe32.exe | command line: C:\Windows\system32\Cnicfe32.exe | level 45
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Ceckcp32.exe | command line: C:\Windows\system32\Ceckcp32.exe | level 46
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Chagok32.exe | command line: C:\Windows\system32\Chagok32.exe | level 47
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\SysWOW64\Cfdhkhjj.exe | command line: C:\Windows\system32\Cfdhkhjj.exe | level 48
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Cnkplejl.exe | command line: C:\Windows\system32\Cnkplejl.exe | level 49
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3204 -
C:\Windows\SysWOW64\Cajlhqjp.exe | command line: C:\Windows\system32\Cajlhqjp.exe | level 50
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Ceehho32.exe | command line: C:\Windows\system32\Ceehho32.exe | level 51
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Cffdpghg.exe | command line: C:\Windows\system32\Cffdpghg.exe | level 52
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4312 -
C:\Windows\SysWOW64\Cnnlaehj.exe | command line: C:\Windows\system32\Cnnlaehj.exe | level 53
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4040 -
C:\Windows\SysWOW64\Calhnpgn.exe | command line: C:\Windows\system32\Calhnpgn.exe | level 54
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:428 -
C:\Windows\SysWOW64\Ddjejl32.exe | command line: C:\Windows\system32\Ddjejl32.exe | level 55
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Dfiafg32.exe | command line: C:\Windows\system32\Dfiafg32.exe | level 56
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Dopigd32.exe | command line: C:\Windows\system32\Dopigd32.exe | level 57
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Danecp32.exe | command line: C:\Windows\system32\Danecp32.exe | level 58
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:424 -
C:\Windows\SysWOW64\Dejacond.exe | command line: C:\Windows\system32\Dejacond.exe | level 59
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Dobfld32.exe | command line: C:\Windows\system32\Dobfld32.exe | level 60
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4896 -
C:\Windows\SysWOW64\Daqbip32.exe | command line: C:\Windows\system32\Daqbip32.exe | level 61
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Delnin32.exe | command line: C:\Windows\system32\Delnin32.exe | level 62
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Dhkjej32.exe | command line: C:\Windows\system32\Dhkjej32.exe | level 63
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Dodbbdbb.exe | command line: C:\Windows\system32\Dodbbdbb.exe | level 64
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Daconoae.exe | command line: C:\Windows\system32\Daconoae.exe | level 65
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Ddakjkqi.exe | command line: C:\Windows\system32\Ddakjkqi.exe | level 66
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Dfpgffpm.exe | command line: C:\Windows\system32\Dfpgffpm.exe | level 67
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Dogogcpo.exe | command line: C:\Windows\system32\Dogogcpo.exe | level 68
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Daekdooc.exe | command line: C:\Windows\system32\Daekdooc.exe | level 69
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Dgbdlf32.exe | command line: C:\Windows\system32\Dgbdlf32.exe | level 70
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3632 -
C:\Windows\SysWOW64\Doilmc32.exe | command line: C:\Windows\system32\Doilmc32.exe | level 71
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Dmllipeg.exe | command line: C:\Windows\system32\Dmllipeg.exe | level 72
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 404 | level 73
- Program crash
PID:2096
C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1616 -ip 1616 | level 1
PID:2036
Network
MITRE ATT&CK Enterprise v15
Downloads