Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 06:09
Static task
static1
Behavioral task
behavioral1
Sample
0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe
Resource
win10v2004-20241007-en
General
-
Target
0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe
-
Size
72KB
-
MD5
939f7121aa8ca10ca3e19def80283c20
-
SHA1
a4dcfec3ec730873d7a3724292c366248262fd46
-
SHA256
0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0
-
SHA512
74644988d344607288c32c16f38efe287d29f9e076d1a27e0e0cc972d43e1d5db4e26e2062e9b25ad5ae74ef935075431518db0f7e6d1ebaae18e721c4121058
-
SSDEEP
768:pWkHJRYeNipY/M9i4dC9nGCaT/tqaYSHfuf4fRSaaa0DDDDDDF/10mEu/1H58uU/:M4Y0J1vi1qgW10mFyPgUN3QivEtA
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqppkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceckcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdkch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoeiklb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfknkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmgfgdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dopigd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmefhako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlaml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afoeiklb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfdhkhjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andqdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogpmjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgefeajb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcddk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmeci32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3628 Oqfdnhfk.exe 3136 Ogpmjb32.exe 1056 Ojoign32.exe 2124 Olmeci32.exe 3876 Oddmdf32.exe 616 Ofeilobp.exe 3080 Pnlaml32.exe 1916 Pdfjifjo.exe 2096 Pgefeajb.exe 4972 Pnonbk32.exe 2512 Pmannhhj.exe 2904 Pdifoehl.exe 4112 Pnakhkol.exe 4236 Pmdkch32.exe 772 Pgioqq32.exe 4588 Pjhlml32.exe 3676 Pdmpje32.exe 5048 Pjjhbl32.exe 1768 Pmidog32.exe 3044 Pcbmka32.exe 1552 Pjmehkqk.exe 2856 Qmkadgpo.exe 760 Qdbiedpa.exe 1660 Ajckij32.exe 4468 Aqncedbp.exe 4176 Aeiofcji.exe 4356 Agglboim.exe 3656 Aqppkd32.exe 3232 Andqdh32.exe 2152 Aabmqd32.exe 1112 Aglemn32.exe 1444 Afoeiklb.exe 4064 Aadifclh.exe 1988 Accfbokl.exe 4564 Bjmnoi32.exe 1200 Bmkjkd32.exe 4144 Bebblb32.exe 1080 Bfdodjhm.exe 2060 Bnkgeg32.exe 1196 Beeoaapl.exe 2952 Bffkij32.exe 1204 Bmpcfdmg.exe 3712 Beglgani.exe 4716 Bgehcmmm.exe 1576 Bnpppgdj.exe 4380 Banllbdn.exe 776 Bhhdil32.exe 1412 Bnbmefbg.exe 2784 Belebq32.exe 2828 Chjaol32.exe 4268 Cndikf32.exe 2732 Cenahpha.exe 2392 Chmndlge.exe 4472 Cnffqf32.exe 1232 Caebma32.exe 2412 Ceqnmpfo.exe 716 Cdcoim32.exe 364 Cfbkeh32.exe 1208 Cjmgfgdf.exe 4304 Cnicfe32.exe 384 Cagobalc.exe 3968 Ceckcp32.exe 3696 Cdfkolkf.exe 3556 Cfdhkhjj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dfknkg32.exe Ddmaok32.exe File opened for modification C:\Windows\SysWOW64\Pdifoehl.exe Pmannhhj.exe File created C:\Windows\SysWOW64\Ihidlk32.dll Bnkgeg32.exe File created C:\Windows\SysWOW64\Beglgani.exe Bmpcfdmg.exe File opened for modification C:\Windows\SysWOW64\Pjmehkqk.exe Pcbmka32.exe File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Ajckij32.exe File opened for modification C:\Windows\SysWOW64\Aadifclh.exe Afoeiklb.exe File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe Cjmgfgdf.exe File created C:\Windows\SysWOW64\Bdjinlko.dll Pnlaml32.exe File opened for modification C:\Windows\SysWOW64\Pgefeajb.exe Pdfjifjo.exe File created C:\Windows\SysWOW64\Bjmjdbam.dll Pjjhbl32.exe File created C:\Windows\SysWOW64\Qdbiedpa.exe Qmkadgpo.exe File opened for modification C:\Windows\SysWOW64\Banllbdn.exe Bnpppgdj.exe File created C:\Windows\SysWOW64\Ddakjkqi.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Mnjgghdi.dll Aabmqd32.exe File created C:\Windows\SysWOW64\Danecp32.exe Dopigd32.exe File opened for modification C:\Windows\SysWOW64\Ddmaok32.exe Dejacond.exe File opened for modification C:\Windows\SysWOW64\Bnbmefbg.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Kjpgii32.dll Ofeilobp.exe File opened for modification C:\Windows\SysWOW64\Bffkij32.exe Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Beglgani.exe Bmpcfdmg.exe File created C:\Windows\SysWOW64\Accfbokl.exe Aadifclh.exe File opened for modification C:\Windows\SysWOW64\Cjmgfgdf.exe Cfbkeh32.exe File created C:\Windows\SysWOW64\Jffggf32.dll Ceckcp32.exe File created C:\Windows\SysWOW64\Deagdn32.exe Dfpgffpm.exe File created C:\Windows\SysWOW64\Pmidog32.exe Pjjhbl32.exe File created C:\Windows\SysWOW64\Eifnachf.dll Cagobalc.exe File created C:\Windows\SysWOW64\Hpnkaj32.dll Danecp32.exe File opened for modification C:\Windows\SysWOW64\Danecp32.exe Dopigd32.exe File created C:\Windows\SysWOW64\Dfpgffpm.exe Dhmgki32.exe File created C:\Windows\SysWOW64\Pdifoehl.exe Pmannhhj.exe File created C:\Windows\SysWOW64\Bnkgeg32.exe Bfdodjhm.exe File created C:\Windows\SysWOW64\Nedmmlba.dll Ceqnmpfo.exe File created C:\Windows\SysWOW64\Idnljnaa.dll Andqdh32.exe File opened for modification C:\Windows\SysWOW64\Bebblb32.exe Bmkjkd32.exe File created C:\Windows\SysWOW64\Pgefeajb.exe Pdfjifjo.exe File opened for modification C:\Windows\SysWOW64\Pgioqq32.exe Pmdkch32.exe File opened for modification C:\Windows\SysWOW64\Qmkadgpo.exe Pjmehkqk.exe File created C:\Windows\SysWOW64\Akmfnc32.dll Bjmnoi32.exe File created C:\Windows\SysWOW64\Cmnpgb32.exe Cjpckf32.exe File created C:\Windows\SysWOW64\Ldfgeigq.dll Accfbokl.exe File opened for modification C:\Windows\SysWOW64\Cnffqf32.exe Chmndlge.exe File created C:\Windows\SysWOW64\Fpdaoioe.dll Ddakjkqi.exe File opened for modification C:\Windows\SysWOW64\Aabmqd32.exe Andqdh32.exe File opened for modification C:\Windows\SysWOW64\Aglemn32.exe Aabmqd32.exe File created C:\Windows\SysWOW64\Ooojbbid.dll Afoeiklb.exe File opened for modification C:\Windows\SysWOW64\Ogpmjb32.exe Oqfdnhfk.exe File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe Dhocqigp.exe File opened for modification C:\Windows\SysWOW64\Cdcoim32.exe Ceqnmpfo.exe File created C:\Windows\SysWOW64\Ceckcp32.exe Cagobalc.exe File created C:\Windows\SysWOW64\Phiifkjp.dll Bmkjkd32.exe File created C:\Windows\SysWOW64\Beeoaapl.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Chmndlge.exe Cenahpha.exe File created C:\Windows\SysWOW64\Cnicfe32.exe Cjmgfgdf.exe File created C:\Windows\SysWOW64\Dopigd32.exe Cegdnopg.exe File opened for modification C:\Windows\SysWOW64\Pdmpje32.exe Pjhlml32.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Qdbiedpa.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Ogpmjb32.exe Oqfdnhfk.exe File created C:\Windows\SysWOW64\Ajckij32.exe Qdbiedpa.exe File created C:\Windows\SysWOW64\Jjjald32.dll Dejacond.exe File created C:\Windows\SysWOW64\Dpmdoo32.dll Aeiofcji.exe File created C:\Windows\SysWOW64\Pnonbk32.exe Pgefeajb.exe File created C:\Windows\SysWOW64\Afoeiklb.exe Aglemn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5128 2968 WerFault.exe 170 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgehcmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmidog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglboim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoeiklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnicfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmehkqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkjkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Banllbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglemn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andqdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkjej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojoign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgefeajb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdkch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabmqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgbnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpgffpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accfbokl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpcfdmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfknkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdifoehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbmka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmkadgpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beeoaapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfdhkhjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegdnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofeilobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbiedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqppkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmgfgdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhocqigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbmefbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfkolkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnlaml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgioqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhlml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqfdnhfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdodjhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beglgani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caebma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceckcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopigd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddakjkqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpmjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqncedbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnffqf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgefeajb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqppkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndikf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmeci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmnoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndikf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" Pnlaml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqfdnhfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmidog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmgki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll" Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll" Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdbiedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Bmpcfdmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Caebma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deagdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogpmjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnakhkol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkjej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnlaml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Andqdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll" Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll" Pgefeajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll" Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cenahpha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegdnopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdfjifjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadifclh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4040 wrote to memory of 3628 4040 0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe 83 PID 4040 wrote to memory of 3628 4040 0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe 83 PID 4040 wrote to memory of 3628 4040 0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe 83 PID 3628 wrote to memory of 3136 3628 Oqfdnhfk.exe 84 PID 3628 wrote to memory of 3136 3628 Oqfdnhfk.exe 84 PID 3628 wrote to memory of 3136 3628 Oqfdnhfk.exe 84 PID 3136 wrote to memory of 1056 3136 Ogpmjb32.exe 85 PID 3136 wrote to memory of 1056 3136 Ogpmjb32.exe 85 PID 3136 wrote to memory of 1056 3136 Ogpmjb32.exe 85 PID 1056 wrote to memory of 2124 1056 Ojoign32.exe 86 PID 1056 wrote to memory of 2124 1056 Ojoign32.exe 86 PID 1056 wrote to memory of 2124 1056 Ojoign32.exe 86 PID 2124 wrote to memory of 3876 2124 Olmeci32.exe 87 PID 2124 wrote to memory of 3876 2124 Olmeci32.exe 87 PID 2124 wrote to memory of 3876 2124 Olmeci32.exe 87 PID 3876 wrote to memory of 616 3876 Oddmdf32.exe 88 PID 3876 wrote to memory of 616 3876 Oddmdf32.exe 88 PID 3876 wrote to memory of 616 3876 Oddmdf32.exe 88 PID 616 wrote to memory of 3080 616 Ofeilobp.exe 89 PID 616 wrote to memory of 3080 616 Ofeilobp.exe 89 PID 616 wrote to memory of 3080 616 Ofeilobp.exe 89 PID 3080 wrote to memory of 1916 3080 Pnlaml32.exe 91 PID 3080 wrote to memory of 1916 3080 Pnlaml32.exe 91 PID 3080 wrote to memory of 1916 3080 Pnlaml32.exe 91 PID 1916 wrote to memory of 2096 1916 Pdfjifjo.exe 92 PID 1916 wrote to memory of 2096 1916 Pdfjifjo.exe 92 PID 1916 wrote to memory of 2096 1916 Pdfjifjo.exe 92 PID 2096 wrote to memory of 4972 2096 Pgefeajb.exe 93 PID 2096 wrote to memory of 4972 2096 Pgefeajb.exe 93 PID 2096 wrote to memory of 4972 2096 Pgefeajb.exe 93 PID 4972 wrote to memory of 2512 4972 Pnonbk32.exe 94 PID 4972 wrote to memory of 2512 4972 Pnonbk32.exe 94 PID 4972 wrote to memory of 2512 4972 Pnonbk32.exe 94 PID 2512 wrote to memory of 2904 2512 Pmannhhj.exe 95 PID 2512 wrote to memory of 2904 2512 Pmannhhj.exe 95 PID 2512 wrote to memory of 2904 2512 Pmannhhj.exe 95 PID 2904 wrote to memory of 4112 2904 Pdifoehl.exe 97 PID 2904 wrote to memory of 4112 2904 Pdifoehl.exe 97 PID 2904 wrote to memory of 4112 2904 Pdifoehl.exe 97 PID 4112 wrote to memory of 4236 4112 Pnakhkol.exe 98 PID 4112 wrote to memory of 4236 4112 Pnakhkol.exe 98 PID 4112 wrote to memory of 4236 4112 Pnakhkol.exe 98 PID 4236 wrote to memory of 772 4236 Pmdkch32.exe 99 PID 4236 wrote to memory of 772 4236 Pmdkch32.exe 99 PID 4236 wrote to memory of 772 4236 Pmdkch32.exe 99 PID 772 wrote to memory of 4588 772 Pgioqq32.exe 100 PID 772 wrote to memory of 4588 772 Pgioqq32.exe 100 PID 772 wrote to memory of 4588 772 Pgioqq32.exe 100 PID 4588 wrote to memory of 3676 4588 Pjhlml32.exe 101 PID 4588 wrote to memory of 3676 4588 Pjhlml32.exe 101 PID 4588 wrote to memory of 3676 4588 Pjhlml32.exe 101 PID 3676 wrote to memory of 5048 3676 Pdmpje32.exe 103 PID 3676 wrote to memory of 5048 3676 Pdmpje32.exe 103 PID 3676 wrote to memory of 5048 3676 Pdmpje32.exe 103 PID 5048 wrote to memory of 1768 5048 Pjjhbl32.exe 104 PID 5048 wrote to memory of 1768 5048 Pjjhbl32.exe 104 PID 5048 wrote to memory of 1768 5048 Pjjhbl32.exe 104 PID 1768 wrote to memory of 3044 1768 Pmidog32.exe 105 PID 1768 wrote to memory of 3044 1768 Pmidog32.exe 105 PID 1768 wrote to memory of 3044 1768 Pmidog32.exe 105 PID 3044 wrote to memory of 1552 3044 Pcbmka32.exe 106 PID 3044 wrote to memory of 1552 3044 Pcbmka32.exe 106 PID 3044 wrote to memory of 1552 3044 Pcbmka32.exe 106 PID 1552 wrote to memory of 2856 1552 Pjmehkqk.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe"C:\Users\Admin\AppData\Local\Temp\0ec015989475aecb93d0071e202655348f7a1377946ab7826be7ecde75c0d8d0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4468 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3232 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4564 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1200 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3712 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4380 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4472 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:716 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:364 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3696 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3496 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe77⤵PID:3948
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4748 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe84⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 40485⤵
- Program crash
PID:5128
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2968 -ip 29681⤵PID:2200
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD5153e2ad1a986f61ffb99a13c7a33810b
SHA11edae70138fc732f2c8d6a986e8cb0e261429fb7
SHA256e2e9ae7fdf5a919760e405579346376aa9258d6142402fa6794492356a18238e
SHA512d34feab26419a5bc2094fd0cfa93f00f1586671a048d20759bbde433faae1839cfc0ecd03bc4a0174258491da7eabe30a4dddc7ec15ee9afebad225be7530317
-
Filesize
72KB
MD57307f847a8cb159d3af06e0b92161afb
SHA19cd707ddf60fa3b1404a1ca33fa9343cd5acc1b6
SHA256174e42aba9ca5dd5dedb0ed61df632d44bd1ec5699051f6506aabc7cbca5ce3e
SHA5121125a79264c773b6854153a76007a10d482cba7a7b80768e5f57131e75056c4c7f1e587a673b7e9cbf97aa70105f97a179929b6f61ec17509f513a82b36d8673
-
Filesize
72KB
MD5d8e7702528ff6a0e21dc014c707cedba
SHA1bcaed3148c6992696983e56256ed1aa1f64937fe
SHA256fb9f0639f7f0a1b9304fe952c8a6010c8f1f8e22bc46bed2d2a20347da7c1f39
SHA512bb7deb78398cebd9807a293f6244d7c18e036348611ab76300420e6407672a9dd24a073070dbbf3ead5411c686e2f0d55ce187ded59030777ff16e22a0b55026
-
Filesize
72KB
MD52e8b7d0d7c4f9b43b0c4964524470018
SHA11b07d839f5f38d1d82cd87d03ac5598a1705e933
SHA2562baa5bca410eb08f438afa3b46163bcc070eabaf9a01f6a681415350eda0f30c
SHA512ca38a84be638df5be70fe114bee23fd80edd1435586711ee1144c336640a549fa22e65e15e305470123463d194eee8a4fc1922980a5c69d05f13537e494886da
-
Filesize
72KB
MD5e64f79e8c3be407039bd1bda4ae838e7
SHA154bc203f65de7e740fdef101bf713e4dfcfc7a47
SHA256a3e354fe66808dc8a7030b144b941c8c12e6c24c0f9b1d122afaea67d22d9f2d
SHA5123b3a10960205fe4bd5a2aa896917a01566fadb8f9c3c1facc1bd2188845f9f86d112f45188fe79e22a8b2f44c68de77a92411ce2a4ca8fc652957961e4fc9d64
-
Filesize
72KB
MD5033ce720f347786fe39433f1815873f1
SHA193cf139fa0901143b952783f491a6c8f4022b660
SHA256a285eb07add93c1864fd1ba6dc5cc0161d14cf844637b71a524402980f4f6344
SHA5123e627e3e76199aebbbbafd37dd7a1b3314f801bc4c60e33a24dbc603ecb1b2749a71253efeee8119e5cfc4fbba6c73b603aa0aab50ab4a490a9afd7e06a3bf28
-
Filesize
72KB
MD5f2c5da941ef1294deda714d8bba42fed
SHA109c626653f67c281d5dcacdbea7379eaa374dfb6
SHA2563fb48241ea212a57aec1cde7440a3b2eb2b3ae73df96f12f7d42db50537ed996
SHA512353b04cc9c8d755139b28b5dad766666ac2fc8ae73740f41b85585569383f36ace7352ea3c2cb0383c451645a3bb7efc01b8914b9088bea6120aff59850822ad
-
Filesize
72KB
MD5a23008dc4f416b17fac9e7a302d25026
SHA1782588170f614819c43717f462f69b0b0b196797
SHA2565cebfbb24523e88d3b9b8223c26d3fe652daea39f5825e8f3039feaeb88fa24e
SHA512a33931de690445de0d25212226ebbba7df6ba5499e751cafa13a0cb6248fa0d95442e4e01437b11a1846f5291dec7a2d3c330d83575387d3a674e9ad682b188d
-
Filesize
72KB
MD509b27a2a59ebc1b0a198229e2d6d6277
SHA10995d6fdce0310a4153c52b00c1fa35ed77ba455
SHA256da8e3072b9799e0c5e21e2a754d58fe31f6af0152d137d02230ced042d803502
SHA5120091a1f52b0360ccf2009e12033eba6ae0e8c7a040b5496226556afea7bcd8b3024a0b2b49e2ec0aa63f36b7f4d82749499c63c75e860bebee2a52efafc6dcbe
-
Filesize
72KB
MD5fe446685d4f0b6d134257ab1ddabe083
SHA14690f225b440f246babbce5d2cae4e61450e7c14
SHA2564d17305a53b1eb276a6ad5105c1ea0b100fa76054dbb2c445666a1acbb106f0d
SHA5125cab2121115dbc0af5f73e8decbbd865b30bf97d5caf63d56e5fc68c3f211a7694fdd339f3a44f97d4fcbf69511472c3978fc2ede4cc8e922f5721a711025ca6
-
Filesize
72KB
MD59c9c889c0c090620ab9682fd54c48b8c
SHA1fb068e93d48fd2a0f17210d350675407ac328b03
SHA25622f86e2da8fe849b6bf126a66b2a3f7160de53aab7d15751e8efb104e28f8980
SHA512da9e2efc27922d7ed7725561d85fcb9db1d68a9bf4ec5b59d3bdc0703c22bb9af3887c4c31d323ab05b688aa09aef9dbe9c6d493518a9f843e8013bc63ee8d77
-
Filesize
72KB
MD516f165d77e66e8524d03cb4b5bb9f3fc
SHA1bbd9cd592c825f0c985e7e1aaf10d4356182a7a2
SHA256224e4a9cba108cac3b4bd7cbbbb2b1cd4915e3cd127e146cf3b045c041aea536
SHA512b2b62d657bfa6763eef87abec8f50f33e643f30f7d571f0bc0ad7db8d8e0ab30e1e9691acbeac6bac0661d8308237263cbae5fd3fdfc4bfcc6fd7185cd0beecb
-
Filesize
72KB
MD5e678d4f8b3adf07c328d297d333a6e2a
SHA1295d9eb88a06b59e40d2e7e41836329e5285b07a
SHA25660067f00c6aaa1b03d0783b52b5a5ce5e99f870282b25199e575abe779e769be
SHA512b1a4c3d9664313c4a763246a36a896394bf7517e0f58a7a949876187d42e500c5c22b59f22f23e294e70792f1341e5573a33a16dfe316ab511620363ee2524bf
-
Filesize
72KB
MD5d1a7f9eea2f9c68d21cce4414bc17a0e
SHA126d57cb8948c3b8320c1e8995263bd49c827408c
SHA25656c35d14ec7fa67bd9b5af62382daf79b56d82b9afccff6fc023f9b96e6d1848
SHA512ffed4e5a27010b9938da7cd30635a75eca76beeb6531d5b02e2bc39bd1635b4a1e11a9e559a59ab0a4c5a583d79c868a2c56c072a1a091116af56d337a9aac32
-
Filesize
72KB
MD540badb415dd13d2705ecf0680774d460
SHA12dca83ef329546618254f96f356cbd8cc912b4a1
SHA256c84855a464ff7c2ab1dfd85ebd4e2e3c3bc6d7fdf4985b53b63abef913e5ac5d
SHA512f6592c62b9f74dc38939094310b3f942f4789b8c1805cd85a58d5c4b9641c6b54e0f6f4cafb7300f7a331674a613ddc2feb9b127be488d0fba3e05805a9b23ad
-
Filesize
72KB
MD5214482b37b3a5bfb50e37c91bb9350eb
SHA1d815a8ce9ff383cb0b9ee1409b8aea2732f97709
SHA25694b73f02c2b0650ff413f40635f156e56f1832308990ea0650b67bcd00d0af89
SHA5124eacc18a0749f62f3aa415e6609f3b70131efc2c0100da2482d7f45a8e2c82754dc1f04a95a26885d239ecf56b1fef128e41a29f0ab9db81277f60479f0c5e05
-
Filesize
72KB
MD5de6aa0cf51626353765ba069ff28bf32
SHA1193708f16a47972197ded5f40159100e499fc441
SHA256e4c9bb757b42706709a10b4828053b9733dadaa7a4b7f64c535d0fc9f4fe97ed
SHA512b1b0d2c22f6f53eb3a64061a4a54097e17b517fde5daf2f44b9f1138ed0adb66c741a0534071810fc12eac9b565e89d4e5e3fcce354328372ef407fc7ecc9301
-
Filesize
72KB
MD526872ab759c09ad711d967788db3d884
SHA12f36a8d7a34071158baa5d2eae31f220ca91f410
SHA256e1e3633ccad69b37ddf9a14c1b7cc4cda3c681defb449dad9054a5a587440796
SHA5120eb0281d632513b0dfcb2c901793c72df75a2a0f491fdfbb0466292fdd6bbe2ec668b2c456722dad55861cdb1f79baf0a3661625bc1942183ee136c59932e767
-
Filesize
72KB
MD50d44ea9a371becc30cfa354827c4d602
SHA1689d5d92896f4554d3a72b1d44777e52907788c2
SHA256ab2ae71790e58187b8f6e11cd21f1bbd59b6d7d75d212e73833d03943ae5dd2b
SHA5121e4899db2e89720a912462f1f1ad352400a4b7dd383f0751c3674dcb95cbe5e1c945e064ef2c6aa98cabbcaeb45ec5176234a432d3abf111f48b471281038617
-
Filesize
72KB
MD5e933367e2284d3b3c98942fb0033dbde
SHA14cc4246d5397e2ab43d7b5533a426413b39ae862
SHA256a0fc0fa2f9babfb78efca56a58fdc56888ca5c580eda6c7061b0f551e5827e10
SHA512a168bb4e9f7a52fd8d82730f9a14f901e2c2f05b5934403c397f1d7803e420f27fcd07535aceed1a6e5f22de70c4db3e6177429ec81ad02ca6d5ad953c111736
-
Filesize
72KB
MD58ac59940c2754a574da49a2cef2a98d8
SHA184f46232de221e7f6b6fdd0a34c9e322157f652f
SHA2561b3a9e9cfb0478161ebcf747a34a17015c17f294aa8aa975a5db23cb37c254c7
SHA51255f3936315344333a1c2e5ae7fa5b3e904f79c4e2b225e444db17ad2312b05bb190ffb531e170531235dd2cf5504c9f746ccae7ad1a3466385859bc38fc64ec5
-
Filesize
72KB
MD529f22bd38b97e9a9e61a009dcc0242b5
SHA1fbb400414a9fb6105f74da3ea43f30302198745f
SHA256569af4831ed3c64ba02d1ecb09d400a222d6d53ef87fe26d3a24d6df64abfe4e
SHA5127deb944b98200c85df4c825a46c38e0559ccff430acc41043d2a84b6bf6fef8246310b3435a93da5f74f3c51316739d5cfe872a836eedeecd0c16ef415c2ab04
-
Filesize
72KB
MD54820836928d2b473cd6823eb259911a3
SHA13e91abdcb019230a4daf5cbd10cdae6818493afd
SHA2561cedb714083729765c77a9b31c29e0ea50ece4bc4eed5e3823e0f560042e4028
SHA512f347c450bdf3d31189554e87e02d2190b288bdfc762a8d5c5a0e78edd1036e76bbfe6efaef36b33b83490e341964d280a45bb722eab0f1dbd3442c51a53dbd8c
-
Filesize
72KB
MD5e1697f93ca33ca21c0b8227d041dbdd8
SHA15ddb1f899cd5a92b8dd40d09763612f984b24764
SHA2563ce2dd810e58cf82ff00967d57d8b52fdb884008ffddad049a584ee199f06ebd
SHA5126185734b0cac87c0127ba47ad497fd8ba1d2d6cb56d4fb2e3e994c4332ac1985a9ca1e6d8f41e2bbc19ffb7d091b898bae7a94688297675d060ff6b345630186
-
Filesize
72KB
MD52e52dbe3e9dc629a6b902795061f19cb
SHA177a7bd5d22ed97d5a2e6658cc59edd1c1d806d06
SHA2562aa0d9ce4eabbf52997d94b86abe1e53d8170c669ef7e69b726b03018ebfb640
SHA512de5bb09af369080d7bc9e7bed6cc02be98286ee4788cd0fc335688ae8a3143940399e5214c8f1bf9abd3602ebf69f00d094d1c2ca9e7ea83eb8d113e59842818
-
Filesize
72KB
MD53ef7e09dab5067a072030062e9501df2
SHA1b8ea6b8ec733d6e25fbf2467ef3d61292ef1c7ab
SHA256a67f6e0561fbd9d4f9f75b8d2fc481eb8af30efbbb5d87f1f2dfd2b54bce636f
SHA5128b60c2c02f6c45b6ac55cee7feddec206bdebb95e47c0863ea879dfbfbe8e6d4617b9bf1a26e089057a56e244f7fac2035abc2ccc5a4a05a2935fb900284c4f6
-
Filesize
72KB
MD5f1a2636f983b357347d0617d57f5bd57
SHA118fb514b98fad8e9e27be1deffdff87164604b70
SHA256ef474a85e7acd9eb979668d7a930e25af019f22ffd239f3bd4d7b68f4adcbf71
SHA512aadf296ccd6d10b4de3b5ff4eba7ecaf1a04456bc4deeb1199259395cdc3d59bf67f0893c57421a5542327f6ed7cf5c9dc4d697cf4160cd20792aed92266dd44
-
Filesize
72KB
MD5eac07f8bb2af33c8b739a4f7e67c2daa
SHA10304dbab4984e45fe473c92940f50d7a88edf322
SHA256fb54249727f4a4e98f1393face467386fbb5f8a2f06b20d8fb57ece43aec68af
SHA5129cdf229d88ed822ab8bd04217b798f18054f52b790de04442260bf76f7de394cda0bc1b24e03ca3d1552dd279e806aa667e5aa158134d3ec3f6aeb9a0c5a1076
-
Filesize
72KB
MD52c244276df1797b270e6dc26b56cc7a3
SHA1caa34b2833204dfc10bd5236f8de155a537bfa28
SHA2561d3968430eba3f05e4c811aa484e2787ea439e0af82d21ede853c33adbafea9d
SHA512ca5ca22a66062181ff6bc10e661453559e65ac754492d6cccf1b8a4bf71c2714b96411d9e3d82c73559f7f174342b69e508ba4a1aecbbb4405c5a4becd119c57
-
Filesize
72KB
MD54d2fbccf7477b614719cd99de8884e30
SHA1f9d95a888effb6523cb45c2bf6fc46be30a3f67b
SHA256f9f5517fe544c7bf2c0beef5856b2af39180ca1241a1cb73edf7a7979c2cbe13
SHA512414221e2584737578400ff01cb2093f1ab57fc2c3259ef1973e81ba69458d89d2ef02969130c90bacb4038fd255d45689e87a3dc2309fec11a75732a424e4377
-
Filesize
72KB
MD59945063951ebe61ed38caa85759a3ab8
SHA1b3aa6b896c89c1f8b3d0a32c142c3803297c198b
SHA25611dd1b6c567b97d0f121a80c14c130e0f84bcbee2281bb173572b781896b187c
SHA512ff4ab50b9dd8c9221eb76f4003ff94f12948c95197ae3a36fc37fbe724e89903ffda1916e9d76583f8679117800180cae85b8daafc240854baead8290444a726
-
Filesize
72KB
MD5fcf6825bd2d4d33e04b032c932b07a48
SHA1fa0babb3647f852e250bd1ca04b6a492bf3c86d2
SHA2564be080352983535cc4df6317567e74604729f4a6affa844a19619efd2112cff3
SHA512cda0e1a58e5ca84d890795b5c6fa713983f73a7de1fdb817872f20c771e586025508d243dc66fe8fb3b5100522ab35a695e5c09a7fbfd7e83b3fdc472c246dc3
-
Filesize
72KB
MD584249c89c4491524bb2e2ba62fcaa185
SHA11343daf374d1007f407e09060d7aeba013ca9e50
SHA256d768dd7cd28be5d3dc764addd2fb97cde12aea9d82ad1463bd45254ef9cf6a46
SHA5128ae41dcfc3663704303fb913201558d0a33d4b9bb562ad9268fdf43280eb816466307e3d6e0e98fa64bfefa8d3d814376c26fc53f4e6c12eb9b00dd366411276
-
Filesize
72KB
MD513980af571e02e5924a47b411c178794
SHA194354d71bd25c407c1c20351f4f41b60079e78b6
SHA256c702e2502fff58da86f246512de343deb0f50b2a275047414c209ce814f59f5b
SHA5127e886333573764121022eaa5736ea24804668af61cc73ac245f20e27b7275a8c8777accde1127a80a558afaf24329112028a5de80e45fd847f1da69233957883
-
Filesize
72KB
MD5a3cda09d4f13e34074bfeec38b07832d
SHA1d31283f406eab4b9fc6088956eb5b9bf13906af1
SHA2566aac4e7b701d46ec5c463998139aa9ef9967bde6d5922654e11b9196843e81fa
SHA512f4e7f367d2f87eeb35a37a2e8a4e14dcb1a7356e92d064972c592330f834fd60595f903d7982b60b3b3763e7f4a405753662442a2bc7b832a390e0b15e2e4a2f