Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 15:37
Static task
static1
Behavioral task
behavioral1
Sample
9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe
Resource
win10v2004-20241007-en
General
-
Target
9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe
-
Size
64KB
-
MD5
d141f63c13fc6b16154520ed376bad60
-
SHA1
a914c2c4315e01b8e7a5293c45275be481fef65a
-
SHA256
9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666
-
SHA512
cbdf835708c79077a38f48d0c7ce94f6779a92c4bdcd7d5d5f78c8e7b373693813e2d90d5a5e79597a6e8be8b515f22957cfc3e8e447969ce6c2f7b31421f99e
-
SSDEEP
1536:AmDhOY9ZE2vGT2FCvZgEmK2aQfb+qeWy9rPFW2iwTbWv:Aa97vQ29ER2aQj+bXJFW2VTbWv
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgehcmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbiedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampkof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anogiicl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjagjhnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmemac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogogcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnlaehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qddfkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmhck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffkij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqncedbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffdpghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgbnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncgmkmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aclpap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkjkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cndikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgjlelk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmgki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjejl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmehkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmhck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkgeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adgbpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageolo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdmffnn.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3184 Pmdkch32.exe 1264 Pdkcde32.exe 452 Pflplnlg.exe 1776 Pncgmkmj.exe 3340 Pdmpje32.exe 524 Pgllfp32.exe 3700 Pjjhbl32.exe 1632 Pqdqof32.exe 1652 Pcbmka32.exe 2208 Pjmehkqk.exe 4672 Qmkadgpo.exe 4780 Qdbiedpa.exe 2804 Qfcfml32.exe 3752 Qmmnjfnl.exe 5056 Qddfkd32.exe 1828 Qffbbldm.exe 3060 Ampkof32.exe 4044 Adgbpc32.exe 4884 Ageolo32.exe 2984 Anogiicl.exe 2248 Aqncedbp.exe 688 Aclpap32.exe 3908 Ajfhnjhq.exe 4752 Aqppkd32.exe 3208 Afmhck32.exe 4180 Andqdh32.exe 2300 Amgapeea.exe 3900 Afoeiklb.exe 1160 Aepefb32.exe 736 Bfabnjjp.exe 2640 Bmkjkd32.exe 1964 Bebblb32.exe 3144 Bganhm32.exe 3756 Bfdodjhm.exe 2648 Bnkgeg32.exe 3080 Beeoaapl.exe 1540 Bffkij32.exe 4852 Bjagjhnc.exe 4464 Beglgani.exe 1492 Bgehcmmm.exe 1100 Bjddphlq.exe 2128 Bmbplc32.exe 4736 Beihma32.exe 1972 Bhhdil32.exe 3584 Bjfaeh32.exe 3648 Bmemac32.exe 888 Belebq32.exe 3392 Cfmajipb.exe 4276 Cndikf32.exe 3680 Cenahpha.exe 964 Chmndlge.exe 2460 Cfpnph32.exe 3348 Cnffqf32.exe 4012 Chokikeb.exe 5012 Cagobalc.exe 3536 Chagok32.exe 2888 Cjpckf32.exe 1372 Cajlhqjp.exe 1248 Cdhhdlid.exe 4888 Cffdpghg.exe 1588 Cnnlaehj.exe 4476 Calhnpgn.exe 824 Ddjejl32.exe 3476 Dhfajjoj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bjddphlq.exe Bgehcmmm.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Bgehcmmm.exe File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe Cnnlaehj.exe File opened for modification C:\Windows\SysWOW64\Dmgbnq32.exe Dodbbdbb.exe File opened for modification C:\Windows\SysWOW64\Doilmc32.exe Dgbdlf32.exe File created C:\Windows\SysWOW64\Hmmblqfc.dll Pdmpje32.exe File created C:\Windows\SysWOW64\Qmkadgpo.exe Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe Cdhhdlid.exe File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe Dhhnpjmh.exe File opened for modification C:\Windows\SysWOW64\Ddonekbl.exe Delnin32.exe File created C:\Windows\SysWOW64\Dhmgki32.exe Deokon32.exe File opened for modification C:\Windows\SysWOW64\Bjagjhnc.exe Bffkij32.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Chmndlge.exe File created C:\Windows\SysWOW64\Cnffqf32.exe Cfpnph32.exe File created C:\Windows\SysWOW64\Cffdpghg.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Dfnjafap.exe Ddonekbl.exe File created C:\Windows\SysWOW64\Baacma32.dll Ampkof32.exe File created C:\Windows\SysWOW64\Bfabnjjp.exe Aepefb32.exe File opened for modification C:\Windows\SysWOW64\Bmbplc32.exe Bjddphlq.exe File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe Qmkadgpo.exe File created C:\Windows\SysWOW64\Amgapeea.exe Andqdh32.exe File created C:\Windows\SysWOW64\Aclpap32.exe Aqncedbp.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Afmhck32.exe File created C:\Windows\SysWOW64\Ebdijfii.dll Beglgani.exe File created C:\Windows\SysWOW64\Djgjlelk.exe Dhhnpjmh.exe File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe Deokon32.exe File opened for modification C:\Windows\SysWOW64\Pgllfp32.exe Pdmpje32.exe File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Anogiicl.exe File opened for modification C:\Windows\SysWOW64\Bganhm32.exe Bebblb32.exe File opened for modification C:\Windows\SysWOW64\Bgehcmmm.exe Beglgani.exe File opened for modification C:\Windows\SysWOW64\Dodbbdbb.exe Dfnjafap.exe File created C:\Windows\SysWOW64\Mfilim32.dll 9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe File created C:\Windows\SysWOW64\Ciopbjik.dll Pncgmkmj.exe File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cenahpha.exe File created C:\Windows\SysWOW64\Aoglcqao.dll Cenahpha.exe File opened for modification C:\Windows\SysWOW64\Qmmnjfnl.exe Qfcfml32.exe File created C:\Windows\SysWOW64\Amfoeb32.dll Dmgbnq32.exe File created C:\Windows\SysWOW64\Qopkop32.dll Bebblb32.exe File created C:\Windows\SysWOW64\Glbandkm.dll Bganhm32.exe File created C:\Windows\SysWOW64\Mkijij32.dll Cndikf32.exe File created C:\Windows\SysWOW64\Clghpklj.dll Cjpckf32.exe File created C:\Windows\SysWOW64\Efmolq32.dll Adgbpc32.exe File opened for modification C:\Windows\SysWOW64\Afmhck32.exe Aqppkd32.exe File opened for modification C:\Windows\SysWOW64\Bmemac32.exe Bjfaeh32.exe File created C:\Windows\SysWOW64\Cnnlaehj.exe Cffdpghg.exe File created C:\Windows\SysWOW64\Ghngib32.dll Pmdkch32.exe File created C:\Windows\SysWOW64\Hpoddikd.dll Aqppkd32.exe File created C:\Windows\SysWOW64\Eflgme32.dll Bffkij32.exe File created C:\Windows\SysWOW64\Lpggmhkg.dll Cajlhqjp.exe File created C:\Windows\SysWOW64\Jlklhm32.dll Ajfhnjhq.exe File created C:\Windows\SysWOW64\Aepefb32.exe Aminee32.exe File created C:\Windows\SysWOW64\Nbgngp32.dll Dejacond.exe File created C:\Windows\SysWOW64\Qmmnjfnl.exe Qfcfml32.exe File opened for modification C:\Windows\SysWOW64\Dejacond.exe Dmcibama.exe File created C:\Windows\SysWOW64\Gallfmbn.dll Bmemac32.exe File created C:\Windows\SysWOW64\Hfanhp32.dll Calhnpgn.exe File created C:\Windows\SysWOW64\Dhfajjoj.exe Ddjejl32.exe File opened for modification C:\Windows\SysWOW64\Qfcfml32.exe Qdbiedpa.exe File created C:\Windows\SysWOW64\Ghekgcil.dll Ageolo32.exe File created C:\Windows\SysWOW64\Bmhnkg32.dll Bjagjhnc.exe File created C:\Windows\SysWOW64\Bjfaeh32.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Dhocqigp.exe Dddhpjof.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Doilmc32.exe File created C:\Windows\SysWOW64\Pqdqof32.exe Pjjhbl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5164 2420 WerFault.exe 172 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmgki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgllfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampkof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhfajjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejacond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjhbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfcfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmhck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgehcmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnffqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqncedbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenahpha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodbbdbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aminee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbplc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chokikeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhhdlid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdkch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffbbldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doilmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgapeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpnph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnlaehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daekdooc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmmnjfnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddonekbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmehkqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beglgani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbmka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qddfkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calhnpgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflplnlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqppkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beeoaapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffkij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmajipb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjddphlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffdpghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgbpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andqdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beihma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkcde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdqof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmkadgpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbiedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageolo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll" Adgbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhocqigp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjjhbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll" Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djdmffnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgjlelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgjlelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddhpjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll" Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll" Cnffqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll" Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll" Aqppkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll" Andqdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll" Chokikeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbdlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll" Pmdkch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll" Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmemac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cajlhqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll" Pjmehkqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chokikeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" Dmgbnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgehcmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" Ddonekbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adgbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll" Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll" Qddfkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afmhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll" Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" Amgapeea.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1284 wrote to memory of 3184 1284 9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe 83 PID 1284 wrote to memory of 3184 1284 9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe 83 PID 1284 wrote to memory of 3184 1284 9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe 83 PID 3184 wrote to memory of 1264 3184 Pmdkch32.exe 84 PID 3184 wrote to memory of 1264 3184 Pmdkch32.exe 84 PID 3184 wrote to memory of 1264 3184 Pmdkch32.exe 84 PID 1264 wrote to memory of 452 1264 Pdkcde32.exe 85 PID 1264 wrote to memory of 452 1264 Pdkcde32.exe 85 PID 1264 wrote to memory of 452 1264 Pdkcde32.exe 85 PID 452 wrote to memory of 1776 452 Pflplnlg.exe 86 PID 452 wrote to memory of 1776 452 Pflplnlg.exe 86 PID 452 wrote to memory of 1776 452 Pflplnlg.exe 86 PID 1776 wrote to memory of 3340 1776 Pncgmkmj.exe 87 PID 1776 wrote to memory of 3340 1776 Pncgmkmj.exe 87 PID 1776 wrote to memory of 3340 1776 Pncgmkmj.exe 87 PID 3340 wrote to memory of 524 3340 Pdmpje32.exe 88 PID 3340 wrote to memory of 524 3340 Pdmpje32.exe 88 PID 3340 wrote to memory of 524 3340 Pdmpje32.exe 88 PID 524 wrote to memory of 3700 524 Pgllfp32.exe 90 PID 524 wrote to memory of 3700 524 Pgllfp32.exe 90 PID 524 wrote to memory of 3700 524 Pgllfp32.exe 90 PID 3700 wrote to memory of 1632 3700 Pjjhbl32.exe 91 PID 3700 wrote to memory of 1632 3700 Pjjhbl32.exe 91 PID 3700 wrote to memory of 1632 3700 Pjjhbl32.exe 91 PID 1632 wrote to memory of 1652 1632 Pqdqof32.exe 92 PID 1632 wrote to memory of 1652 1632 Pqdqof32.exe 92 PID 1632 wrote to memory of 1652 1632 Pqdqof32.exe 92 PID 1652 wrote to memory of 2208 1652 Pcbmka32.exe 93 PID 1652 wrote to memory of 2208 1652 Pcbmka32.exe 93 PID 1652 wrote to memory of 2208 1652 Pcbmka32.exe 93 PID 2208 wrote to memory of 4672 2208 Pjmehkqk.exe 94 PID 2208 wrote to memory of 4672 2208 Pjmehkqk.exe 94 PID 2208 wrote to memory of 4672 2208 Pjmehkqk.exe 94 PID 4672 wrote to memory of 4780 4672 Qmkadgpo.exe 95 PID 4672 wrote to memory of 4780 4672 Qmkadgpo.exe 95 PID 4672 wrote to memory of 4780 4672 Qmkadgpo.exe 95 PID 4780 wrote to memory of 2804 4780 Qdbiedpa.exe 96 PID 4780 wrote to memory of 2804 4780 Qdbiedpa.exe 96 PID 4780 wrote to memory of 2804 4780 Qdbiedpa.exe 96 PID 2804 wrote to memory of 3752 2804 Qfcfml32.exe 97 PID 2804 wrote to memory of 3752 2804 Qfcfml32.exe 97 PID 2804 wrote to memory of 3752 2804 Qfcfml32.exe 97 PID 3752 wrote to memory of 5056 3752 Qmmnjfnl.exe 98 PID 3752 wrote to memory of 5056 3752 Qmmnjfnl.exe 98 PID 3752 wrote to memory of 5056 3752 Qmmnjfnl.exe 98 PID 5056 wrote to memory of 1828 5056 Qddfkd32.exe 99 PID 5056 wrote to memory of 1828 5056 Qddfkd32.exe 99 PID 5056 wrote to memory of 1828 5056 Qddfkd32.exe 99 PID 1828 wrote to memory of 3060 1828 Qffbbldm.exe 101 PID 1828 wrote to memory of 3060 1828 Qffbbldm.exe 101 PID 1828 wrote to memory of 3060 1828 Qffbbldm.exe 101 PID 3060 wrote to memory of 4044 3060 Ampkof32.exe 102 PID 3060 wrote to memory of 4044 3060 Ampkof32.exe 102 PID 3060 wrote to memory of 4044 3060 Ampkof32.exe 102 PID 4044 wrote to memory of 4884 4044 Adgbpc32.exe 103 PID 4044 wrote to memory of 4884 4044 Adgbpc32.exe 103 PID 4044 wrote to memory of 4884 4044 Adgbpc32.exe 103 PID 4884 wrote to memory of 2984 4884 Ageolo32.exe 104 PID 4884 wrote to memory of 2984 4884 Ageolo32.exe 104 PID 4884 wrote to memory of 2984 4884 Ageolo32.exe 104 PID 2984 wrote to memory of 2248 2984 Anogiicl.exe 105 PID 2984 wrote to memory of 2248 2984 Anogiicl.exe 105 PID 2984 wrote to memory of 2248 2984 Anogiicl.exe 105 PID 2248 wrote to memory of 688 2248 Aqncedbp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe"C:\Users\Admin\AppData\Local\Temp\9df7b8af2a81da09c8f8fb85badba5febff6cc1005c8fee4434cc6e15cc9b666N.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4752 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4180 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe30⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4740 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3144 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe36⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4852 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3584 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3648 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4276 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4008 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4468 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:4532 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4624 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5084 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe83⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe86⤵PID:2420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 39687⤵
- Program crash
PID:5164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2420 -ip 24201⤵PID:5140
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD53272e475482e320b8aad6ab9cca2d303
SHA19ad7cb91f29eaa6679d2d39aa5173aa7a9074ef1
SHA25625f70807beef242801609b8b70582ace4041763e273b694b0e16ad16e717da74
SHA51233bfe373534ba4419aa6dc99d0204699dbf577079aa667a46d0f0286fcd435231e6419dcb1c0380ab72cd39bb79f2c9069d72fb75a8ba6cb5ed68df232db91d9
-
Filesize
64KB
MD5a27787e12422d479a12ad3bfe4dbb10f
SHA1203798653c4e062cd2fe4af7746e8ae5365fcb9a
SHA256de86c1f376a2b3d5f64a7b814535643608d7082d21718fc885ce72daf2a98dcf
SHA512cf1894e3870a31483b6480f5d53e4136a27d49ce97c48c2174f1d75339160a271b2fa0427a4a28ffa8cd9af076c8fe672066e4e3d88917cf1a74e4c301984a79
-
Filesize
64KB
MD55fbe8f3f6bceba58949424990cb58689
SHA18889a1af5a24af68edafc667513c174e6ca3ec95
SHA256dfcd73b9a849c9b01357d930469e06e41ca993fdc8b91369da5fefae73c3a1a7
SHA512f1fff05cfc72ada5b6b4c1c13216039e3f9ad19e352eb975c10ce3e5236aff1ab5a330eb2a3111f64589ff0000eec6c4b2d0310aca48d4c9246ab9e8262d7e64
-
Filesize
64KB
MD5111a9494180b721bab5d8474bdb95984
SHA1d6551cc877a58693d9c776075093dd00e22197db
SHA256836bb83befe6f32b28ba61f0f5076dd7078743b8d508d8c858087b314bab5d00
SHA512b723f158e7405d120c7da86515f44c93710e2d3c4b1706666adc9ae84d425cd9161ec8b52d301fea61e9367ce016f2e77cfb45b059937d0b19841dadc908f785
-
Filesize
64KB
MD58701f7b32a1742e6e92648cf53041da8
SHA135b6d97a22065f39b2200ab93110b61da9165b1d
SHA25600ad248cdbf20b8a31c2d33cab7484ee029378f44974d1f1b8068315bacaf078
SHA512e0df98c872c70c1437e73ab5c01e0a7b8d12e565fba8b19ac0f3a7c4b886f9c8eac4f97ae33219c146b871b3a66529c46706c48b95dcdccd43bc8e7e1c6789b8
-
Filesize
64KB
MD5ae2e62d80013c698de8c7ad4c7670a3a
SHA194151b9627792803dea8ebca8ff6269d3ada2962
SHA2567105dced17fb5539330850a991ef6f6a5a9de3f44fde5bd22720c18cb71ee88f
SHA5126178f429dc8da003d20309942724515b7e393d2b6aa78773456788eaf23e3feed02949c31987e66115cdd1f283afc270d48cbfef7776044e501e4a53ff6fb411
-
Filesize
64KB
MD543695eac7c6fefcb8ca8eec894a4bf8b
SHA1f22eee819a2a1b206f4919e8941977b0e5c07a00
SHA256622f7cfe3347e3f881a36c669b69221f78e48bad6a3249720db68a0252b946fa
SHA512b72f266620079656d5607aabdb63793c10e0c88d318afc7ca1a0f970819c46a8021007420d11a21b846fb8ff2f7909688a2bf82ae048d770500c8073921029fd
-
Filesize
64KB
MD588454e1d31c428aa92cbc37531c86a5c
SHA134569d06bb9869b81d433b0ec38e96f2c3c8a193
SHA2565c0723ed91a413e85f9c0f0348ec90c2571a3e835e31d433049480e4f45ec5b0
SHA51205865253c065058a70a094be8a1aa859466bc68e2653fa97b00709f6fc23b72ac2b8ee4db27e32b568f51ff2a15767ad3f448d5297577b67d974683e6d5e0aef
-
Filesize
64KB
MD5034298f74ba2a83c869f8f96a21e9acc
SHA131913f7460fd4098d64d8de4b70b62ecd0f7f565
SHA2569194d764911324c009373a0e63865dbda746877ae040ba3a037c0e1eec60772d
SHA5127fa212e63091a90ed44db30146d3da4c9716caa461515fca2ade2e5d297647ff3fe74520fbe48f282200e5c11e7ab2fc97e0b19c6d8c22cac9cc2051ab047440
-
Filesize
64KB
MD52a0e440808a4aba0573d6fbeb4ca4c1c
SHA13a968daf7112e077c704ab69a7615c7f58516d5a
SHA256612ccccb48fdbb522372d6bd94793c099b8f7e9af40b7315c22b21cba18e6dd5
SHA512a8e01d92ff724d0095d3d2390102d5d8430c425a5fffcefcaacd1561b8168806faee36fc08554fc6cf605de7e6e1f23ebff144dc2f75e3b17cd058a3ac3508fe
-
Filesize
64KB
MD5bf6383839cec0ddc039bca8816ff937e
SHA175fbaf4a1ea4efc15cbf327f72a88aa7a5ab448f
SHA25695686c1a7c24476b33e516d8163740d7d58c07fa8017784adef4c29163040eaa
SHA512268b7f8849ca9d6bc14142c7381d67cea5bc00ac25f922b058ba68f375b01084ab970fb0ff098ff6f98278959457ea80595188c1a5b6a43f2bfe6a239a0800a9
-
Filesize
64KB
MD5f2ddc38e8eae300d45a1fadf059261a6
SHA123ce51de4ff7cd0b0d3bb6703fbbcfd6e41072ac
SHA2569004931bc04ffebfa781048c9edd564310df46fdb4d619c5556453e1931384ca
SHA512e490b29eb7d97f498902f078ccf3b38e9f764927e8773fa9f26ce781133c06e8135b9cb741d48236aa617aca592cf1ee5eb4ac69d76d7eabcb2d0a147d57d42e
-
Filesize
64KB
MD5cdfe70483f50f1529877324fc41a130f
SHA1ffa3c9d2f9a667497ad87c1e049d261c8f5078d8
SHA2565290877b8ddf38c56e486fb62164acc55b665a8fefdf91b3c4999b2c81fcd63a
SHA5121d309ab37c9e34b0f99c71372c8dbb1345a2b1c42a4e8da59c2d371e2cd0dbeb3bb188a171fbe04517905e2b6867ac824cabdf5b479993d65b45feec76ce8462
-
Filesize
64KB
MD589557278a9e28c29ba11ec82df6b14cc
SHA1aca755c62b71d0f81cf1ac2668bde99961465b50
SHA256579d1ade9283edd15147e91f153ceddbe0112071c4e6c894eee22045b590b432
SHA512c13421b32986b1ef6435e25ac47c2b1634bfe430f1f9930b6f218b01f4dad619ba659358f10d5e9b02d31325f7d5edfff5ececf597fba8564f1e080b109d4803
-
Filesize
64KB
MD59535cbeab4a8e4339398d013e47211d9
SHA14783ec1184f64665bdb69d34e223929eb43087cd
SHA2566b8f082a9c5abd267de7d27f8d7e6865f48d32e26e34a232e3d4cb15ee24ba05
SHA51204599d73fb4dc3ee13483c8ed6926e85c8b05ab106643f9c7eec0936625d3db0d2cd5d0087d968dc3e7c51a03c72416ab30176903da02775ea1c59f9ecc888bb
-
Filesize
64KB
MD548528dd6ba1f6a670ff2b6ee58b92465
SHA114a30b2ce6b144d134d77c2137418daade14a4e4
SHA256616c32f81a5b7583643f4ce409a71f1906aa37af8ffd5f41a2143b22d953d314
SHA5125b1113477db15aff0c6c44e34f4d800eb3a0179d960126f88889743482d1617ac4055eba426e86a8f84da0f5eb7757f3e99a63b1c830376435d9822cfb03e439
-
Filesize
64KB
MD5dd11d405a0c70c8e4fd2d9dea6ac1844
SHA111c7149490a9c52aa58f7bdd2ceed5d489b3730a
SHA256328e8e8ee5a2191f511953eb539df064571a54b7d12c1f8870d86d7029bd503e
SHA51266e41aa1b14eff2b34e85ebd0884c6854f737736c81dca20099dbedabf38eb0d0fcc237876aeef5369fc3cf07ba8aacc8a7ff011144aaa9e618225145e8c74ec
-
Filesize
64KB
MD5ec2b466dacc21f328e2fed40175e8601
SHA1ac5782bf65d8c867e70c57c8d13740c5acdcb264
SHA256ea2dd1c4ad206ea11c0a68b442feddcdd111ebdf0fcaa3379b41588878628a61
SHA512fc699752e323a19cdb6e2f25822cc20f4d3a36c07aa3309444c80499a258869babe57d2a7ea04012282a8882088fdf55ae99595e29740e0f433ecef0d7c60e5a
-
Filesize
64KB
MD5be918223591f8aea8f7337f724d055d0
SHA119a6ae8a870d0ecd4bd0e79f1a3b21da78136a18
SHA256ad48478552a10c1726dcefdf3d913396f065ff4bde6fef8a5847da9f845fabd8
SHA512b4270139209bf7bc3044a68104352f2dd7f9991e806a2717b3d6c19a29d2584a157c0c3cbb9c7a9d19bba266f708faecf364f3f015efbfcf0979c7e4537189ab
-
Filesize
64KB
MD5b4081bc0241e5871f29f22ae3616ab0f
SHA15fecb982773c90aacaea599174703ede4e827a31
SHA2563e24671eb0dc4254650b301e56dc06ababd5f1f2881ebd1986812c941a47d2a0
SHA512df75c1061e28d5f49d91a857717b704b4e8a5b73b465008f498f0937fa6e227dbc2cf616e1ebc630e862f385ea7faf1469bd68319bd32cb1328eb3eaf85b5ed0
-
Filesize
64KB
MD5b9a22222a37219633decaab89c190056
SHA11fe3d52d11be896d7280ab503ebadc6f23e4379b
SHA2563f48234f5a29e1977ec1a74aa40e85300b1daea896a34574fc389b63161ca883
SHA512c0278196d46b53de6e51e0da24af63730935e63b8def04a15fb339caf950f334c90ee5a21e69888a029c06be98c2512ff03b3af0a188f24e863b345c887b532b
-
Filesize
64KB
MD53972acbec8b372770bcb4d34ab63cfaa
SHA17debf83cf51eaa85ce1d19511bd5e39ef9a79a99
SHA2563df95322ae235c83874183bdc9213029dc7e65c528863947c085bcdbdab290d1
SHA51233c49e2c1cf84f7828c090b6561fd2494dce6a129050ed3d152afce420eee43d91853e68f2c2d7d322246a7fac5126d65a8af4679b8824395ca698e195c2ab4b
-
Filesize
64KB
MD5113147f196158278b04ecef9276f9899
SHA18b106fea272aaa7e6f533998ba2c3f6307b2123f
SHA2561082ec04f57223bdbad1730dff9c8fefe6aafdc975eaf391f266c52ac8fa5afb
SHA512fb5dc509b5832131b1c71ae5d4c20e5311576e5b79eab25a81fb8d17b42a4f0060f6274de9860df110d942d22ba699f9ce276a610e9e548292403785a7fa9ef9
-
Filesize
64KB
MD5aec21e5bc1dc27a211fe943de04b376d
SHA14dcf0b068b2e5bef4822905e62b689a29fe2428e
SHA2561a79a1af0876ae553c710ac0f7802da9ebb962bd2c87db35179457f2c70985eb
SHA512a225a93c0c1fabdebe287b934051e7d3b58601847dcae5128b53d4cb83d5b166d415f5d72b0b270105d8ed0db298357ecf8f7ce1970b006deb852d4a757929ef
-
Filesize
64KB
MD5175d01b251ce24d1ee88ff63e649490a
SHA1a471a382a425b6f6ca47fb8745b32fd0d83c0e66
SHA25673cfe7d6293935a10f6254993098e5290b4ac7d0af0826b29b66316d18b55b37
SHA5124fb5fd551340748911f2271ab22dddf3017a927164a56eeeacaa0aae30cf4f468a933abc3c35f34cda66577bf8c55f6a0e843e5a14cf66e5b3cb46e07368483d
-
Filesize
64KB
MD50582df00cb9b9ff6ce0035c15baf6f4d
SHA1523eb4fb0c028501f578b070d04e56bb2c749488
SHA2564cd18aed6d3c9ada0ee00f1e3f6525198aeefac0ad3336115f4125a429c9c63b
SHA512646f47fd97ba41ff4833e774b93c2c70b79e2af6394e289a3ac715a283267f6c018e30c1c3fe778242e222a87395414afd607f2df16fba99f6c5aca11d4291e8
-
Filesize
64KB
MD579ea37b2079f25d54d426555d26dabd3
SHA1d5e9850ea2a67996ce533c05dd31b54b4bea9863
SHA256eeb919574ebd8b135e5801e64b58afbc240c475ea67fc96054293eb3da1a1d4d
SHA5123cb4f8918f1b50b2050db70af84b0edfb86d03e4f009ca429622c6992892dd5399c0d3040113bebcb33785be87850d18ce19593c396926bf418abc887517aefb
-
Filesize
64KB
MD5c6c73fbd450fbb926cb3c54656aed193
SHA134eed4c5085b1d75d5135d926736fe3fb2ed0642
SHA256936bd069b144d13624027ea00069d477351134e0665969886bdbd29432e25a16
SHA512ee229eaa78f7d688c7122a8eb69d59a2c88a2e05c68cdb94501c5347b6ebc8ab2e87b5c40d277e08645a04a92eab9bd50fbed05c5d014f333f2a1546002c429b
-
Filesize
64KB
MD561337f2fc71562445e3bc059cfe24329
SHA1e876b062bf7ed083a861e54e418fc3d1950a69a6
SHA2569e9a9d5c7c14a92f692acac8a63bef98e4510bec632d1e9746645925bba4da81
SHA5120bb3286e5c8749ad3d93bb693863ffc93c27afbf8b149e8ee12ba0b6f9498020f2b911bacc6f3e86d795ca3d1e2c082f3e8f908c8f51f4958d3241354912abc0
-
Filesize
64KB
MD5c20a5146581a62e18205baf45ac229ff
SHA1ff4879597a38546f8f991516680113a73c7b41cf
SHA2566576872b177388727a443e1ac67c6d60104c3ca78a4466d3bf05e9c179605cbb
SHA512dc43b0cf511a1d3b60f01b1b15ae71d7c40577a43b6bd9d995a786ae1550ffaef526873f04c16584e7fb13934cfacf2c71bdce2d477aaf40da4afdf23dbe5411
-
Filesize
64KB
MD562010cfc4ab2a94196e60572e7e72dc3
SHA1a28e46eb8f0f08783f37d947edabc43061bb8fbe
SHA256a6e35ea9a7fc47338ef0c7c52ec12b713ca8a63d103f1b648ceb7a23052e3e42
SHA5128eac529aff3ac505843dec31ae463bc66871f6745fe722086a62afb411da9a80bc4e5aa3db0fd83c50b3c4cc2673cde3a0a31e4462c0378f8d7f439a3589dee7
-
Filesize
64KB
MD540ca05cfcd7fd087901a8cb21ed5e019
SHA10ae1033af248fa81cdf97e80b2c9c4b795492750
SHA2566127cf3256080ac4f2d4d4d0251a3f56a4d2844619b8c72dea69be3fa57ae61d
SHA51296f98a82216a3db51c0501c76b1250f3bf64f1b9156629499bab4e445c6e83c7df92d45213404837e81330feed6e53b7f5c524c9c838389c07bae86a5b98051b
-
Filesize
64KB
MD577e4f72a52436f633864f6bbea1cf85e
SHA134d493946abc691b0c78043d37185696af9853b6
SHA256b405db875b9222cfa09c71a2dc28eef8945b9d4eb63417e4952a2c5e9cfacc6f
SHA51204100304b63ef6e3de702ea35a1dc2a554cf3d6f0e974aa5d528b0c9531a33007c9dc66de9c99d2d3d0cbcf520b19237bc6f300bf19cf58158bd9c40699f9a84
-
Filesize
64KB
MD5d93bb5345cb8de7c627b790ffbfab1a8
SHA13dd7e227c4621637ffcd0e4be838cb7be46a7b4f
SHA256db299bcb480e8d080f14675b7e027108526be03b31e2599908436cdcb2c872f0
SHA5122cf10ab418f0cecd64b15e1cf808a3252e9a87a3bbae08ca806e8898f8fcc4c2b7d1d8bd8d6b664294d557e870c32a94a56d8121e39a822b9abac8033bbeda2b
-
Filesize
64KB
MD5034ed89a6f3663dc1bec5fb3ae419b53
SHA118c41395eb7db3379c65b19f78ccdbb0597795cb
SHA2568613a13bcc5b1f10808e860bb2f6a229405e57a2edb373561f44e03f8e814c45
SHA5126464bf8f2e30adfe39fd31b98a840647116b4823727d840d5e5defe17a4eddbdc7b13353cb00259d847b30beaf3a713d59807a1f9c891e82b5cd1cd1964c67bf