Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 10:51
Static task
static1
Behavioral task
behavioral1
Sample
9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe
Resource
win10v2004-20241007-en
General
-
Target
9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe
-
Size
384KB
-
MD5
b654a546c25b33ecd91f570c11f24020
-
SHA1
d67ca973a1b35574f021331811ef0f3fc16a2aca
-
SHA256
9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29a
-
SHA512
0d28fbc704ee6357d0a3cef6ecbd7add8e237cd5a3a5e7c2cd7b3ead4b18b988281ff5c272249a28f57200acb827d0eab6b5dd5c2ef3f61a38d92a5c1589d97d
-
SSDEEP
6144:AR3Q5U4/4Bjvmih8SeNpgdyuH1lZfRo0V8JcgE+ezpg12:Y3oX4pvmK87g7/VycgE82
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajhddjfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmgjgcgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmgfgdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdabcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjfaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhhnpjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmkjkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belebq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdfkolkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnffqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andqdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcjlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjmgfgdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfpnph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Calhnpgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daconoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cagobalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddhpjof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeniabfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepefb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daqbip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anadoi32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2780 Anadoi32.exe 4688 Aqppkd32.exe 3616 Aeklkchg.exe 3964 Agjhgngj.exe 1448 Ajhddjfn.exe 228 Andqdh32.exe 216 Aabmqd32.exe 1612 Aeniabfd.exe 556 Aglemn32.exe 1980 Ajkaii32.exe 2864 Anfmjhmd.exe 2532 Aadifclh.exe 2668 Aepefb32.exe 840 Agoabn32.exe 4860 Bjmnoi32.exe 4768 Bnhjohkb.exe 4268 Bmkjkd32.exe 3672 Bebblb32.exe 2336 Bcebhoii.exe 4832 Bfdodjhm.exe 1256 Bjokdipf.exe 3336 Bnkgeg32.exe 336 Baicac32.exe 3588 Bchomn32.exe 3880 Bgcknmop.exe 3892 Bjagjhnc.exe 4052 Bnmcjg32.exe 3624 Balpgb32.exe 2748 Bcjlcn32.exe 5068 Bgehcmmm.exe 464 Bjddphlq.exe 4284 Bnpppgdj.exe 4304 Banllbdn.exe 4724 Bclhhnca.exe 2384 Bfkedibe.exe 1948 Bjfaeh32.exe 2320 Bmemac32.exe 3452 Belebq32.exe 3392 Chjaol32.exe 1996 Cjinkg32.exe 4784 Cmgjgcgo.exe 4264 Cabfga32.exe 1124 Cdabcm32.exe 1572 Cfpnph32.exe 3928 Cnffqf32.exe 1736 Cmiflbel.exe 3972 Ceqnmpfo.exe 4700 Chokikeb.exe 2060 Cjmgfgdf.exe 1816 Cnicfe32.exe 2732 Cagobalc.exe 532 Cdfkolkf.exe 4568 Chagok32.exe 3492 Cjpckf32.exe 2996 Cmnpgb32.exe 3248 Cajlhqjp.exe 2416 Cdhhdlid.exe 404 Chcddk32.exe 3740 Cjbpaf32.exe 2020 Cnnlaehj.exe 1552 Calhnpgn.exe 1772 Cegdnopg.exe 3896 Dhfajjoj.exe 628 Djdmffnn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aglemn32.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Anfmjhmd.exe Ajkaii32.exe File created C:\Windows\SysWOW64\Aepefb32.exe Aadifclh.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bfkedibe.exe File created C:\Windows\SysWOW64\Cjmgfgdf.exe Chokikeb.exe File created C:\Windows\SysWOW64\Dobfld32.exe Dfknkg32.exe File created C:\Windows\SysWOW64\Pdheac32.dll Dhkjej32.exe File opened for modification C:\Windows\SysWOW64\Dmjocp32.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Jffggf32.dll Cagobalc.exe File created C:\Windows\SysWOW64\Cacamdcd.dll Chagok32.exe File opened for modification C:\Windows\SysWOW64\Chcddk32.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Cnnlaehj.exe Cjbpaf32.exe File created C:\Windows\SysWOW64\Dfknkg32.exe Dhhnpjmh.exe File created C:\Windows\SysWOW64\Gfghpl32.dll Dddhpjof.exe File created C:\Windows\SysWOW64\Bcebhoii.exe Bebblb32.exe File created C:\Windows\SysWOW64\Qlgene32.dll Cdfkolkf.exe File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe Dddhpjof.exe File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe Calhnpgn.exe File created C:\Windows\SysWOW64\Oammoc32.dll Dmgbnq32.exe File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe Daekdooc.exe File created C:\Windows\SysWOW64\Bmkjkd32.exe Bnhjohkb.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Cdabcm32.exe File created C:\Windows\SysWOW64\Ddonekbl.exe Daqbip32.exe File created C:\Windows\SysWOW64\Cdlgno32.dll Bfdodjhm.exe File created C:\Windows\SysWOW64\Balpgb32.exe Bnmcjg32.exe File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe Cnffqf32.exe File created C:\Windows\SysWOW64\Cdfkolkf.exe Cagobalc.exe File opened for modification C:\Windows\SysWOW64\Cmnpgb32.exe Cjpckf32.exe File created C:\Windows\SysWOW64\Naeheh32.dll Cnnlaehj.exe File created C:\Windows\SysWOW64\Doilmc32.exe Dgbdlf32.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bnmcjg32.exe File created C:\Windows\SysWOW64\Cfpnph32.exe Cdabcm32.exe File created C:\Windows\SysWOW64\Jbpbca32.dll Ddonekbl.exe File created C:\Windows\SysWOW64\Kdqjac32.dll Cmiflbel.exe File opened for modification C:\Windows\SysWOW64\Dkifae32.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Ihidnp32.dll Dkifae32.exe File created C:\Windows\SysWOW64\Hjjdjk32.dll Balpgb32.exe File created C:\Windows\SysWOW64\Mogqfgka.dll Bjfaeh32.exe File created C:\Windows\SysWOW64\Chokikeb.exe Ceqnmpfo.exe File created C:\Windows\SysWOW64\Bcjlcn32.exe Balpgb32.exe File opened for modification C:\Windows\SysWOW64\Ajkaii32.exe Aglemn32.exe File created C:\Windows\SysWOW64\Djdmffnn.exe Dhfajjoj.exe File created C:\Windows\SysWOW64\Kbejge32.dll Baicac32.exe File created C:\Windows\SysWOW64\Hfggmg32.dll Bjddphlq.exe File created C:\Windows\SysWOW64\Nbgngp32.dll Dejacond.exe File created C:\Windows\SysWOW64\Bgehcmmm.exe Bcjlcn32.exe File opened for modification C:\Windows\SysWOW64\Ceqnmpfo.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Lfjhbihm.dll Cfpnph32.exe File created C:\Windows\SysWOW64\Ddakjkqi.exe Daconoae.exe File created C:\Windows\SysWOW64\Aglemn32.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Ooojbbid.dll Anfmjhmd.exe File created C:\Windows\SysWOW64\Dmjapi32.dll Bjagjhnc.exe File created C:\Windows\SysWOW64\Jfihel32.dll Belebq32.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Agoabn32.exe Aepefb32.exe File created C:\Windows\SysWOW64\Cmiflbel.exe Cnffqf32.exe File created C:\Windows\SysWOW64\Bbloam32.dll Cnffqf32.exe File created C:\Windows\SysWOW64\Cogflbdn.dll Dhhnpjmh.exe File created C:\Windows\SysWOW64\Daqbip32.exe Dobfld32.exe File created C:\Windows\SysWOW64\Kngpec32.dll Doilmc32.exe File opened for modification C:\Windows\SysWOW64\Aqppkd32.exe Anadoi32.exe File opened for modification C:\Windows\SysWOW64\Aeniabfd.exe Aabmqd32.exe File created C:\Windows\SysWOW64\Bneljh32.dll Bnkgeg32.exe File created C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe -
Program crash 1 IoCs
pid pid_target Process 5808 5720 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doilmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anfmjhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclhhnca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjinkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejacond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddonekbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnpppgdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkedibe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chagok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhhdlid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbpaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeklkchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdodjhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjokdipf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnlaehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calhnpgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daqbip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjocp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjhgngj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepefb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmiflbel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andqdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqnmpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfknkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkjej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcebhoii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baicac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Banllbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkifae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjohkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabfga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnffqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegdnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkcge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqppkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddjfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpnph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjlcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgbnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddakjkqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglemn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcknmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfaeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmgfgdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajkaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjddphlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmemac32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" Cjbpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll" 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmiflbel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bebblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll" Ajhddjfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" Cmgjgcgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" Ddonekbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Andqdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agoabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aglemn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Ddakjkqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" Bnhjohkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bclhhnca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmgbnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" Cajlhqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmgjgcgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" Bmkjkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" Bfkedibe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll" Anfmjhmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmkjkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnpppgdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnffqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddakjkqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cabfga32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1616 wrote to memory of 2780 1616 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe 83 PID 1616 wrote to memory of 2780 1616 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe 83 PID 1616 wrote to memory of 2780 1616 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe 83 PID 2780 wrote to memory of 4688 2780 Anadoi32.exe 84 PID 2780 wrote to memory of 4688 2780 Anadoi32.exe 84 PID 2780 wrote to memory of 4688 2780 Anadoi32.exe 84 PID 4688 wrote to memory of 3616 4688 Aqppkd32.exe 85 PID 4688 wrote to memory of 3616 4688 Aqppkd32.exe 85 PID 4688 wrote to memory of 3616 4688 Aqppkd32.exe 85 PID 3616 wrote to memory of 3964 3616 Aeklkchg.exe 86 PID 3616 wrote to memory of 3964 3616 Aeklkchg.exe 86 PID 3616 wrote to memory of 3964 3616 Aeklkchg.exe 86 PID 3964 wrote to memory of 1448 3964 Agjhgngj.exe 87 PID 3964 wrote to memory of 1448 3964 Agjhgngj.exe 87 PID 3964 wrote to memory of 1448 3964 Agjhgngj.exe 87 PID 1448 wrote to memory of 228 1448 Ajhddjfn.exe 88 PID 1448 wrote to memory of 228 1448 Ajhddjfn.exe 88 PID 1448 wrote to memory of 228 1448 Ajhddjfn.exe 88 PID 228 wrote to memory of 216 228 Andqdh32.exe 89 PID 228 wrote to memory of 216 228 Andqdh32.exe 89 PID 228 wrote to memory of 216 228 Andqdh32.exe 89 PID 216 wrote to memory of 1612 216 Aabmqd32.exe 90 PID 216 wrote to memory of 1612 216 Aabmqd32.exe 90 PID 216 wrote to memory of 1612 216 Aabmqd32.exe 90 PID 1612 wrote to memory of 556 1612 Aeniabfd.exe 91 PID 1612 wrote to memory of 556 1612 Aeniabfd.exe 91 PID 1612 wrote to memory of 556 1612 Aeniabfd.exe 91 PID 556 wrote to memory of 1980 556 Aglemn32.exe 92 PID 556 wrote to memory of 1980 556 Aglemn32.exe 92 PID 556 wrote to memory of 1980 556 Aglemn32.exe 92 PID 1980 wrote to memory of 2864 1980 Ajkaii32.exe 93 PID 1980 wrote to memory of 2864 1980 Ajkaii32.exe 93 PID 1980 wrote to memory of 2864 1980 Ajkaii32.exe 93 PID 2864 wrote to memory of 2532 2864 Anfmjhmd.exe 94 PID 2864 wrote to memory of 2532 2864 Anfmjhmd.exe 94 PID 2864 wrote to memory of 2532 2864 Anfmjhmd.exe 94 PID 2532 wrote to memory of 2668 2532 Aadifclh.exe 95 PID 2532 wrote to memory of 2668 2532 Aadifclh.exe 95 PID 2532 wrote to memory of 2668 2532 Aadifclh.exe 95 PID 2668 wrote to memory of 840 2668 Aepefb32.exe 96 PID 2668 wrote to memory of 840 2668 Aepefb32.exe 96 PID 2668 wrote to memory of 840 2668 Aepefb32.exe 96 PID 840 wrote to memory of 4860 840 Agoabn32.exe 97 PID 840 wrote to memory of 4860 840 Agoabn32.exe 97 PID 840 wrote to memory of 4860 840 Agoabn32.exe 97 PID 4860 wrote to memory of 4768 4860 Bjmnoi32.exe 98 PID 4860 wrote to memory of 4768 4860 Bjmnoi32.exe 98 PID 4860 wrote to memory of 4768 4860 Bjmnoi32.exe 98 PID 4768 wrote to memory of 4268 4768 Bnhjohkb.exe 99 PID 4768 wrote to memory of 4268 4768 Bnhjohkb.exe 99 PID 4768 wrote to memory of 4268 4768 Bnhjohkb.exe 99 PID 4268 wrote to memory of 3672 4268 Bmkjkd32.exe 100 PID 4268 wrote to memory of 3672 4268 Bmkjkd32.exe 100 PID 4268 wrote to memory of 3672 4268 Bmkjkd32.exe 100 PID 3672 wrote to memory of 2336 3672 Bebblb32.exe 101 PID 3672 wrote to memory of 2336 3672 Bebblb32.exe 101 PID 3672 wrote to memory of 2336 3672 Bebblb32.exe 101 PID 2336 wrote to memory of 4832 2336 Bcebhoii.exe 102 PID 2336 wrote to memory of 4832 2336 Bcebhoii.exe 102 PID 2336 wrote to memory of 4832 2336 Bcebhoii.exe 102 PID 4832 wrote to memory of 1256 4832 Bfdodjhm.exe 103 PID 4832 wrote to memory of 1256 4832 Bfdodjhm.exe 103 PID 4832 wrote to memory of 1256 4832 Bfdodjhm.exe 103 PID 1256 wrote to memory of 3336 1256 Bjokdipf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3336 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4052 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe31⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:464 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4784 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4700 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4108 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4232 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3936 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5276 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5396 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe84⤵
- System Location Discovery: System Language Discovery
PID:5720 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 40885⤵
- Program crash
PID:5808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 57201⤵PID:5784
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384KB
MD55caba83cabf3aaed4cbc94c42ce5e0e4
SHA1aadd6257512939517869d3b6d23401f18e8654e8
SHA25639038682c45c852002c9a46489192ecef9bae4f6f16bb0a203343e72a8045f95
SHA5121df41df88c660273c6d7bfe51fcb1293ba766657ec3e6a4efa8a74868572e10d08c8c377ca4dca8ac8496e3764a97fb6890e11e6acea9c1f1e7b3891c9f9df72
-
Filesize
384KB
MD576483984f8b2bff03f185a16e6be996b
SHA1adc95cd8ccc4aeb48838ef70e365d65f35a7825f
SHA25614fc25a18db423ab6de3ba789d01c6ba876d46327743c353ab10e420ed176ef1
SHA512afff813f6218120726a89b09319a0855b68c75a7d8ad894c7a3bbaf6f2f4c4ab0d185ba9703b564659339781b8c1e97b3cbf75c88ee53bbef350d1a0fc54e46f
-
Filesize
384KB
MD59033d2981a18a605291db997d583e8ba
SHA1462b074949397d5edb14d9d314afebf180dab27e
SHA2567809e0976306cb102204ba2ebbaae7c0eda72ed092255e334357168c775b9cc1
SHA512d84d566ad229330854ae2e48616308018c185a1a381df78cfd78af746545328d520ecdaae79cd9a2c1baaff60ac6ebae23f5217dcbe3e14367eeb245aaa04cdb
-
Filesize
384KB
MD5fc193cca4ef6d18159e7c6c97d7785fb
SHA122ecdb554eb63b1660203838ef2720166ae938cf
SHA256a6fc962d18d2192d674fed0280a4b03872300460e685d1ef6ffaa537511960ee
SHA5122c092f04e2dc488c40a87596ec29cc16f320a4352931b134f46db58f408389d946a946d272d52563be0e71e7b72256e6f97edafa2850a08644e4882cc42dbfcd
-
Filesize
384KB
MD5b7939ed895f271fe437ab6f59a5a36fe
SHA163fcdedaf7693f075c1493b73d2badb333036378
SHA25683d0ca1cbe71ccbbda877ec96e824bf2c14a4aad085a43d4057d3e6daab882c3
SHA51229afce1ffdd61ea6a21c2306cf46dc9c09bd210da4787464ee550c024c77c9984a6bfdee47b6671195e2c2dccc6ee70985f84637b5e4c85647c321bafca766da
-
Filesize
384KB
MD52bbefa417553b86165dc8d011c97fc57
SHA18711abb550a7e386a5e68225efdb78a5f46a978b
SHA256ff6c247408a44fd63fe151f299d329c699feb716bf9df7ab4ce44bf7dd0625b2
SHA512b22e6cc8bf571b8442872fc54ff6f126e472ed15090801bcce54a026301d7f401055951cbf37931069e0c2deb04726f914efd7fa0447d9e9fa8d83c7dbc18553
-
Filesize
384KB
MD55b887951738160872b2b94b2dfdf426c
SHA14000da3e13ba7be4bae36ec7c73100a4090cf984
SHA256c4545a96259a0722acee2cec39aa1d55d76ad605eea9acb9cb63cbe304de44fd
SHA5127f29f0cbfc460d2078e842d749e5f00d9b559cc005d31767889385194c9aaa9c2b32af3cf84c74ffb2b9189b5226f2a6180c9f067b23c75f3026107634758ca2
-
Filesize
384KB
MD5c46908b167b12e58b88c244a0d2c6419
SHA1cf35b424fc4fd467a5cd99a080b2d4df31ec0102
SHA2564b22b23d4c4d5523e7aa65790029298b0ede415f09dba843a2f3608e38bc5a13
SHA5129ca6074131867e3a0d3b67e68e327d2fa9c5e9f7f5a5bf183eacffe202ea0d4c3afcd84afe022fb0b6a60df2b0c7213469d39acc820f6ea08e7a3348862a0d7a
-
Filesize
384KB
MD554e978ae72a7372572bb100b8968ceda
SHA189afc3b6d88a985ecc49a88546fe7693fca54c22
SHA256d415ef949795eb5991a23adb6942e0c48973686aac9eeb2fc38a25e3ecfe031f
SHA5127cc4919cbc5948a587826b2a0d71cf7d48f68802be784b3c60f90a4fe032b572e1dd97b943cee50892f27e2aac0a23a4b53a88dc90ed9cad56b2596e7066c564
-
Filesize
384KB
MD5ce53cdd0fac74c87ee4613b2fea5192e
SHA18f598a91ec21a5a5fce149cee3766d6535ab24b9
SHA2565f0e75834ba00008219daa765f8ab3a502973152ddf8101fc346294ed52f63b1
SHA512e40f5232c121072e963b72cbd12ddcf6efd9d737133e9596d2e126fb222914ccf5f8e87373edb247802f2f154cc1a487d3564dc720de9608507b5836ff808365
-
Filesize
384KB
MD54ffabc8aa292472ba34637f8181be062
SHA11a0485e044e7335cc1a1150a0ce1319e143710af
SHA2565af6633f74fd23c8f09c5483405480f3fe0c02b8d2fb2e153500a2844c01411e
SHA51298a775e9ba19d750254c4d91a924a21c30d922d0fa332eaf5c5052e2a4fbdcd3357ed7c55bb86a98b3d582e8314dde070247dac1daaca71e972fe843c5b735bd
-
Filesize
384KB
MD56dc4d3d60446c2792db0f620f604a920
SHA174adaf0531eb962faada1e27e78a5978b34b43b7
SHA2565b85099359f9c2f998c54cfd864f46a117512a7b9540bfb710eb5d6cbec2ae1d
SHA51239c02a117e84edf80159433e278ef625da3b95654ff7783d7a6004192693a5a40a32face58890c3f9608779964c071553f4782ac710806f8124f610436b10e2b
-
Filesize
384KB
MD54e8648a8a43145c59be715ce33b11161
SHA1a2c750a493cc18c9b64bb02138a7c7aed89e9900
SHA2561337ffbc4136d0409c1b72f8a857f95ed4c7b731595879f954d6fbe9a0798b54
SHA512f8e4b9067ef57e6c4ba1233f8d17aaf8a5d95fec1fa4b528cfe18d2a423afea9158a5565bd3e0facbc87b5698821a6cddf4d2e5dab410eeb913dadf1888965cc
-
Filesize
384KB
MD5a7f7759e023d90bdebe75b43a067fc65
SHA18ba9798615f6018e63448a0c52efb0bbc6de1257
SHA2566deb7d6c3f1306a50906236c0df25fa3f95d39612910fa424454f9a696668496
SHA5121b651abbfffdb451490bfc740a51161411344b30b68dedd54bd1c9b79e6297b4c02e8c00d97fc6d9e6b76fe9320146315f6e6f9960847415fe4a5adebf61c961
-
Filesize
384KB
MD52e87eea3b2eac62c29cffddc7a7bdb07
SHA1a2da2d7eb388361223249b2bd5789254ad9d5916
SHA25661aa0a3c16b05065952f1c81d8c05495c24765ab8f725c62f53af9a5ac17657d
SHA512fa6d414166c543ad028f3b844c793d11df5999d5d3494d4f7a172fbaf5198b456e9474f8989ee0380aafb29545727ebb9e561d71d23017460c778c28995a9fd5
-
Filesize
384KB
MD505817ed39385a3762f1a7484114e11bb
SHA1fcfb845f5ec3a1afbe728b4cad4262f7f39066ed
SHA256ec74ccfd19af4d5c0c545af6662fc16a1dbceda41ba94d791418ebf289642578
SHA5123fc80399f86764d26e49330208d3046af3a520824fef075c7e3e121adac961ef9e33f1e9bdae497896cc3939d7dfb5f8134ad1766d4483f02bb9260623c6596c
-
Filesize
384KB
MD59241beba41c378685658f4dcf73eab46
SHA125f7e74b4f32aa97ea001ca3ff54f12ac16ae139
SHA25629864d08a28638f6ce16c4f309cf68d9abc2fe77dae689dbddefdb2a2d61687f
SHA51203f91c2676fd717e2d354302256452dcc112eb7eb2d929f37b93403c06eb41699de1d50d2d14bbb90e39967a944c24da05dddd01e616e97914a9305a6000161e
-
Filesize
384KB
MD5a195a979c34925e77e64a4990ae3dbdc
SHA1db3c57f42347a0bf90a8d2ca26463707b265412a
SHA25688eba9656e880f701ee6ac096eb0f6ae1be3759ed1468a89bd2fbb8009bbc119
SHA51291728d0e1d6839a5ee28332d99e731d005be3349c44385097c4a034ccee4fcaa73ddbadb88819c57956793f9200d33572301a7994bf5f9f07be09832cd933b84
-
Filesize
384KB
MD5786e59a353a4fcc1ab519f84a27f6cff
SHA1b167bb7d78037018a64c6b6ea5630bf7e9d3cf4d
SHA2564ff2665bd6e3c34009feb528a2093a66a540a4c552efea660dc6bfbb68c752f8
SHA512f80167cadbed951e65974c38aa7be5d6ceda7651913a99ef5fe68bf83e6900b0cc99799a864387ac81594de7886851dd10e488eaa81f3a2d0ea0cade8c552506
-
Filesize
384KB
MD58fe9eda04d39a1b92b99bb117fa96e6f
SHA120eba5ad6f8b93d805c78704054a89c7248c6efa
SHA2564d747ae878c711078a4a9f5acb9d1a7e07a79666e9950317c0f24d761634294f
SHA5128be8e51cf721202ea9f80dd68707af1ed83b79670b8b26931c71ec7ad3b6b39ca063e929fae01f37ca2daebc2c33cc368f2c8b5fcfb79ebcaf8390a333365c38
-
Filesize
384KB
MD53cda09660b34ecf2d14433873c983c9a
SHA1dc37780155b72c4a54c1543408b6e8fb5cab2869
SHA256e6c458327f9a6623a2fe12da2fce90f296e05eb68436f0462effc5eef715ec43
SHA5127fa5ffad96c26ff32abece4c00ea9cc56c41acbf51d949d1c7db22a6e778060eb567f210e806aea0dfac4dca947509b8f93b79dcc6e559b69ba315713b2b76df
-
Filesize
384KB
MD503b18db24a7eaed60251d152f040f675
SHA1dd0f9ec8639efffba8c9751cf7cbbede009bcfd2
SHA256d45f8f4660d57c36ed357b5e3c18453173ba6be2c63d2e9412fd35f394a200ce
SHA512f31d513978821ae80aa11f80c30d7b8c73e8781a64b2839e527ba07cb53569c7bd4c16076d400d287666ce5c4a98f22ceff12830ce8439eda4df66626adca0ee
-
Filesize
384KB
MD5e9e24e680f9f139d7ccb43d986a9bc85
SHA1bef665ac2e4a8dde81affaeb6ebe9c58e7194050
SHA2564ef1144eb56d4f31a4f3bea11085bd6542ebfe3f79784f0fce6261e2e8093d9d
SHA512c8bc2f932de67214c7527d57d55ec8786b510b5976330cc0bf22e0eb11101312e5e2dcec83e51a6b67da1bd9e40268d5f5ccce24385b9a291336a635c4cf71c8
-
Filesize
384KB
MD56e9801b31315492eeba2db98408adfcb
SHA1725addc8c30916a33fee2542ff57ea8ebe61e609
SHA25668a589fcc4bb5851544039af57029b11a40d365db29c21e03de0dbf74e9ec05b
SHA512bf42a9d8d1001d7d6c2503bab19a16aa5f1f4c893a034946a9be8bfc5f4fc469f4f6b5355891327b8d59798cbbaf025e04a6c1c26b85c733ee6798bf8b382c56
-
Filesize
384KB
MD5d589cb5b698778459710e02f545b5db3
SHA1288abd678422e5ed3726e49c4610d1f7c5e2bda4
SHA2565a4ec4a2159baa5d785115cf1bb91a540723e5bb97bf000e8169a89f9a54b8ad
SHA512c03ed5f4a1f5f728c5f7e2f4343898107b5b4a5d2d0c0fdeac4057cb86709ffa5e6bdde3d082af616bc127ffa8d0c5e7921536c6be3a0badf1619df35778eaeb
-
Filesize
384KB
MD5f6a8245f959cab9fbcd18d89044a176c
SHA162fea54aba3b05b4fbc85c0d67d8da131b2fe8b6
SHA2565ac49e35f5ff23a72a1fa1a3556f378777a8cd2012de413a8b5383e687d6fcc0
SHA512c50c894286bc9f68a82da155e90536b75ad56df1799feec4c776525e61dc586595ae1f506c1a04b382b21ec0cca7b9821a602a278a774a4253111408aaf3c131
-
Filesize
384KB
MD5b308e8e93ff5e694facb802d2c6373c6
SHA10dff637ba0b35ae738533051dd9b9542ddf303fa
SHA256ad8ad43bb23f579ada4b8075f3c82bebb9312c1db037ef94020568eda3369da4
SHA512fb8dcea8ee8dc46aabc15e7f36a7abd82f03800d3c99629e7faec76b82856de97f70025c103176159856455b6474e2e0a8b36b75dfc176a1eaf97f6be9f1be51
-
Filesize
384KB
MD5d976e3ae9ece8489471ef7f8afcb335e
SHA1b5da39c03eae1ab7e7b1e856124f16c25dc0f717
SHA256b8e410fc8e772f1a422188d0673271c1ab6f1b26a2b34d899fdf8156a8913ec7
SHA5121f477c46170885eab831bb5120add1999729a8c7f75d01732e4dcea6cb5b67c01881b33d88f10cb2a240a3b4665eeadcec7f561224ad636a9f44b340f5ae68f8
-
Filesize
384KB
MD55e423dd3bec5f6579a1688034fa13e42
SHA16b4590ad9ae0c5a027f62d2b322cbc2101960973
SHA256f0677a4c4c8b99752b05c419f9d6310d52a38a986c698fc5a7ab597225175432
SHA512abdc2c634087ddea475c0526d85a499da7f67b65789d2c7171e795379e6e6f4bc96e86b37f27b0c1102cac6f5d7d16e5115a84efe19e086e053761dc2ee0e96f
-
Filesize
384KB
MD5c740db47b5b808dc2c08c40adf4b515a
SHA1d0455335f8f882a8962df4c37232ea6284361824
SHA256e9f34b7ff02daff0c2a87523d23cdb6c2dbba4e218d610c9034394d831a206fb
SHA512e4a3b128646756f9468f74c8d1944dc688647d7b2ce35392f5f290d1a4418431c7d9999672091a08cbffe678dbf6546df8c29349b55a819e8e99ad26a68e4ee8
-
Filesize
384KB
MD50ae159163e8566c045f7c58b1f0406ba
SHA17f286abe9b947677ddd578831ddb5c8b3f0a915d
SHA256a348ab21a063970932400b1fdc3fff7beecddc9c5bd97fc99c50a784f374e86d
SHA51271e01c394b850122cfccbb32ffabcd78d0cfcbcde6e218c97380f312c3f9757c69d62ed7396e7fc0e0e1fe79781bfa8f1927284c10e0c9dfc5a01ca1098bc742
-
Filesize
384KB
MD522218f9a90c350d2da5fcc0438caad69
SHA112941900aed12da89233110f97d4b8507d910af6
SHA25621c37f7e0a31e02fef89aa9516e9ad0859b8f65744b8b40fd9a361c9d446a782
SHA5120ae4fc4cefdbac42bc1a88280196d916d8c228f664477fbe89a9bbc45ba9352db5b79b568a23b577ab160fd4ae7aa2605845df8f432f6951902daa10af1f5f6d
-
Filesize
7KB
MD56e1123c58d25ad4d90730094ef185322
SHA1e8a011a5a72e7d6614fb35a86a19949627dbfb84
SHA2561d9b9b034c223ba26694923179b9e53719ecf7c23c2fcc956ec4b5f1e51bf305
SHA5120fd7c987d76a701ae67db5e5a7546e16fe08612833ab2da6f46f069a58e9815bf6ef1a9cd33aab7d4a755abacc0275fcda0bc0adaab313b96d6694c2fbc320a5