Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 11:49
Static task
static1
Behavioral task
behavioral1
Sample
cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe
Resource
win10v2004-20241007-en
General
-
Target
cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe
-
Size
84KB
-
MD5
89dfd69d0c56682ccd94c38de6852210
-
SHA1
76d3e1d4663b5cb51675517af35744fa5ca86d20
-
SHA256
cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16d
-
SHA512
78202f55f6c5bfe4fd1309e134dc63b003d428eead90f82f0f93f9d08100977c0485dcc70e0badff0a3667c1888349fdb4a47b913eb01f51856685ae16c54fbe
-
SSDEEP
1536:FYjA1RSpuUW5E8lxe1T7EkGXXSREXHfVPfMVwNKT1iqWUPGc4T7VLd:FPRSp5sxe1T7AXCREXdXNKT1ntPG9pB
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnicfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qddfkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aminee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmnoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfhhoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpcfdmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deokon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglemn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpcfdmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgioqq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeoaapl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqnmpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjinkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmefhako.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogiicl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagflcje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agoabn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjinkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aabmqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmemac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chagok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcddk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnhahj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgehcmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qffbbldm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhhoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhhnpjmh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4212 Pgioqq32.exe 4744 Pjhlml32.exe 4372 Pdmpje32.exe 1368 Pfolbmje.exe 4300 Pqdqof32.exe 3760 Pgnilpah.exe 2688 Qnhahj32.exe 4980 Qqfmde32.exe 4156 Qceiaa32.exe 1824 Qfcfml32.exe 1548 Qmmnjfnl.exe 2880 Qddfkd32.exe 1844 Qgcbgo32.exe 2628 Qffbbldm.exe 3332 Anmjcieo.exe 3148 Adgbpc32.exe 1640 Ajckij32.exe 3228 Anogiicl.exe 4636 Aeiofcji.exe 2216 Ajfhnjhq.exe 4948 Amddjegd.exe 3480 Acnlgp32.exe 2332 Ajhddjfn.exe 1500 Amgapeea.exe 4764 Aabmqd32.exe 4420 Aglemn32.exe 5108 Afoeiklb.exe 2520 Aminee32.exe 4448 Aepefb32.exe 4932 Agoabn32.exe 1116 Bjmnoi32.exe 412 Bagflcje.exe 3060 Bganhm32.exe 4540 Bjokdipf.exe 3420 Bnkgeg32.exe 2084 Baicac32.exe 1616 Beeoaapl.exe 1904 Bgcknmop.exe 1484 Bjagjhnc.exe 1040 Bmpcfdmg.exe 4128 Balpgb32.exe 4956 Bgehcmmm.exe 4816 Bfhhoi32.exe 1260 Bmbplc32.exe 2248 Beihma32.exe 396 Bjfaeh32.exe 1512 Bmemac32.exe 3932 Belebq32.exe 2596 Bcoenmao.exe 916 Cjinkg32.exe 4644 Cmgjgcgo.exe 2640 Cenahpha.exe 4560 Cdabcm32.exe 4736 Cjkjpgfi.exe 1952 Caebma32.exe 5056 Ceqnmpfo.exe 440 Cjmgfgdf.exe 1488 Cnicfe32.exe 4828 Cmlcbbcj.exe 1208 Cdfkolkf.exe 4684 Chagok32.exe 2388 Cnkplejl.exe 1192 Cmnpgb32.exe 2960 Chcddk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pfolbmje.exe Pdmpje32.exe File created C:\Windows\SysWOW64\Cjmgfgdf.exe Ceqnmpfo.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dgbdlf32.exe File created C:\Windows\SysWOW64\Bjagjhnc.exe Bgcknmop.exe File created C:\Windows\SysWOW64\Bmemac32.exe Bjfaeh32.exe File created C:\Windows\SysWOW64\Dkkcge32.exe Deokon32.exe File created C:\Windows\SysWOW64\Ndhkdnkh.dll Beihma32.exe File opened for modification C:\Windows\SysWOW64\Caebma32.exe Cjkjpgfi.exe File created C:\Windows\SysWOW64\Jgilhm32.dll Chcddk32.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Adgbpc32.exe File created C:\Windows\SysWOW64\Dqfhilhd.dll Aepefb32.exe File created C:\Windows\SysWOW64\Bjmnoi32.exe Agoabn32.exe File opened for modification C:\Windows\SysWOW64\Bjagjhnc.exe Bgcknmop.exe File created C:\Windows\SysWOW64\Idnljnaa.dll Amgapeea.exe File created C:\Windows\SysWOW64\Dejacond.exe Dmcibama.exe File opened for modification C:\Windows\SysWOW64\Deokon32.exe Dmgbnq32.exe File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe Cjbpaf32.exe File created C:\Windows\SysWOW64\Gidbim32.dll Dobfld32.exe File created C:\Windows\SysWOW64\Qffbbldm.exe Qgcbgo32.exe File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe Cjmgfgdf.exe File created C:\Windows\SysWOW64\Ckmllpik.dll Cjmgfgdf.exe File opened for modification C:\Windows\SysWOW64\Cdfkolkf.exe Cmlcbbcj.exe File opened for modification C:\Windows\SysWOW64\Ajhddjfn.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Alcidkmm.dll Dhhnpjmh.exe File created C:\Windows\SysWOW64\Okgoadbf.dll Cjbpaf32.exe File created C:\Windows\SysWOW64\Kngpec32.dll Dgbdlf32.exe File opened for modification C:\Windows\SysWOW64\Qgcbgo32.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Qopkop32.dll Bagflcje.exe File created C:\Windows\SysWOW64\Qlgene32.dll Cdfkolkf.exe File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe Deagdn32.exe File created C:\Windows\SysWOW64\Pqdqof32.exe Pfolbmje.exe File opened for modification C:\Windows\SysWOW64\Anogiicl.exe Ajckij32.exe File created C:\Windows\SysWOW64\Baicac32.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Djdmffnn.exe Cmqmma32.exe File created C:\Windows\SysWOW64\Anogiicl.exe Ajckij32.exe File opened for modification C:\Windows\SysWOW64\Bagflcje.exe Bjmnoi32.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bganhm32.exe File opened for modification C:\Windows\SysWOW64\Cjbpaf32.exe Chcddk32.exe File created C:\Windows\SysWOW64\Hjfhhm32.dll Cjinkg32.exe File created C:\Windows\SysWOW64\Qmmnjfnl.exe Qfcfml32.exe File created C:\Windows\SysWOW64\Ajhddjfn.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Bfhhoi32.exe Bgehcmmm.exe File opened for modification C:\Windows\SysWOW64\Bfhhoi32.exe Bgehcmmm.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bmpcfdmg.exe File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe Dejacond.exe File created C:\Windows\SysWOW64\Djnkap32.dll Qqfmde32.exe File created C:\Windows\SysWOW64\Gallfmbn.dll Bmemac32.exe File created C:\Windows\SysWOW64\Cmnpgb32.exe Cnkplejl.exe File opened for modification C:\Windows\SysWOW64\Dmefhako.exe Dobfld32.exe File created C:\Windows\SysWOW64\Amgapeea.exe Ajhddjfn.exe File opened for modification C:\Windows\SysWOW64\Aepefb32.exe Aminee32.exe File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe Cenahpha.exe File created C:\Windows\SysWOW64\Dmefhako.exe Dobfld32.exe File created C:\Windows\SysWOW64\Ddonekbl.exe Dmefhako.exe File created C:\Windows\SysWOW64\Ccdlci32.dll Pqdqof32.exe File created C:\Windows\SysWOW64\Aabmqd32.exe Amgapeea.exe File created C:\Windows\SysWOW64\Balpgb32.exe Bmpcfdmg.exe File created C:\Windows\SysWOW64\Olfdahne.dll Cjkjpgfi.exe File created C:\Windows\SysWOW64\Dobfld32.exe Dhhnpjmh.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pjhlml32.exe File created C:\Windows\SysWOW64\Ldfgeigq.dll Agoabn32.exe File opened for modification C:\Windows\SysWOW64\Baicac32.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Cmgjgcgo.exe Cjinkg32.exe File created C:\Windows\SysWOW64\Aeiofcji.exe Anogiicl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1220 516 WerFault.exe 166 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdqof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffbbldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aminee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbplc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajfhnjhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beihma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenahpha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmmnjfnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogiicl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjokdipf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcoenmao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgjgcgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgbpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amddjegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqnmpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhlml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgcbgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddjfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabmqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepefb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfaeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgioqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglemn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdabcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caebma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjagjhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfolbmje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnilpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcknmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnicfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmjcieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkifae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkcge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnhahj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbpaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmgfgdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chagok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgbnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfcfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baicac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgehcmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfhhoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgapeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beeoaapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjinkg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll" Pgioqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acnlgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deokon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" Afoeiklb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkplejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll" Cjbpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Caebma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpcfdmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll" Anmjcieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhnpjmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qffbbldm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmemac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgcbgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adgbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Belebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" Cnkplejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" Ddonekbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll" Baicac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deagdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll" Amgapeea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll" Pfolbmje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgnilpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" Bjmnoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll" Pqdqof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmgbnq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3464 wrote to memory of 4212 3464 cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe 83 PID 3464 wrote to memory of 4212 3464 cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe 83 PID 3464 wrote to memory of 4212 3464 cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe 83 PID 4212 wrote to memory of 4744 4212 Pgioqq32.exe 84 PID 4212 wrote to memory of 4744 4212 Pgioqq32.exe 84 PID 4212 wrote to memory of 4744 4212 Pgioqq32.exe 84 PID 4744 wrote to memory of 4372 4744 Pjhlml32.exe 85 PID 4744 wrote to memory of 4372 4744 Pjhlml32.exe 85 PID 4744 wrote to memory of 4372 4744 Pjhlml32.exe 85 PID 4372 wrote to memory of 1368 4372 Pdmpje32.exe 86 PID 4372 wrote to memory of 1368 4372 Pdmpje32.exe 86 PID 4372 wrote to memory of 1368 4372 Pdmpje32.exe 86 PID 1368 wrote to memory of 4300 1368 Pfolbmje.exe 87 PID 1368 wrote to memory of 4300 1368 Pfolbmje.exe 87 PID 1368 wrote to memory of 4300 1368 Pfolbmje.exe 87 PID 4300 wrote to memory of 3760 4300 Pqdqof32.exe 88 PID 4300 wrote to memory of 3760 4300 Pqdqof32.exe 88 PID 4300 wrote to memory of 3760 4300 Pqdqof32.exe 88 PID 3760 wrote to memory of 2688 3760 Pgnilpah.exe 89 PID 3760 wrote to memory of 2688 3760 Pgnilpah.exe 89 PID 3760 wrote to memory of 2688 3760 Pgnilpah.exe 89 PID 2688 wrote to memory of 4980 2688 Qnhahj32.exe 90 PID 2688 wrote to memory of 4980 2688 Qnhahj32.exe 90 PID 2688 wrote to memory of 4980 2688 Qnhahj32.exe 90 PID 4980 wrote to memory of 4156 4980 Qqfmde32.exe 91 PID 4980 wrote to memory of 4156 4980 Qqfmde32.exe 91 PID 4980 wrote to memory of 4156 4980 Qqfmde32.exe 91 PID 4156 wrote to memory of 1824 4156 Qceiaa32.exe 92 PID 4156 wrote to memory of 1824 4156 Qceiaa32.exe 92 PID 4156 wrote to memory of 1824 4156 Qceiaa32.exe 92 PID 1824 wrote to memory of 1548 1824 Qfcfml32.exe 93 PID 1824 wrote to memory of 1548 1824 Qfcfml32.exe 93 PID 1824 wrote to memory of 1548 1824 Qfcfml32.exe 93 PID 1548 wrote to memory of 2880 1548 Qmmnjfnl.exe 94 PID 1548 wrote to memory of 2880 1548 Qmmnjfnl.exe 94 PID 1548 wrote to memory of 2880 1548 Qmmnjfnl.exe 94 PID 2880 wrote to memory of 1844 2880 Qddfkd32.exe 95 PID 2880 wrote to memory of 1844 2880 Qddfkd32.exe 95 PID 2880 wrote to memory of 1844 2880 Qddfkd32.exe 95 PID 1844 wrote to memory of 2628 1844 Qgcbgo32.exe 97 PID 1844 wrote to memory of 2628 1844 Qgcbgo32.exe 97 PID 1844 wrote to memory of 2628 1844 Qgcbgo32.exe 97 PID 2628 wrote to memory of 3332 2628 Qffbbldm.exe 98 PID 2628 wrote to memory of 3332 2628 Qffbbldm.exe 98 PID 2628 wrote to memory of 3332 2628 Qffbbldm.exe 98 PID 3332 wrote to memory of 3148 3332 Anmjcieo.exe 99 PID 3332 wrote to memory of 3148 3332 Anmjcieo.exe 99 PID 3332 wrote to memory of 3148 3332 Anmjcieo.exe 99 PID 3148 wrote to memory of 1640 3148 Adgbpc32.exe 100 PID 3148 wrote to memory of 1640 3148 Adgbpc32.exe 100 PID 3148 wrote to memory of 1640 3148 Adgbpc32.exe 100 PID 1640 wrote to memory of 3228 1640 Ajckij32.exe 102 PID 1640 wrote to memory of 3228 1640 Ajckij32.exe 102 PID 1640 wrote to memory of 3228 1640 Ajckij32.exe 102 PID 3228 wrote to memory of 4636 3228 Anogiicl.exe 103 PID 3228 wrote to memory of 4636 3228 Anogiicl.exe 103 PID 3228 wrote to memory of 4636 3228 Anogiicl.exe 103 PID 4636 wrote to memory of 2216 4636 Aeiofcji.exe 104 PID 4636 wrote to memory of 2216 4636 Aeiofcji.exe 104 PID 4636 wrote to memory of 2216 4636 Aeiofcji.exe 104 PID 2216 wrote to memory of 4948 2216 Ajfhnjhq.exe 105 PID 2216 wrote to memory of 4948 2216 Ajfhnjhq.exe 105 PID 2216 wrote to memory of 4948 2216 Ajfhnjhq.exe 105 PID 4948 wrote to memory of 3480 4948 Amddjegd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe"C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3480 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4128 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4956 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4644 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4736 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:440 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4828 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4684 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe68⤵PID:4620
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4876 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3232 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe72⤵
- Drops file in System32 directory
PID:3120 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe74⤵
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe82⤵
- System Location Discovery: System Language Discovery
PID:516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 39683⤵
- Program crash
PID:1220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 516 -ip 5161⤵PID:4824
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD59cde5f6667871c17b17e7c82c85c5ee3
SHA1c688ee39ee36d09e82cd8567579327cd0f7820dc
SHA256510ae036815610d43879d8ba0c7d9182ca766ab0f04c7ebe090b3c8ccc9fe787
SHA5125802aefe80f8c7e256e1b6eff061653a76e1bf5303c64dfe401c3f1fdb08ef5a6af1a4ac8fff0484dc3c24c8ab7272ebf572cca86dd02b1613c62aabbfab9c06
-
Filesize
84KB
MD514fe7d8f99bba2d53d4ac0c43da8efc4
SHA14fb66a5786c01e0befa5a8434127f6fca8d6f2c3
SHA256139073bafd44e522d0d9b4d4592bc83625f169f7df55024124c81215ea90fdfc
SHA512c12fe42b6359ccb54489706a7c8f42d3b8c9cf9bb59ca8f616246a4fe09bf6d36e869490a3d8894bcc33bda7036b867d8b296c3e06ba5f6e94c66eded5327a95
-
Filesize
84KB
MD513d0487e778763f10852fbd39a4765e6
SHA11aa267e52bb95d559bc0e10ac5fb413f043bb0e7
SHA256e8041c6aa1b06ee52d0cc93309143a6fa3cd7d4ae6922cb7849bde18ed612f44
SHA512e6f6b9adddf9e55e3395d147ed74ff28bd1323be31f84446ce52436d11e29e2880fa8ffa954d8360b27715ffe0a02eecfcf8263ab90c105d58ed4822af6709bd
-
Filesize
84KB
MD56e2970210acc798ea2b5579581ab3de5
SHA1d7f1cbc056d644f0da507b4424983880073bf8f6
SHA256373493d513809c17e5f5c84a7f47090ea84b2ddd903571a2b87ccda797046316
SHA5120a01000c61999c7bb9009cd16d56881bc7620ad4d16d5c27892382e9627be2f4beae6f80580ca1c1830af653bbc9b7b901834524efa3fedee1d6ab50bcd4eb99
-
Filesize
84KB
MD5f61a01138bd782ad5d14b09a1a93d340
SHA15cc955cd0627f60cec5dc40f3bf30d0a781e80e4
SHA256867d8e02b62bf0a6592248712186b6729d88bdf4d22221412e1e8e276197fbcd
SHA512696716cb8d22eb16c151edae399e039af6c93cbd47205389095a5097b21b129cb83eba1e89d8de51442cbe26a5d412713f00eb19e14a66a8ecc3d33fd06a826e
-
Filesize
84KB
MD5d889c9d0582dfa43cf6668312ff985ab
SHA12086969bc73149e2b3b4ca530d763885dd5cfdb3
SHA25648898de0938da526f1588a1864140ba1fcc0fd074dde74630ae99624ebad75e7
SHA512ee0eb63a66a0cc29000592770c6d807f92cbf958e966809377b0cb1929082eba9f26724846931692fe2a25ec76958c02817487b6a0804ac9f63bd260a48a73fd
-
Filesize
84KB
MD5764e2de16177aba2b1434bedab1d65f9
SHA1eeeeeb5397686e81aa139f24d4c5262072ec0369
SHA256bd2386b2738f7d691cc97e74bad18d1a5630fccb560394497f6f633e9ce5a097
SHA512ee6b5cf188d9fd02a8dad3539c06d5dae2fa5b977fe77ff8500c5993ca9467128fec2631cffeca469eac1a1051120f2b284f66842aee3f238edde3d0814d668e
-
Filesize
84KB
MD553d74d3c47775a5a29e9e79818015168
SHA13d72077fbe33496a1018c77ec7e7d6171e7238c5
SHA2567162fd4b78800052df348b51bfe53fb4f7ba0aec8e2c5a5502bcbf6bcf24708f
SHA5128615a3f9170cfe9d205b2f757254ec85d53e5ffa6f5b9dfe09e1b7361d8781b9bb7b99c1227a6e26901d78e88699e41c52ed5202de9c5706246f0b91ffa1ef98
-
Filesize
84KB
MD56b4648a7c25c96fc189737cceb3eb422
SHA15290ea249507f44fd2f773a80a26974c6f809a2d
SHA256d362bf9f04a7d3cab744f6cf478e81dc37fd62d0e76f22517dc241cb1015dc95
SHA51288661b3c895089b15fc106976488edb17dda961c6d21c43204422a26a9deb8ec81f7ac5f99e38a46622eb972944ea76323fabe4bce735899b40e93d19e9b7717
-
Filesize
84KB
MD5c6ab9347dcbcab482f583b0d6a77530e
SHA164b5d117212356e46afdc0130656fd059393d3e1
SHA2567c5652c998b29092acdd58d374e3753cf939085b8999ffa32f19fdbba47fff88
SHA5126849595017f8f46c0643ee211355f5eb390b3bc536e9518f7874051e8900cdf52e70f9361b8d5b8a19f819897e084d6021f84c3736082e30de1ab840321ef7e0
-
Filesize
84KB
MD5e4ba53a81dd353080a8b516c3d9b3568
SHA1aa11e383a62e46e9ffa96ad3c0fd9b29934288db
SHA2566df25b620f280dd9e5d31da65fb41fb062987d06d37be8df6c54f51e50b73816
SHA5121732840280e4c62a0cc93ce4cbae25ddbba7c0e51c34cef24d86bcfcd6ceec3de26e7c937a0de33441e943f3f483e6a8836e543c6efa8570478011b54afba62b
-
Filesize
84KB
MD50b18cd10a1d894e4f4a7fa016ddc89c5
SHA1499cf02270bbfef70f9ccad388b2dbde66edb55a
SHA256ad4167899989a9079d360af135b41ab8e714e6169fcc434b56fe71065c2c4ba3
SHA512a4503d0de91b6d7ac2169f212dff69cf0f6ddea2c3e72a026596fcd57edd8828ecc3bd409db2d28997fb89889f864fb8a0f6dc413ef220b91091766bf449aa83
-
Filesize
84KB
MD583a7e54039fb0c3340d4871787514e8d
SHA10908289ad111df5d7029c65decdf51caa98efb4e
SHA2568b0e1de9265c3c4e88d56e6650e9f26dd3f60e7bf84ec9c040d85e53180d1813
SHA51244333903dfec100d5ac9a145fb2220dbf621c568bfbca34d47ee132e590db3471253d6fe6d9b19be2414fe41023a8cfe2d190c9b1ebca6124ecc9be35967c8b9
-
Filesize
84KB
MD5f8cc38d06589429d7127add45e1eb898
SHA18d47e619b2551cbbc6cac85c41d9939c14d32823
SHA2568047c1a696bf506e74bc90d44f67e6cdb901e7d8469959c444069d78d7cdb116
SHA512ef9363037e5f0a6e297f96dc85fe7512f297b0307015d55c6db842b66af086dcf81d58a9cb6a0b5aed7b4cef16bdeb7c243d3595a400f8ba74adf9611571985c
-
Filesize
84KB
MD51f620d2a41e8093bb57e328defd2ff88
SHA1df627741f0188facc6629a8fc043c3c62a5f673d
SHA256c64758bf7c1ec403e59ef049969bf388664157c45aea472bf7d78d2758557fda
SHA51220d85db8940ce6c22acaec6ba061b8480890b2a72b44bede1921cd6a4c09c374ccadec029d27e6b7ed714bd94ebc97ef5356239eb967db4d3dcbbfb2b9361f3c
-
Filesize
84KB
MD58b7144ab3b09116a30efa8dbbe5df786
SHA1fa05d33f43b08ca59978f324f6da9cab8777b93a
SHA25620285cd9e391cc55cbfd8b9ad908c507aabd3f6dbcd01842b35b1da36b79e2c7
SHA512c22e0d33dc8e39c25a9d85c4c4486218552021c0127f3bc67d48bfdff5d492518cf42505b840db0b303a2fea99632ec5769157539c82a16ced1856febabff3a5
-
Filesize
84KB
MD573f91fc5ffcb711a679e962d5f7daf7b
SHA16294c03ab673424c496dd6d69cc8bf9ca81b8c32
SHA256e74f717cb14b81dab5d47550bd118518ffa2877017c9a33c8b1226ecbce48dd2
SHA512c4197ed8e1c4d7374fc3ff367f6c16ed80e3837401c23266718753830708500155f60c93bfdc301d5b5dc50591620174972018f6066f5eae7e44125b4a70151d
-
Filesize
84KB
MD5cea60416c055b30c457cd5d5c5961b38
SHA1e6e7fe8a508b457db45a2fad4293c7daaf0c2eb2
SHA2569c23ae8011cfd733d4ca8064ee7a773a9d92019398fc5f9d95eaf113170f95b9
SHA512a10d1d420ac979e8db0c7219d8b249e725411077e513c141fb8dcc1a53c6fc4b40668ed63ca9a0c81ca244c37514eff07c201c00b4095f80c551a153193d2683
-
Filesize
84KB
MD5263f76738f1fa2d8f6b132af16a37d87
SHA1ca1c7062f0b02edc1a13a9576b45b072fcdc36d0
SHA256539d61c6ff402bd3642be4f9ec40e513a240e0c6d02c24bc72f80bf0124131d8
SHA5124c161032a6f10777cf8695e064ee836aa56550d1dcb29fb1736285d1feebafa857c8c96863d77090e1fb08e93c314feac33807f43da729424b7ea293a33955c5
-
Filesize
84KB
MD5609806c31d7767dce064ad518149d09f
SHA1a34f8a56bcf5163d2325fe16251ccc3f5d5f0cb0
SHA2569b813eb3ef960ac4e33164e070d356f73f9963585d78497d2d167299a648b3d3
SHA512f744d56d43615487eb7c71a55a0047a1b24fe617fca263906cc31bfed096f5a5c1b7a387557af64ba6b3c640c28c802bf624a14bd0c24f7465a003524c6176c5
-
Filesize
84KB
MD52403f2fb921699ca0d5f67e0c1444df8
SHA133cd4e45a4b3f127da1d5ab621de5da965392f38
SHA2563294fab36601934f0c025787ad33c6410416771170d62e267f0b8b187bd68e92
SHA512118ff5e27ac0287d8e118c3128a562f77974875cd64e40ade6870968aaa32c13690027418fc4534295c3348738894d02d8dc66d87550a36c122dd8678ba03ae5
-
Filesize
84KB
MD51f416978c8808c88bfa93ffd4d17a1c9
SHA1ee00a3630b9ecafda50e1b5c2c2f0f64aac24456
SHA256007399f8677426b74bdc8110cb63579d2120a8255b20cfd6179066c0bd9ca7ec
SHA5121a8c23690665bd358c6eb2ca35f4be5128314b0b375ffa99fd1cf4098967c7fd055ece5698b1013b3ae20922588704d87847afc372129947a6c6b831367ebcbe
-
Filesize
84KB
MD51640d8fe06b0a655361388378eeb5fdb
SHA10a3efe3721e435e2954dc8183c04925f2afebe94
SHA256af8751f3a5e7423fb708b52afdca8a6c85130536dfae89e5087f5b5fffb22ae3
SHA512ab3d9259a5cd74e5d8cf1e687302694f16a22857fe48e0cac1465cfb5af3d452bb8d78f709bd8c6ec4bf19f57b4ba4475accff3d0f93ef1ae44678da31e8001a
-
Filesize
84KB
MD51e468e5a8e0351ae559ea17d024035a8
SHA158aec073e1762050aa013d1a61e28bfb013c6b5b
SHA25615116b40cd7ea0b9c767acc54f23e293867d0d7342ea03c9afbd442e33d99570
SHA51277582c6adef4e7eae340a2d3d5cdc4f3a7a0f0dbe61c54e1a269630e089762a97e097e9bc44af546d98cb0f5ef92d32abb10d41463bdcc12734bd29acf8831fc
-
Filesize
84KB
MD594ded773bf2ddc7b98e32792f942c234
SHA151eb9eae3edf0f1bf35afb4364f40747d96b11a1
SHA2563fc33446d6a6ea6e00a5178fcf770341e2818d653a7a16acaf53b13df1bf0f1d
SHA512c2c515b8f612072e7d028331ab73ede8e28377f3fb52c55102602138f0d3c3cf95436efb008a8ef052b0f61f52aa7246d81d3878b97711bf8aa9d768e09eb617
-
Filesize
84KB
MD504ef37c49a17b74efdcf76a85f4913b1
SHA1521ea48d8c9d2db098561be63614f0156e058160
SHA25658d7dcdd801318a99f086f37c2ae216996ff7f8546bcf1972137f0645814a086
SHA512d615c8f92930d265079d0a94507e8b8199c2c4f7b3188085d61dd27ba1c3461ac0afeb6b431f5ccb082f599de1bb86c4b64320d0e795971560074d299d3e66ac
-
Filesize
84KB
MD5c5fd08b4ad670753aef3c6e8f03e3d27
SHA12f0f577091f3db46f85aa298dfec0b2423e99329
SHA256cc06d8ef6153de7895b74fb205d444ae630367e14ad957f8408eafafff654450
SHA512f48a4b3d8cae27857dcb687bd007cd6ac14b3596315f5c78a3ce8df12ac5ad07679682a8f7d221f7d0f70c737dc11b7995ce1d40ff21fbf31c6073b128dc98a7
-
Filesize
84KB
MD5f4f17ddb404c8c0a793fc1ec23df36fe
SHA1495d9f2ff9831cd6c61fc9f0406f18a79e41e756
SHA256d3a8493941539210f2385b355ff890b3b2a4c99cb9ff7c22009ac5fc538a3206
SHA5126f135e9dd5dd7266141124d2565e1d83f8fb191781d4272a17ad4471bf4aa97a0d36055d1fe14882137e68f7d1552dcbf92fa46d87959c83be02ddd6dce4ca35
-
Filesize
84KB
MD5ae59499b491fe61864d386fc847a2f1c
SHA195a38a3c40280c3959949bdddd1558e229bd5b90
SHA256e3b961b04c97daf90316161f229b91c0781f5449a1d495441b6b5131bee9302e
SHA512b4360a3f660ff67f4752d5cc1bf2d432c33c8a245295b0d171f212ba3a46b1106d508b9ef31170a8f83c9452aea532b590bf7cc9c16126d29f06e09ce18b6cb3
-
Filesize
84KB
MD56b627ea92b774aee174e379214036e5d
SHA11fdaa0e106e2b2fb0a04a70d45c0f1521afec0d5
SHA256c3116a9dda27e3c6a5d4f14848c6676bd52f06aac0f1fe0d52b7b406cb3615ba
SHA5129999687420954dc8a98d0bfc848b5956fa9afd30ec780776035c8ef133e2db45d825fcfd25593a3c18ffb704a1b4de9ef88e9c16bb2d61a4b4057eee87e5c629
-
Filesize
84KB
MD54c0679cf95b95634f1cacafbbb54637e
SHA1772439fbe25501cf0c653ab93e515ef6a02b3ca4
SHA256a9fc991ba3c741ad2af2ce55b4aae8c4f67b9f55a49b863c075bec6c6c2ee8ef
SHA5129a06a71731a14455db26fe6391f1425b514e423f84053d3661724a50e8700621664ef9f540b17ec4d4b5a323d375eb1b89a58f636eec9d76beacfe0f055c9e3b
-
Filesize
84KB
MD52eb476b6c27125ada520f644fe3fdd7c
SHA1331306f3f462d72f25d704bae9236365b7f0f160
SHA256fb13cc40c71b8b5775a3f9ce7b25d74f5ef81298bf5f31ed4e31ef639fa68262
SHA5123ecfae30f5efec2834f75b112ef12fddd35e84058da0a66c3ae25ccd71389d85d80ca59ee66478b38f1e7a37c7de6b0d83ad9dc7c2ccb7903a5f58c4594672cb
-
Filesize
84KB
MD5b3b39cb1788f27d16d436708416326fb
SHA1d9b96ef362c6c3e277d61230d0543f0f355cf716
SHA256541d44da6647330a096cb9d38d18d6315f07e87cc0ec1508206d500ebddc2a82
SHA512b38445d9d79ae9feeff96e0cd3cb8d0c1e4ab0cb15fad6db2ebe35c7d3894368745931c73c33fea48a744cd6394fcb8cdaabe7b858f8b3c3e2bac72d494efba9