Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/11/2024, 08:23
Static task: static1
Behavioral task: behavioral1
Sample: f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe
Resource: win10v2004-20241007-en
General
Target: f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe
Size: 664KB
MD5: db73b4a50e5c945cb22ef15661b3d8ae
SHA1: c4a5aede4a4ee361f37e81aca0be27bd63b1de93
SHA256: 0c8f7f8bf9ee12a7b2d0bbac6334900609e06fbe5415e634dba5550e2f3e3f50
SHA512: 2b49911ca1b3b192f1aa7f9caff094a6b3ea73f201899a9773e4facfc8ae0d8e940751cb5f2fbd6e45f2695b2b2faad51fe5619f0681dcb7fd09d098c0d3783e
SSDEEP: 12288:8JzwopV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmw:gDW4XWleKWNUir2MhNl6zX3w9As/xO2c
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5952, pid_target: 5836, Process: WerFault.exe, procid_target: 190
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4576 wrote to memory of 1372 | 4576 | f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe | 83
PID 4576 wrote to memory of 1372 | 4576 | f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe | 83
PID 4576 wrote to memory of 1372 | 4576 | f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe | 83
PID 1372 wrote to memory of 5032 | 1372 | Nckndeni.exe | 84
PID 1372 wrote to memory of 5032 | 1372 | Nckndeni.exe | 84
PID 1372 wrote to memory of 5032 | 1372 | Nckndeni.exe | 84
PID 5032 wrote to memory of 2392 | 5032 | Nfjjppmm.exe | 85
PID 5032 wrote to memory of 2392 | 5032 | Nfjjppmm.exe | 85
PID 5032 wrote to memory of 2392 | 5032 | Nfjjppmm.exe | 85
PID 2392 wrote to memory of 4384 | 2392 | Oncofm32.exe | 87
PID 2392 wrote to memory of 4384 | 2392 | Oncofm32.exe | 87
PID 2392 wrote to memory of 4384 | 2392 | Oncofm32.exe | 87
PID 4384 wrote to memory of 4104 | 4384 | Ocpgod32.exe | 89
PID 4384 wrote to memory of 4104 | 4384 | Ocpgod32.exe | 89
PID 4384 wrote to memory of 4104 | 4384 | Ocpgod32.exe | 89
PID 4104 wrote to memory of 3228 | 4104 | Ognpebpj.exe | 90
PID 4104 wrote to memory of 3228 | 4104 | Ognpebpj.exe | 90
PID 4104 wrote to memory of 3228 | 4104 | Ognpebpj.exe | 90
PID 3228 wrote to memory of 1436 | 3228 | Olkhmi32.exe | 92
PID 3228 wrote to memory of 1436 | 3228 | Olkhmi32.exe | 92
PID 3228 wrote to memory of 1436 | 3228 | Olkhmi32.exe | 92
PID 1436 wrote to memory of 4796 | 1436 | Ocdqjceo.exe | 93
PID 1436 wrote to memory of 4796 | 1436 | Ocdqjceo.exe | 93
PID 1436 wrote to memory of 4796 | 1436 | Ocdqjceo.exe | 93
PID 4796 wrote to memory of 3164 | 4796 | Onjegled.exe | 94
PID 4796 wrote to memory of 3164 | 4796 | Onjegled.exe | 94
PID 4796 wrote to memory of 3164 | 4796 | Onjegled.exe | 94
PID 3164 wrote to memory of 1952 | 3164 | Ofeilobp.exe | 95
PID 3164 wrote to memory of 1952 | 3164 | Ofeilobp.exe | 95
PID 3164 wrote to memory of 1952 | 3164 | Ofeilobp.exe | 95
PID 1952 wrote to memory of 440 | 1952 | Pnlaml32.exe | 96
PID 1952 wrote to memory of 440 | 1952 | Pnlaml32.exe | 96
PID 1952 wrote to memory of 440 | 1952 | Pnlaml32.exe | 96
PID 440 wrote to memory of 4460 | 440 | Pgefeajb.exe | 97
PID 440 wrote to memory of 4460 | 440 | Pgefeajb.exe | 97
PID 440 wrote to memory of 4460 | 440 | Pgefeajb.exe | 97
PID 4460 wrote to memory of 624 | 4460 | Pqmjog32.exe | 98
PID 4460 wrote to memory of 624 | 4460 | Pqmjog32.exe | 98
PID 4460 wrote to memory of 624 | 4460 | Pqmjog32.exe | 98
PID 624 wrote to memory of 2768 | 624 | Pjeoglgc.exe | 99
PID 624 wrote to memory of 2768 | 624 | Pjeoglgc.exe | 99
PID 624 wrote to memory of 2768 | 624 | Pjeoglgc.exe | 99
PID 2768 wrote to memory of 4080 | 2768 | Pqpgdfnp.exe | 100
PID 2768 wrote to memory of 4080 | 2768 | Pqpgdfnp.exe | 100
PID 2768 wrote to memory of 4080 | 2768 | Pqpgdfnp.exe | 100
PID 4080 wrote to memory of 2976 | 4080 | Pflplnlg.exe | 101
PID 4080 wrote to memory of 2976 | 4080 | Pflplnlg.exe | 101
PID 4080 wrote to memory of 2976 | 4080 | Pflplnlg.exe | 101
PID 2976 wrote to memory of 1192 | 2976 | Pmfhig32.exe | 102
PID 2976 wrote to memory of 1192 | 2976 | Pmfhig32.exe | 102
PID 2976 wrote to memory of 1192 | 2976 | Pmfhig32.exe | 102
PID 1192 wrote to memory of 60 | 1192 | Pdmpje32.exe | 103
PID 1192 wrote to memory of 60 | 1192 | Pdmpje32.exe | 103
PID 1192 wrote to memory of 60 | 1192 | Pdmpje32.exe | 103
PID 60 wrote to memory of 4180 | 60 | Pfolbmje.exe | 104
PID 60 wrote to memory of 4180 | 60 | Pfolbmje.exe | 104
PID 60 wrote to memory of 4180 | 60 | Pfolbmje.exe | 104
PID 4180 wrote to memory of 388 | 4180 | Pgnilpah.exe | 105
PID 4180 wrote to memory of 388 | 4180 | Pgnilpah.exe | 105
PID 4180 wrote to memory of 388 | 4180 | Pgnilpah.exe | 105
PID 388 wrote to memory of 2404 | 388 | Qnhahj32.exe | 106
PID 388 wrote to memory of 2404 | 388 | Qnhahj32.exe | 106
PID 388 wrote to memory of 2404 | 388 | Qnhahj32.exe | 106
PID 2404 wrote to memory of 3348 | 2404 | Qqfmde32.exe | 107
Processes
Process tree (each entry is the child of the one above it; the number is its depth in the tree):

1. C:\Users\Admin\AppData\Local\Temp\f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe (PID 4576), command line: "C:\Users\Admin\AppData\Local\Temp\f3f001ded4c9600e040f483ca67e76d8b18fdbe97e34f663b4ef85af8e3967e4N.exe"
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nckndeni.exe (PID 1372), command line: C:\Windows\system32\Nckndeni.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Nfjjppmm.exe (PID 5032), command line: C:\Windows\system32\Nfjjppmm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Oncofm32.exe (PID 2392), command line: C:\Windows\system32\Oncofm32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ocpgod32.exe (PID 4384), command line: C:\Windows\system32\Ocpgod32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ognpebpj.exe (PID 4104), command line: C:\Windows\system32\Ognpebpj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Olkhmi32.exe (PID 3228), command line: C:\Windows\system32\Olkhmi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ocdqjceo.exe (PID 1436), command line: C:\Windows\system32\Ocdqjceo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Onjegled.exe (PID 4796), command line: C:\Windows\system32\Onjegled.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ofeilobp.exe (PID 3164), command line: C:\Windows\system32\Ofeilobp.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pnlaml32.exe (PID 1952), command line: C:\Windows\system32\Pnlaml32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pgefeajb.exe (PID 440), command line: C:\Windows\system32\Pgefeajb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pqmjog32.exe (PID 4460), command line: C:\Windows\system32\Pqmjog32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Pjeoglgc.exe (PID 624), command line: C:\Windows\system32\Pjeoglgc.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pqpgdfnp.exe (PID 2768), command line: C:\Windows\system32\Pqpgdfnp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pflplnlg.exe (PID 4080), command line: C:\Windows\system32\Pflplnlg.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pmfhig32.exe (PID 2976), command line: C:\Windows\system32\Pmfhig32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Pdmpje32.exe (PID 1192), command line: C:\Windows\system32\Pdmpje32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Pfolbmje.exe (PID 60), command line: C:\Windows\system32\Pfolbmje.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Pgnilpah.exe (PID 4180), command line: C:\Windows\system32\Pgnilpah.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Qnhahj32.exe (PID 388), command line: C:\Windows\system32\Qnhahj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Qqfmde32.exe (PID 2404), command line: C:\Windows\system32\Qqfmde32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Qnjnnj32.exe (PID 3348), command line: C:\Windows\system32\Qnjnnj32.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Qqijje32.exe (PID 408), command line: C:\Windows\system32\Qqijje32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
25. C:\Windows\SysWOW64\Qcgffqei.exe (PID 4328), command line: C:\Windows\system32\Qcgffqei.exe
   - Executes dropped EXE
   - Drops file in System32 directory
26. C:\Windows\SysWOW64\Qffbbldm.exe (PID 1360), command line: C:\Windows\system32\Qffbbldm.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
27. C:\Windows\SysWOW64\Ajanck32.exe (PID 1296), command line: C:\Windows\system32\Ajanck32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
28. C:\Windows\SysWOW64\Anmjcieo.exe (PID 224), command line: C:\Windows\system32\Anmjcieo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
29. C:\Windows\SysWOW64\Aqkgpedc.exe (PID 4264), command line: C:\Windows\system32\Aqkgpedc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
30. C:\Windows\SysWOW64\Adgbpc32.exe (PID 3188), command line: C:\Windows\system32\Adgbpc32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
31. C:\Windows\SysWOW64\Acjclpcf.exe (PID 3128), command line: C:\Windows\system32\Acjclpcf.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
32. C:\Windows\SysWOW64\Afhohlbj.exe (PID 372), command line: C:\Windows\system32\Afhohlbj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
33. C:\Windows\SysWOW64\Ajckij32.exe (PID 3796), command line: C:\Windows\system32\Ajckij32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Anogiicl.exe (PID 4288), command line: C:\Windows\system32\Anogiicl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ambgef32.exe (PID 2712), command line: C:\Windows\system32\Ambgef32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
36. C:\Windows\SysWOW64\Aeiofcji.exe (PID 1156), command line: C:\Windows\system32\Aeiofcji.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
37. C:\Windows\SysWOW64\Aclpap32.exe (PID 3552), command line: C:\Windows\system32\Aclpap32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Afjlnk32.exe (PID 860), command line: C:\Windows\system32\Afjlnk32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ajfhnjhq.exe (PID 5080), command line: C:\Windows\system32\Ajfhnjhq.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\Anadoi32.exe (PID 1812), command line: C:\Windows\system32\Anadoi32.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Aqppkd32.exe (PID 5064), command line: C:\Windows\system32\Aqppkd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
42. C:\Windows\SysWOW64\Aeklkchg.exe (PID 1424), command line: C:\Windows\system32\Aeklkchg.exe
   - Executes dropped EXE
   - Modifies registry class
43. C:\Windows\SysWOW64\Agjhgngj.exe (PID 1868), command line: C:\Windows\system32\Agjhgngj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\Afmhck32.exe (PID 1956), command line: C:\Windows\system32\Afmhck32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
45. C:\Windows\SysWOW64\Andqdh32.exe (PID 2548), command line: C:\Windows\system32\Andqdh32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
46. C:\Windows\SysWOW64\Amgapeea.exe (PID 1552), command line: C:\Windows\system32\Amgapeea.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Aeniabfd.exe (PID 1352), command line: C:\Windows\system32\Aeniabfd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
48. C:\Windows\SysWOW64\Acqimo32.exe (PID 5036), command line: C:\Windows\system32\Acqimo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
49. C:\Windows\SysWOW64\Afoeiklb.exe (PID 2096), command line: C:\Windows\system32\Afoeiklb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Ajkaii32.exe (PID 1672), command line: C:\Windows\system32\Ajkaii32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
51. C:\Windows\SysWOW64\Aminee32.exe (PID 664), command line: C:\Windows\system32\Aminee32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Aepefb32.exe (PID 2356), command line: C:\Windows\system32\Aepefb32.exe
   - Executes dropped EXE
   - Modifies registry class
53. C:\Windows\SysWOW64\Accfbokl.exe (PID 4916), command line: C:\Windows\system32\Accfbokl.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
54. C:\Windows\SysWOW64\Bfabnjjp.exe (PID 3652), command line: C:\Windows\system32\Bfabnjjp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Bjmnoi32.exe (PID 5008), command line: C:\Windows\system32\Bjmnoi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
56. C:\Windows\SysWOW64\Bnhjohkb.exe (PID 3672), command line: C:\Windows\system32\Bnhjohkb.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
57. C:\Windows\SysWOW64\Bagflcje.exe (PID 1560), command line: C:\Windows\system32\Bagflcje.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
58. C:\Windows\SysWOW64\Bcebhoii.exe (PID 216), command line: C:\Windows\system32\Bcebhoii.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
59. C:\Windows\SysWOW64\Bganhm32.exe (PID 4956), command line: C:\Windows\system32\Bganhm32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
60. C:\Windows\SysWOW64\Bjokdipf.exe (PID 2320), command line: C:\Windows\system32\Bjokdipf.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
61. C:\Windows\SysWOW64\Bnkgeg32.exe (PID 2604), command line: C:\Windows\system32\Bnkgeg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
62. C:\Windows\SysWOW64\Bmngqdpj.exe (PID 3336), command line: C:\Windows\system32\Bmngqdpj.exe
   - Executes dropped EXE
   - Drops file in System32 directory
63. C:\Windows\SysWOW64\Beeoaapl.exe (PID 1580), command line: C:\Windows\system32\Beeoaapl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
64. C:\Windows\SysWOW64\Bchomn32.exe (PID 740), command line: C:\Windows\system32\Bchomn32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
65. C:\Windows\SysWOW64\Bffkij32.exe (PID 4808), command line: C:\Windows\system32\Bffkij32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
66. C:\Windows\SysWOW64\Bnmcjg32.exe (PID 5112), command line: C:\Windows\system32\Bnmcjg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
67. C:\Windows\SysWOW64\Balpgb32.exe (PID 3304), command line: C:\Windows\system32\Balpgb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
68. C:\Windows\SysWOW64\Beglgani.exe (PID 1924), command line: C:\Windows\system32\Beglgani.exe
   - Modifies registry class
69. C:\Windows\SysWOW64\Bcjlcn32.exe (PID 1620), command line: C:\Windows\system32\Bcjlcn32.exe
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
70. C:\Windows\SysWOW64\Bfhhoi32.exe (PID 4948), command line: C:\Windows\system32\Bfhhoi32.exe
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
71. C:\Windows\SysWOW64\Bjddphlq.exe (PID 4476), command line: C:\Windows\system32\Bjddphlq.exe
   - System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\Bhhdil32.exe (PID 1612), command line: C:\Windows\system32\Bhhdil32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Bnbmefbg.exe (PID 2428), command line: C:\Windows\system32\Bnbmefbg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Belebq32.exe (PID 4984), command line: C:\Windows\system32\Belebq32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Chjaol32.exe (PID 3256), command line: C:\Windows\system32\Chjaol32.exe
   - Drops file in System32 directory
76. C:\Windows\SysWOW64\Cjinkg32.exe (PID 4728), command line: C:\Windows\system32\Cjinkg32.exe
   - Drops file in System32 directory
77. C:\Windows\SysWOW64\Cabfga32.exe (PID 1660), command line: C:\Windows\system32\Cabfga32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Cdabcm32.exe (PID 1396), command line: C:\Windows\system32\Cdabcm32.exe
   - System Location Discovery: System Language Discovery
   - Modifies registry class
79. C:\Windows\SysWOW64\Cfpnph32.exe (PID 1936), command line: C:\Windows\system32\Cfpnph32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
80. C:\Windows\SysWOW64\Ceqnmpfo.exe (PID 3460), command line: C:\Windows\system32\Ceqnmpfo.exe
   - Modifies registry class
81. C:\Windows\SysWOW64\Cfbkeh32.exe (PID 1224), command line: C:\Windows\system32\Cfbkeh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - Modifies registry class
82. C:\Windows\SysWOW64\Cnicfe32.exe (PID 5016), command line: C:\Windows\system32\Cnicfe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
83. C:\Windows\SysWOW64\Ceckcp32.exe (PID 2808), command line: C:\Windows\system32\Ceckcp32.exe
84. C:\Windows\SysWOW64\Chagok32.exe (PID 4164), command line: C:\Windows\system32\Chagok32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
85. C:\Windows\SysWOW64\Cjpckf32.exe (PID 3468), command line: C:\Windows\system32\Cjpckf32.exe
   - Modifies registry class
86. C:\Windows\SysWOW64\Ceehho32.exe (PID 4936), command line: C:\Windows\system32\Ceehho32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
87. C:\Windows\SysWOW64\Chcddk32.exe (PID 5092), command line: C:\Windows\system32\Chcddk32.exe
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
88. C:\Windows\SysWOW64\Cmqmma32.exe (PID 3584), command line: C:\Windows\system32\Cmqmma32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
89. C:\Windows\SysWOW64\Dhfajjoj.exe (PID 4284), command line: C:\Windows\system32\Dhfajjoj.exe
   - System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Djdmffnn.exe (PID 5132), command line: C:\Windows\system32\Djdmffnn.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
91. C:\Windows\SysWOW64\Danecp32.exe (PID 5176), command line: C:\Windows\system32\Danecp32.exe
   - System Location Discovery: System Language Discovery
92. C:\Windows\SysWOW64\Ddmaok32.exe (PID 5224), command line: C:\Windows\system32\Ddmaok32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Dfknkg32.exe (PID 5268), command line: C:\Windows\system32\Dfknkg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Dobfld32.exe (PID 5320), command line: C:\Windows\system32\Dobfld32.exe
   - System Location Discovery: System Language Discovery
95. C:\Windows\SysWOW64\Dmefhako.exe (PID 5368), command line: C:\Windows\system32\Dmefhako.exe
96. C:\Windows\SysWOW64\Ddonekbl.exe (PID 5412), command line: C:\Windows\system32\Ddonekbl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Dfnjafap.exe (PID 5456), command line: C:\Windows\system32\Dfnjafap.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Dodbbdbb.exe (PID 5500), command line: C:\Windows\system32\Dodbbdbb.exe
   - Modifies registry class
99. C:\Windows\SysWOW64\Daconoae.exe (PID 5540), command line: C:\Windows\system32\Daconoae.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - Modifies registry class
100. C:\Windows\SysWOW64\Ddakjkqi.exe (PID 5584), command line: C:\Windows\system32\Ddakjkqi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - Modifies registry class
101. C:\Windows\SysWOW64\Dkkcge32.exe (PID 5628), command line: C:\Windows\system32\Dkkcge32.exe
   - Drops file in System32 directory
   - Modifies registry class
102. C:\Windows\SysWOW64\Dogogcpo.exe (PID 5668), command line: C:\Windows\system32\Dogogcpo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
103. C:\Windows\SysWOW64\Daekdooc.exe (PID 5712), command line: C:\Windows\system32\Daekdooc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
104. C:\Windows\SysWOW64\Dhocqigp.exe (PID 5752), command line: C:\Windows\system32\Dhocqigp.exe
   - Drops file in System32 directory
105. C:\Windows\SysWOW64\Dgbdlf32.exe (PID 5796), command line: C:\Windows\system32\Dgbdlf32.exe
106. C:\Windows\SysWOW64\Dmllipeg.exe (PID 5836), command line: C:\Windows\system32\Dmllipeg.exe
   - System Location Discovery: System Language Discovery
107. C:\Windows\SysWOW64\WerFault.exe (PID 5952), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 416
   - Program crash
Separate root process (depth 1):

1. C:\Windows\SysWOW64\WerFault.exe (PID 5896), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5836 -ip 5836
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
664KB
MD5186aa3ad56ca865d495cffb396b9e256
SHA1246a73bca9ce168a5779033669e4004c2e1666ba
SHA25697b8a926e2b7801d860c2b51a86407963b39e3147d340e044cf5507ecb05c9e7
SHA5120a0633f4e8db7d15738ac2c85aa2300ce5390f111eb50df67d4b3f990e9b6ba4564ef3f5ab2d84381ab437726923534eb94e0053c3d95357ec3149627a93152b
-
Filesize
664KB
MD53c7e727ebcbe8d8df3fc8a977ff514d1
SHA1f552f7445f269425d45a1e693df670c214223817
SHA25609b33ab9f9e73dfd0ea607f22b3833e3a210e1c2a9cc14ce76776bf7c5496bfc
SHA512a042b68165eaa8b1226c6ebe8fb42284127e2b9832a646611bca5597c73b4f2b9871e700bd37a4eed37335b58b5833acfe0f598136cda6ed8e3cf0ed3172a7f8
-
Filesize
664KB
MD543587d165b1325e6e024cf2bf0c92675
SHA10ce1ab1688afe335e3b44011dc35eaa89d93d937
SHA2568f731dcdb72917d46848171c2bba03f2fd0f6ec739a05499151b6d63efafe222
SHA5120de516255aef62b4fda5929399e89f0eb7210f74daaa03bbd7cf0e1704673800d4b6680d0e0220c37da187b74d60eb7a90d15258408a6940f216fc5b405fb2e0
-
Filesize
664KB
MD5404920a7fe4108867b6f33cceb073613
SHA1855b7b86766d1a3e81242f92f7216c712ee860cf
SHA25639150cf4c986e202790a645bde3b00a356685328bba870d7fa2d35937331eeee
SHA512458c9551efca37fb01696756a3ac1519dae00f683771bf7e6166a04a75f8c07441506010587cb9efb7d564c6a7509ce63479fef1ea25809fd71431a277ca0603
-
Filesize
664KB
MD5ca499e94955026b103efd3823afe4909
SHA1779008e302b75e23c45c54b57857c478603dff3a
SHA256cf7f620eb0461f56ab46b7da6500f0a1960bd9b6ebcf068fb76fec4e6ad795e4
SHA512bd43f4c5b0a919b709c0a932601ba857e8e14ac69ee71be94610074f97adcaa90f5f81dad0b4ed294fc5438621e458c78c0d789b5720cef8bf2caf845506735b
-
Filesize
664KB
MD5261939533940b1561f06fae7109f3880
SHA1810b237c4b5e2e0c72cf2a0abbee79ff77b88ab4
SHA256b5b8e036679af435d6609e611f99d487e3a6e0033ba42c88002e81c3baadea4f
SHA51279f0ea3193fcac74f4070bc43f4bc698c5824fcd5ae8c65bb319584118d83b39dc5ba942fbb107a58352bb6b01d3c967834615b3087ec607dc14b3abf4c149da