Analysis
max time kernel: 95s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 16:01
Static task: static1
Behavioral task: behavioral1
  Sample: 35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe
  Resource: win10v2004-20241007-en
General
Target: 35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe
Size: 324KB
MD5: ebc69a50823fae08049f193113756bf0
SHA1: 8853dff0b2f896a1440eaa5c455c70c9cbe81caa
SHA256: 35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7e
SHA512: 573c809a36bb38d03ab425c68d0954fe568b810a8fe9d7167e6c20b79dae0046e6773f1154ed7b69f5e567fb5f9fde6c05c88e9ed36d0e00aa29c402c6b2d610
SSDEEP: 6144:zcbmNXktahlY1Szd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:fNVn/p5IFy5BcVPINRFYpfZvTmAWqeM2
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfknkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bcjlcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmiflbel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dmcibama.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bganhm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjagjhnc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhkjej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agoabn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnkgeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Chmndlge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjmgfgdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nebdoa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oddmdf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmdkch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgcbgo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddmaok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Delnin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nphhmj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjeoglgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qjoankoi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmiflbel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chagok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfolbmje.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgcknmop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjfaeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aabmqd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beihma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpablkhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnkgeg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cndikf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qgcbgo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nepgjaeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdcoim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmdkch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ageolo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aepefb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cndikf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnpppgdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnnlaehj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkifae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkkcge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnlhfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjeoglgc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qqfmde32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afmhck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmidog32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfdodjhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Balpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfiafg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Banllbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Delnin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhkjej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bganhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afoeiklb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmkjkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Beeoaapl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdcoim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndaggimg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngdmod32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfabnjjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmkjkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aabmqd32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
4604 | Mpablkhc.exe
428 | Ndokbi32.exe
4228 | Nepgjaeg.exe
5096 | Ndaggimg.exe
4788 | Nebdoa32.exe
2420 | Nphhmj32.exe
3512 | Nnlhfn32.exe
4536 | Ngdmod32.exe
3368 | Nlaegk32.exe
4560 | Ojllan32.exe
2864 | Ogpmjb32.exe
2604 | Oddmdf32.exe
5076 | Ojaelm32.exe
3972 | Pjcbbmif.exe
4672 | Pjeoglgc.exe
3980 | Pmdkch32.exe
4860 | Pfolbmje.exe
448 | Pmidog32.exe
972 | Qqfmde32.exe
1332 | Qjoankoi.exe
5112 | Qgcbgo32.exe
1856 | Aqkgpedc.exe
3700 | Ageolo32.exe
3832 | Afjlnk32.exe
3852 | Anadoi32.exe
2232 | Acnlgp32.exe
4412 | Afmhck32.exe
4608 | Aabmqd32.exe
1636 | Acqimo32.exe
720 | Afoeiklb.exe
2792 | Anfmjhmd.exe
5032 | Aepefb32.exe
960 | Agoabn32.exe
5040 | Bfabnjjp.exe
3936 | Bnhjohkb.exe
2164 | Bmkjkd32.exe
264 | Bebblb32.exe
776 | Bganhm32.exe
3220 | Bfdodjhm.exe
1536 | Bnkgeg32.exe
2948 | Baicac32.exe
4616 | Beeoaapl.exe
2424 | Bgcknmop.exe
2208 | Bjagjhnc.exe
5052 | Bnmcjg32.exe
4128 | Balpgb32.exe
1088 | Bcjlcn32.exe
3172 | Bfhhoi32.exe
5056 | Bnpppgdj.exe
2100 | Banllbdn.exe
5068 | Beihma32.exe
1976 | Bhhdil32.exe
4516 | Bjfaeh32.exe
2168 | Cndikf32.exe
3152 | Chmndlge.exe
2720 | Cmiflbel.exe
5004 | Cdcoim32.exe
2452 | Cjmgfgdf.exe
2624 | Cmlcbbcj.exe
4972 | Chagok32.exe
2572 | Cnkplejl.exe
4444 | Cdhhdlid.exe
4220 | Cnnlaehj.exe
2552 | Cegdnopg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Bjmjdbam.dll | Pfolbmje.exe
File opened for modification | C:\Windows\SysWOW64\Cndikf32.exe | Bjfaeh32.exe
File opened for modification | C:\Windows\SysWOW64\Chagok32.exe | Cmlcbbcj.exe
File created | C:\Windows\SysWOW64\Pmdkch32.exe | Pjeoglgc.exe
File opened for modification | C:\Windows\SysWOW64\Ddmaok32.exe | Dmcibama.exe
File opened for modification | C:\Windows\SysWOW64\Dfknkg32.exe | Ddmaok32.exe
File created | C:\Windows\SysWOW64\Nebdoa32.exe | Ndaggimg.exe
File opened for modification | C:\Windows\SysWOW64\Afoeiklb.exe | Acqimo32.exe
File created | C:\Windows\SysWOW64\Bfdodjhm.exe | Bganhm32.exe
File created | C:\Windows\SysWOW64\Nenqea32.dll | Nepgjaeg.exe
File opened for modification | C:\Windows\SysWOW64\Bfabnjjp.exe | Agoabn32.exe
File opened for modification | C:\Windows\SysWOW64\Dkifae32.exe | Dhkjej32.exe
File created | C:\Windows\SysWOW64\Eflgme32.dll | Bgcknmop.exe
File created | C:\Windows\SysWOW64\Bfhhoi32.exe | Bcjlcn32.exe
File opened for modification | C:\Windows\SysWOW64\Chmndlge.exe | Cndikf32.exe
File created | C:\Windows\SysWOW64\Mgcail32.dll | Cnnlaehj.exe
File opened for modification | C:\Windows\SysWOW64\Ndaggimg.exe | Nepgjaeg.exe
File created | C:\Windows\SysWOW64\Lqnjfo32.dll | Pmidog32.exe
File opened for modification | C:\Windows\SysWOW64\Bnkgeg32.exe | Bfdodjhm.exe
File created | C:\Windows\SysWOW64\Fqjamcpe.dll | Bjfaeh32.exe
File created | C:\Windows\SysWOW64\Ddmaok32.exe | Dmcibama.exe
File created | C:\Windows\SysWOW64\Jcbdhp32.dll | Ddakjkqi.exe
File opened for modification | C:\Windows\SysWOW64\Beihma32.exe | Banllbdn.exe
File created | C:\Windows\SysWOW64\Bjfaeh32.exe | Bhhdil32.exe
File opened for modification | C:\Windows\SysWOW64\Cjmgfgdf.exe | Cdcoim32.exe
File opened for modification | C:\Windows\SysWOW64\Cnnlaehj.exe | Cdhhdlid.exe
File opened for modification | C:\Windows\SysWOW64\Dhkjej32.exe | Delnin32.exe
File opened for modification | C:\Windows\SysWOW64\Ddakjkqi.exe | Deokon32.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Pmidog32.exe | Pfolbmje.exe
File opened for modification | C:\Windows\SysWOW64\Agoabn32.exe | Aepefb32.exe
File created | C:\Windows\SysWOW64\Kofpij32.dll | Bcjlcn32.exe
File created | C:\Windows\SysWOW64\Ljbncc32.dll | Afoeiklb.exe
File created | C:\Windows\SysWOW64\Bfabnjjp.exe | Agoabn32.exe
File created | C:\Windows\SysWOW64\Pjngmo32.dll | Chagok32.exe
File created | C:\Windows\SysWOW64\Akmfnc32.dll | Bnhjohkb.exe
File opened for modification | C:\Windows\SysWOW64\Bebblb32.exe | Bmkjkd32.exe
File created | C:\Windows\SysWOW64\Bnpppgdj.exe | Bfhhoi32.exe
File created | C:\Windows\SysWOW64\Chagok32.exe | Cmlcbbcj.exe
File created | C:\Windows\SysWOW64\Afmhck32.exe | Acnlgp32.exe
File opened for modification | C:\Windows\SysWOW64\Aabmqd32.exe | Afmhck32.exe
File created | C:\Windows\SysWOW64\Cndikf32.exe | Bjfaeh32.exe
File created | C:\Windows\SysWOW64\Hpoddikd.dll | Acnlgp32.exe
File created | C:\Windows\SysWOW64\Gfmccd32.dll | Ndaggimg.exe
File created | C:\Windows\SysWOW64\Fibbmq32.dll | Nphhmj32.exe
File created | C:\Windows\SysWOW64\Chempj32.dll | Qqfmde32.exe
File created | C:\Windows\SysWOW64\Acnlgp32.exe | Anadoi32.exe
File created | C:\Windows\SysWOW64\Nepgjaeg.exe | Ndokbi32.exe
File opened for modification | C:\Windows\SysWOW64\Nnlhfn32.exe | Nphhmj32.exe
File created | C:\Windows\SysWOW64\Afjlnk32.exe | Ageolo32.exe
File created | C:\Windows\SysWOW64\Efmolq32.dll | Aqkgpedc.exe
File opened for modification | C:\Windows\SysWOW64\Acnlgp32.exe | Anadoi32.exe
File created | C:\Windows\SysWOW64\Bebblb32.exe | Bmkjkd32.exe
File opened for modification | C:\Windows\SysWOW64\Cnkplejl.exe | Chagok32.exe
File opened for modification | C:\Windows\SysWOW64\Dfiafg32.exe | Cegdnopg.exe
File opened for modification | C:\Windows\SysWOW64\Ndokbi32.exe | Mpablkhc.exe
File created | C:\Windows\SysWOW64\Pjeoglgc.exe | Pjcbbmif.exe
File opened for modification | C:\Windows\SysWOW64\Ageolo32.exe | Aqkgpedc.exe
File created | C:\Windows\SysWOW64\Afoeiklb.exe | Acqimo32.exe
File created | C:\Windows\SysWOW64\Idodkeom.dll | Mpablkhc.exe
File created | C:\Windows\SysWOW64\Aepefb32.exe | Anfmjhmd.exe
File created | C:\Windows\SysWOW64\Hfggmg32.dll | Bfhhoi32.exe
File opened for modification | C:\Windows\SysWOW64\Cmlcbbcj.exe | Cjmgfgdf.exe
File created | C:\Windows\SysWOW64\Jjjald32.dll | Dmcibama.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1068 | 2908 | WerFault.exe | 162
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpablkhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjeoglgc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bebblb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddakjkqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qqfmde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nepgjaeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nebdoa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Banllbdn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnlhfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngdmod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogpmjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfhhoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfiafg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acnlgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anfmjhmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Balpgb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnnlaehj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddmaok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deokon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndokbi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmdkch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afjlnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afmhck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmiflbel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdhhdlid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aepefb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnkgeg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnmcjg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnpppgdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cndikf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdcoim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhkjej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmlcbbcj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndaggimg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojllan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojaelm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfolbmje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Beeoaapl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjagjhnc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cegdnopg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daekdooc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlaegk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgcbgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfdodjhm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmcibama.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agoabn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bganhm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnkplejl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anadoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acqimo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baicac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjmgfgdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Delnin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkkcge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nphhmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjcbbmif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afoeiklb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgcknmop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhhdil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dknpmdfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oddmdf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qjoankoi.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nepgjaeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ngdmod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll" | Pfolbmje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Anadoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Acnlgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Anfmjhmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" | Nphhmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qgcbgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll" | Afjlnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll" | Nepgjaeg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Agoabn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" | Dkifae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojllan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll" | Afmhck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cndikf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkkcge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll" | 35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pfolbmje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" | Delnin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cmiflbel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll" | Dkkcge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" | Mpablkhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bganhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" | Bnpppgdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cdhhdlid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bebblb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" | Bhhdil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" | Cnkplejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ojaelm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkifae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Acqimo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bebblb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll" | Bganhm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndaggimg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nnlhfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qqfmde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afjlnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" | Cmiflbel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddakjkqi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aabmqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmlcbbcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" | Cegdnopg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Delnin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aqkgpedc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" | Anadoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfknkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ogpmjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pjcbbmif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bcjlcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" | Cjmgfgdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bcjlcn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cjmgfgdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ogpmjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll" | Qgcbgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll" | Bfabnjjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cnkplejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" | Dfknkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Deokon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" | Bgcknmop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bhhdil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chmndlge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qjoankoi.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\35be5a76f0fd09f9ab51e68641ee4f4c21e55df23ae662fc5c8e1c50af01ab7eN.exe", depth 1)
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Mpablkhc.exe (cmd: C:\Windows\system32\Mpablkhc.exe, depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Ndokbi32.exe (cmd: C:\Windows\system32\Ndokbi32.exe, depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Nepgjaeg.exe (cmd: C:\Windows\system32\Nepgjaeg.exe, depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Ndaggimg.exe (cmd: C:\Windows\system32\Ndaggimg.exe, depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Nebdoa32.exe (cmd: C:\Windows\system32\Nebdoa32.exe, depth 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Nphhmj32.exe (cmd: C:\Windows\system32\Nphhmj32.exe, depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Nnlhfn32.exe (cmd: C:\Windows\system32\Nnlhfn32.exe, depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Ngdmod32.exe (cmd: C:\Windows\system32\Ngdmod32.exe, depth 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Nlaegk32.exe (cmd: C:\Windows\system32\Nlaegk32.exe, depth 10)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Ojllan32.exe (cmd: C:\Windows\system32\Ojllan32.exe, depth 11)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Ogpmjb32.exe (cmd: C:\Windows\system32\Ogpmjb32.exe, depth 12)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Oddmdf32.exe (cmd: C:\Windows\system32\Oddmdf32.exe, depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Ojaelm32.exe (cmd: C:\Windows\system32\Ojaelm32.exe, depth 14)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Pjcbbmif.exe (cmd: C:\Windows\system32\Pjcbbmif.exe, depth 15)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Pjeoglgc.exe (cmd: C:\Windows\system32\Pjeoglgc.exe, depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Pmdkch32.exe (cmd: C:\Windows\system32\Pmdkch32.exe, depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Pfolbmje.exe (cmd: C:\Windows\system32\Pfolbmje.exe, depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Pmidog32.exe (cmd: C:\Windows\system32\Pmidog32.exe, depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Qqfmde32.exe (cmd: C:\Windows\system32\Qqfmde32.exe, depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Qjoankoi.exe (cmd: C:\Windows\system32\Qjoankoi.exe, depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Qgcbgo32.exe (cmd: C:\Windows\system32\Qgcbgo32.exe, depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Aqkgpedc.exe (cmd: C:\Windows\system32\Aqkgpedc.exe, depth 23)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Ageolo32.exe (cmd: C:\Windows\system32\Ageolo32.exe, depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3700 -
C:\Windows\SysWOW64\Afjlnk32.exe (cmd: C:\Windows\system32\Afjlnk32.exe, depth 25)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Anadoi32.exe (cmd: C:\Windows\system32\Anadoi32.exe, depth 26)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3852 -
C:\Windows\SysWOW64\Acnlgp32.exe (cmd: C:\Windows\system32\Acnlgp32.exe, depth 27)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Afmhck32.exe (cmd: C:\Windows\system32\Afmhck32.exe, depth 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Aabmqd32.exe (cmd: C:\Windows\system32\Aabmqd32.exe, depth 29)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Acqimo32.exe (cmd: C:\Windows\system32\Acqimo32.exe, depth 30)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Afoeiklb.exe (cmd: C:\Windows\system32\Afoeiklb.exe, depth 31)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:720 -
C:\Windows\SysWOW64\Anfmjhmd.exe (cmd: C:\Windows\system32\Anfmjhmd.exe, depth 32)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Aepefb32.exe (cmd: C:\Windows\system32\Aepefb32.exe, depth 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Windows\SysWOW64\Agoabn32.exe (cmd: C:\Windows\system32\Agoabn32.exe, depth 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Bfabnjjp.exe (cmd: C:\Windows\system32\Bfabnjjp.exe, depth 35)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Bnhjohkb.exe (cmd: C:\Windows\system32\Bnhjohkb.exe, depth 36)
- Executes dropped EXE
- Drops file in System32 directory
PID:3936 -
C:\Windows\SysWOW64\Bmkjkd32.exe (cmd: C:\Windows\system32\Bmkjkd32.exe, depth 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Bebblb32.exe (cmd: C:\Windows\system32\Bebblb32.exe, depth 38)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Bganhm32.exe (cmd: C:\Windows\system32\Bganhm32.exe, depth 39)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Bfdodjhm.exe (cmd: C:\Windows\system32\Bfdodjhm.exe, depth 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3220 -
C:\Windows\SysWOW64\Bnkgeg32.exe (cmd: C:\Windows\system32\Bnkgeg32.exe, depth 41)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Baicac32.exe (cmd: C:\Windows\system32\Baicac32.exe, depth 42)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Beeoaapl.exe (cmd: C:\Windows\system32\Beeoaapl.exe, depth 43)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\Bgcknmop.exe (cmd: C:\Windows\system32\Bgcknmop.exe, depth 44)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Bjagjhnc.exe (cmd: C:\Windows\system32\Bjagjhnc.exe, depth 45)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Bnmcjg32.exe (cmd: C:\Windows\system32\Bnmcjg32.exe, depth 46)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5052 -
C:\Windows\SysWOW64\Balpgb32.exe (cmd: C:\Windows\system32\Balpgb32.exe, depth 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4128 -
C:\Windows\SysWOW64\Bcjlcn32.exe (cmd: C:\Windows\system32\Bcjlcn32.exe, depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Bfhhoi32.exe (cmd: C:\Windows\system32\Bfhhoi32.exe, depth 49)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3172 -
C:\Windows\SysWOW64\Bnpppgdj.exe (cmd: C:\Windows\system32\Bnpppgdj.exe, depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Banllbdn.exe (cmd: C:\Windows\system32\Banllbdn.exe, depth 51)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Beihma32.exe (cmd: C:\Windows\system32\Beihma32.exe, depth 52)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Bhhdil32.exe (cmd: C:\Windows\system32\Bhhdil32.exe, depth 53)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Bjfaeh32.exe (cmd: C:\Windows\system32\Bjfaeh32.exe, depth 54)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4516 -
C:\Windows\SysWOW64\Cndikf32.exe (cmd: C:\Windows\system32\Cndikf32.exe, depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Chmndlge.exe (cmd: C:\Windows\system32\Chmndlge.exe, depth 56)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3152 -
C:\Windows\SysWOW64\Cmiflbel.exe (cmd: C:\Windows\system32\Cmiflbel.exe, depth 57)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Cdcoim32.exe (cmd: C:\Windows\system32\Cdcoim32.exe, depth 58)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Windows\SysWOW64\Cjmgfgdf.exe (cmd: C:\Windows\system32\Cjmgfgdf.exe, depth 59)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Cmlcbbcj.exe (cmd: C:\Windows\system32\Cmlcbbcj.exe, depth 60)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Chagok32.exe (cmd: C:\Windows\system32\Chagok32.exe, depth 61)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4972 -
C:\Windows\SysWOW64\Cnkplejl.exe (cmd: C:\Windows\system32\Cnkplejl.exe, depth 62)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Cdhhdlid.exe (cmd: C:\Windows\system32\Cdhhdlid.exe, depth 63)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4444 -
C:\Windows\SysWOW64\Cnnlaehj.exe (cmd: C:\Windows\system32\Cnnlaehj.exe, depth 64)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4220 -
C:\Windows\SysWOW64\Cegdnopg.exe (cmd: C:\Windows\system32\Cegdnopg.exe, depth 65)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Dfiafg32.exe (cmd: C:\Windows\system32\Dfiafg32.exe, depth 66)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Dmcibama.exe (cmd: C:\Windows\system32\Dmcibama.exe, depth 67)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Ddmaok32.exe (cmd: C:\Windows\system32\Ddmaok32.exe, depth 68)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4664 -
C:\Windows\SysWOW64\Dfknkg32.exe (cmd: C:\Windows\system32\Dfknkg32.exe, depth 69)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Delnin32.exe (cmd: C:\Windows\system32\Delnin32.exe, depth 70)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Dhkjej32.exe (cmd: C:\Windows\system32\Dhkjej32.exe, depth 71)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\SysWOW64\Dkifae32.exe (cmd: C:\Windows\system32\Dkifae32.exe, depth 72)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Deokon32.exe (cmd: C:\Windows\system32\Deokon32.exe, depth 73)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Ddakjkqi.exe (cmd: C:\Windows\system32\Ddakjkqi.exe, depth 74)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Dkkcge32.exe (cmd: C:\Windows\system32\Dkkcge32.exe, depth 75)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Daekdooc.exe (cmd: C:\Windows\system32\Daekdooc.exe, depth 76)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Dknpmdfc.exe (cmd: C:\Windows\system32\Dknpmdfc.exe, depth 77)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Dmllipeg.exe (cmd: C:\Windows\system32\Dmllipeg.exe, depth 78)
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\WerFault.exe (cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 416, depth 79)
- Program crash
PID:1068
C:\Windows\SysWOW64\WerFault.exe (cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2908 -ip 2908, depth 1)
PID:4052
Network
MITRE ATT&CK Enterprise v15
Downloads