Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13/11/2024, 08:31
Static task
static1
Behavioral task
behavioral1
Sample
b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe
Resource
win10v2004-20241007-en
General
-
Target
b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe
-
Size
305KB
-
MD5
d08a11b7cc3ed1f3a174e580d0d42a50
-
SHA1
7c90aaa1c5148d4db7303cf149801576f83f391d
-
SHA256
b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607
-
SHA512
4f458c904767aa70cebb8ae223d4ded9a733f4fe7fd69d30130a748cf46a37bd24e36ba58cb85c776640d51411890ef705a84e0e93537cf724afdf7f76124d43
-
SSDEEP
3072:VJTmvixyuqXkPdgKXz+lc802eS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDbd:jmk80PdXKlc85dZMGXF5ahdt3b0668
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmngqdpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkifae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djgjlelk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioqq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbpaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjcgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjjhbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdhhdlid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmidog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgnilpah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnjnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmiflbel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogbipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcddk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnlaml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofcmfodb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cabfga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmngqdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqppkd32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1304 Ofnckp32.exe 4532 Oneklm32.exe 4844 Olkhmi32.exe 544 Ofcmfodb.exe 1868 Onjegled.exe 2868 Oqhacgdh.exe 2296 Oddmdf32.exe 1624 Ogbipa32.exe 1416 Pnlaml32.exe 760 Pqknig32.exe 4904 Pjcbbmif.exe 4572 Pmannhhj.exe 2900 Pdifoehl.exe 5084 Pfjcgn32.exe 1028 Pnakhkol.exe 3908 Pqpgdfnp.exe 4800 Pdkcde32.exe 1724 Pgioqq32.exe 4600 Pflplnlg.exe 2188 Pncgmkmj.exe 2384 Pqbdjfln.exe 2196 Pdmpje32.exe 4556 Pcppfaka.exe 3492 Pfolbmje.exe 404 Pjjhbl32.exe 4612 Pmidog32.exe 4376 Pqdqof32.exe 4256 Pgnilpah.exe 3892 Pjmehkqk.exe 4496 Qnhahj32.exe 4204 Qqfmde32.exe 4384 Qdbiedpa.exe 736 Qgqeappe.exe 180 Qjoankoi.exe 3292 Qnjnnj32.exe 4244 Qqijje32.exe 2648 Qcgffqei.exe 4124 Qgcbgo32.exe 3916 Ajanck32.exe 4952 Ampkof32.exe 2876 Aqkgpedc.exe 3332 Acjclpcf.exe 2644 Ageolo32.exe 5028 Ajckij32.exe 1588 Ambgef32.exe 2492 Aeiofcji.exe 2972 Agglboim.exe 428 Ajfhnjhq.exe 1480 Amddjegd.exe 2692 Aqppkd32.exe 1548 Acnlgp32.exe 3712 Afmhck32.exe 3692 Ajhddjfn.exe 3372 Amgapeea.exe 1748 Aeniabfd.exe 2032 Acqimo32.exe 1088 Afoeiklb.exe 3076 Anfmjhmd.exe 4696 Aminee32.exe 1836 Aepefb32.exe 944 Accfbokl.exe 2028 Bfabnjjp.exe 3068 Bnhjohkb.exe 4792 Bagflcje.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Doilmc32.exe Dgbdlf32.exe File opened for modification C:\Windows\SysWOW64\Pncgmkmj.exe Pflplnlg.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pqbdjfln.exe File created C:\Windows\SysWOW64\Pqdqof32.exe Pmidog32.exe File created C:\Windows\SysWOW64\Bfabnjjp.exe Accfbokl.exe File opened for modification C:\Windows\SysWOW64\Bfabnjjp.exe Accfbokl.exe File opened for modification C:\Windows\SysWOW64\Ddonekbl.exe Delnin32.exe File created C:\Windows\SysWOW64\Pncgmkmj.exe Pflplnlg.exe File created C:\Windows\SysWOW64\Ljbncc32.dll Afoeiklb.exe File created C:\Windows\SysWOW64\Fjbodfcj.dll Accfbokl.exe File created C:\Windows\SysWOW64\Bnhjohkb.exe Bfabnjjp.exe File created C:\Windows\SysWOW64\Cdlgno32.dll Bganhm32.exe File created C:\Windows\SysWOW64\Ddmaok32.exe Dejacond.exe File created C:\Windows\SysWOW64\Pjcbbmif.exe Pqknig32.exe File opened for modification C:\Windows\SysWOW64\Pgioqq32.exe Pdkcde32.exe File created C:\Windows\SysWOW64\Odaoecld.dll Pfolbmje.exe File created C:\Windows\SysWOW64\Qcgffqei.exe Qqijje32.exe File created C:\Windows\SysWOW64\Afmhck32.exe Acnlgp32.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bganhm32.exe File created C:\Windows\SysWOW64\Bganhm32.exe Bcebhoii.exe File opened for modification C:\Windows\SysWOW64\Bgcknmop.exe Beeoaapl.exe File opened for modification C:\Windows\SysWOW64\Oneklm32.exe Ofnckp32.exe File created C:\Windows\SysWOW64\Onjegled.exe Ofcmfodb.exe File opened for modification C:\Windows\SysWOW64\Pfjcgn32.exe Pdifoehl.exe File created C:\Windows\SysWOW64\Ekphijkm.dll Pdifoehl.exe File opened for modification C:\Windows\SysWOW64\Qnjnnj32.exe Qjoankoi.exe File created C:\Windows\SysWOW64\Hmcjlfqa.dll Aqkgpedc.exe File created C:\Windows\SysWOW64\Gmdkpdef.dll Oqhacgdh.exe File opened for modification C:\Windows\SysWOW64\Qqfmde32.exe Qnhahj32.exe File opened for modification C:\Windows\SysWOW64\Qgqeappe.exe Qdbiedpa.exe File created C:\Windows\SysWOW64\Ambgef32.exe Ajckij32.exe File created C:\Windows\SysWOW64\Agglboim.exe Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe Bjokdipf.exe File created C:\Windows\SysWOW64\Oneklm32.exe Ofnckp32.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Ageolo32.exe File created C:\Windows\SysWOW64\Afoeiklb.exe Acqimo32.exe File created C:\Windows\SysWOW64\Dhfajjoj.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Eokchkmi.dll Cegdnopg.exe File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe Dhfajjoj.exe File created C:\Windows\SysWOW64\Pgnilpah.exe Pqdqof32.exe File opened for modification C:\Windows\SysWOW64\Ambgef32.exe Ajckij32.exe File created C:\Windows\SysWOW64\Beeoaapl.exe Bmngqdpj.exe File opened for modification C:\Windows\SysWOW64\Ofcmfodb.exe Olkhmi32.exe File created C:\Windows\SysWOW64\Acjclpcf.exe Aqkgpedc.exe File created C:\Windows\SysWOW64\Ajfhnjhq.exe Agglboim.exe File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Qnhahj32.exe Pjmehkqk.exe File created C:\Windows\SysWOW64\Accfbokl.exe Aepefb32.exe File created C:\Windows\SysWOW64\Dogogcpo.exe Dfpgffpm.exe File created C:\Windows\SysWOW64\Acnlgp32.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Fpnnia32.dll Bgcknmop.exe File opened for modification C:\Windows\SysWOW64\Chcddk32.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Ddonekbl.exe Delnin32.exe File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe Dhmgki32.exe File created C:\Windows\SysWOW64\Pnlaml32.exe Ogbipa32.exe File created C:\Windows\SysWOW64\Ciopbjik.dll Pqbdjfln.exe File created C:\Windows\SysWOW64\Pjmehkqk.exe Pgnilpah.exe File created C:\Windows\SysWOW64\Jfihel32.dll Bhhdil32.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Ddonekbl.exe File created C:\Windows\SysWOW64\Ehfnmfki.dll Ampkof32.exe File opened for modification C:\Windows\SysWOW64\Dmefhako.exe Djgjlelk.exe File created C:\Windows\SysWOW64\Acqimo32.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Kahdohfm.dll Dmjocp32.exe File created C:\Windows\SysWOW64\Olkhmi32.exe Oneklm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5180 6068 WerFault.exe 200 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjhbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbplc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhocqigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqimo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgioqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjohkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnhahj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddjfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcebhoii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgjlelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnilpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjoankoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmngqdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjinkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnjafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqpgdfnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anfmjhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjokdipf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglboim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accfbokl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhhdlid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amddjegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmgki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcmfodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcknmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegdnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejacond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oneklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkcde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beeoaapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beglgani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beihma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkgpedc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqppkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmhck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceckcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgbnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmiflbel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfknkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdqof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageolo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgapeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeniabfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcbbmif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnakhkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgqeappe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjclpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbpaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgehcmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoeiklb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oddmdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll" Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" Accfbokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceckcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Balpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll" Bmbplc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmannhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll" Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bagflcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" Djgjlelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" Bgcknmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cegdnopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll" Oddmdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogbipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll" Ajfhnjhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bganhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeiofcji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqkgpedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aepefb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bganhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pncgmkmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnhahj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajfhnjhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll" Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll" Aminee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcebhoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" Cjinkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dopigd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmidog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" Pjmehkqk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2896 wrote to memory of 1304 2896 b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe 83 PID 2896 wrote to memory of 1304 2896 b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe 83 PID 2896 wrote to memory of 1304 2896 b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe 83 PID 1304 wrote to memory of 4532 1304 Ofnckp32.exe 84 PID 1304 wrote to memory of 4532 1304 Ofnckp32.exe 84 PID 1304 wrote to memory of 4532 1304 Ofnckp32.exe 84 PID 4532 wrote to memory of 4844 4532 Oneklm32.exe 85 PID 4532 wrote to memory of 4844 4532 Oneklm32.exe 85 PID 4532 wrote to memory of 4844 4532 Oneklm32.exe 85 PID 4844 wrote to memory of 544 4844 Olkhmi32.exe 88 PID 4844 wrote to memory of 544 4844 Olkhmi32.exe 88 PID 4844 wrote to memory of 544 4844 Olkhmi32.exe 88 PID 544 wrote to memory of 1868 544 Ofcmfodb.exe 89 PID 544 wrote to memory of 1868 544 Ofcmfodb.exe 89 PID 544 wrote to memory of 1868 544 Ofcmfodb.exe 89 PID 1868 wrote to memory of 2868 1868 Onjegled.exe 90 PID 1868 wrote to memory of 2868 1868 Onjegled.exe 90 PID 1868 wrote to memory of 2868 1868 Onjegled.exe 90 PID 2868 wrote to memory of 2296 2868 Oqhacgdh.exe 91 PID 2868 wrote to memory of 2296 2868 Oqhacgdh.exe 91 PID 2868 wrote to memory of 2296 2868 Oqhacgdh.exe 91 PID 2296 wrote to memory of 1624 2296 Oddmdf32.exe 92 PID 2296 wrote to memory of 1624 2296 Oddmdf32.exe 92 PID 2296 wrote to memory of 1624 2296 Oddmdf32.exe 92 PID 1624 wrote to memory of 1416 1624 Ogbipa32.exe 93 PID 1624 wrote to memory of 1416 1624 Ogbipa32.exe 93 PID 1624 wrote to memory of 1416 1624 Ogbipa32.exe 93 PID 1416 wrote to memory of 760 1416 Pnlaml32.exe 94 PID 1416 wrote to memory of 760 1416 Pnlaml32.exe 94 PID 1416 wrote to memory of 760 1416 Pnlaml32.exe 94 PID 760 wrote to memory of 4904 760 Pqknig32.exe 95 PID 760 wrote to memory of 4904 760 Pqknig32.exe 95 PID 760 wrote to memory of 4904 760 Pqknig32.exe 95 PID 4904 wrote to memory of 4572 4904 Pjcbbmif.exe 96 PID 4904 wrote to memory of 4572 4904 Pjcbbmif.exe 96 PID 4904 wrote to memory of 4572 4904 Pjcbbmif.exe 96 PID 4572 wrote to memory of 2900 4572 Pmannhhj.exe 97 PID 4572 wrote to memory of 2900 4572 Pmannhhj.exe 97 PID 4572 wrote to memory of 2900 4572 Pmannhhj.exe 97 PID 2900 wrote to memory of 5084 2900 Pdifoehl.exe 98 PID 2900 wrote to memory of 5084 2900 Pdifoehl.exe 98 PID 2900 wrote to memory of 5084 2900 Pdifoehl.exe 98 PID 5084 wrote to memory of 1028 5084 Pfjcgn32.exe 99 PID 5084 wrote to memory of 1028 5084 Pfjcgn32.exe 99 PID 5084 wrote to memory of 1028 5084 Pfjcgn32.exe 99 PID 1028 wrote to memory of 3908 1028 Pnakhkol.exe 100 PID 1028 wrote to memory of 3908 1028 Pnakhkol.exe 100 PID 1028 wrote to memory of 3908 1028 Pnakhkol.exe 100 PID 3908 wrote to memory of 4800 3908 Pqpgdfnp.exe 101 PID 3908 wrote to memory of 4800 3908 Pqpgdfnp.exe 101 PID 3908 wrote to memory of 4800 3908 Pqpgdfnp.exe 101 PID 4800 wrote to memory of 1724 4800 Pdkcde32.exe 102 PID 4800 wrote to memory of 1724 4800 Pdkcde32.exe 102 PID 4800 wrote to memory of 1724 4800 Pdkcde32.exe 102 PID 1724 wrote to memory of 4600 1724 Pgioqq32.exe 103 PID 1724 wrote to memory of 4600 1724 Pgioqq32.exe 103 PID 1724 wrote to memory of 4600 1724 Pgioqq32.exe 103 PID 4600 wrote to memory of 2188 4600 Pflplnlg.exe 104 PID 4600 wrote to memory of 2188 4600 Pflplnlg.exe 104 PID 4600 wrote to memory of 2188 4600 Pflplnlg.exe 104 PID 2188 wrote to memory of 2384 2188 Pncgmkmj.exe 105 PID 2188 wrote to memory of 2384 2188 Pncgmkmj.exe 105 PID 2188 wrote to memory of 2384 2188 Pncgmkmj.exe 105 PID 2384 wrote to memory of 2196 2384 Pqbdjfln.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe"C:\Users\Admin\AppData\Local\Temp\b3e722febbfe600e958e103a4dd9dbd3220da257c5090b45400ae98b32aa2607N.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe23⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe24⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3492 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:404 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4256 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:180 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3292 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4244 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe39⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe40⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:428 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3692 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3372 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3076 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4696 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe72⤵PID:1608
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4084 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe74⤵
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4352 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5052 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe85⤵PID:208
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4132 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:220 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3540 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe92⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe95⤵PID:5192
-
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5364 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe103⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5576 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5620 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe106⤵
- System Location Discovery: System Language Discovery
PID:5652 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5740 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:5780 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe110⤵PID:5820
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:5852 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe115⤵
- Modifies registry class
PID:6024 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe116⤵
- System Location Discovery: System Language Discovery
PID:6068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 408117⤵
- Program crash
PID:5180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6068 -ip 60681⤵PID:6132
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD56719aa0b0a7cdf91e463f20b80f12885
SHA1ee86fe119fe858bb887c6a1c80d89b51c6710254
SHA256769b45cad02a525022fe2b1c2b0edadf15de0d02fbb01c21ce38e169ff5327e8
SHA512b5e6c525c6b3e625716e276d919d3cc965f55cc5c557fb04e0fd1a47ae8e0fb7cfb8f3bfa46da9f12f293275fd8390fad6e7e56ce6f1d947fd80d964d168d0fb
-
Filesize
305KB
MD5df1db280ac7850ae1ec8914f0ff14841
SHA1b9902fa8a1f051811438f236eab49aeed0f3a358
SHA256b7fc246e6457a8fb9833b42e535aa811c6710436a36e02902fd3113c5c23dcac
SHA512efb8f353a5550abbafa83952176c173ad4e8e04ac7f947687d4eee061b1c33832d2f5285b3f984fafe0210f0215c4c59112a425949b9482e59af897fd4126b26
-
Filesize
305KB
MD5390e73d01d5e5aa891fd3142d47f143b
SHA1ff1249f0165847ba7290209b221cf5055e90ff78
SHA256e10ca5fd1c478a1c20a3f5513c2d7b0bf9dc8e0e3a0ab31ad1a18f9985afc722
SHA512ab6002d641b6fa7765e5af238fbe7691c0e007ca31011c16489e1c96d6a57fca05f7f8153d672ba822142ab74b099f9a8c3f39559a8645f5e884f13f9f1548d5
-
Filesize
305KB
MD51b7058090afcefae4d113084c8676437
SHA17b28dd7add7e02e6c4a3ba6909caf5f4f0718218
SHA256217c350179c81e5cc34a9682d9824d90253ddeb527bd7dce85ef59c70030f2f2
SHA512cd7836c8250d30a8b56d9678a2ebc56bfdc43a6f0d0492c814947101ea6f9595124f166d0faa75377f407dd1ba8bb687eaa38b2566595e4835e7dce29ce0ab22
-
Filesize
305KB
MD5c422c8f1190d9396b1d89cd1f09437e7
SHA194a5cad66c53a0eaabd93a954f23209a723b2fd1
SHA2563522c9bfb77ef692737fe47fecb8bab0b704d6095b603d74ef4802414c05afe4
SHA51281e557e6d4e45574e11ecc58b70343124f17e9e3e977cc3ea2c9d7a6bba9772caa8353d4ebfc99b349464a9971c718857b835ca0b007cb1e43367567c27acf32
-
Filesize
305KB
MD5c3055f2c893de6d0e67c61482fa2f90d
SHA13e9a197c0d091eba935b8602cda0727ca4ba30cf
SHA25604eb662ce48a39be7bfd6ea0a5a41a05e820fc16d3e74f3c1100bb49ee0edd69
SHA5124e52484e9c30763e85d86d7d314c688ea2c77c519bd58742a4b460737979acc4a429f73b9ac12ebf0164d45b50b05b4879121d1085a90d59872136eb0e0f4c98
-
Filesize
305KB
MD567a09d4d66568ffb993d40e25ce2a630
SHA17bb786f7380faa79beae1a864ae9856fd3348384
SHA2561b49f2666d164717b3e8d2af8119bf3b6da384b53f4cab763a096cb89a8539fc
SHA51278e7d9e2ae3b53ebe02401ad14f5f074dcf3170b45216e0f9570ec2237680a47181545dbd9cc575983ab642393de35bf9afeaeaf5ef093498534122be8d0a5b0
-
Filesize
305KB
MD5e896cf9c5ba7b1a1f25564956322f096
SHA1a178230964f84cdd74c9a69eee2226de86df5855
SHA256e5f71c2abb28861f820612d7a02d5df4dbb461a48de593a23239a224a039eb46
SHA512ae91e1a9af5134137950c75fd1489ca7ceae64646a6c754de617c16709737458a627592da96e10a68cfb52f3251d7d0fcf44f89285cdc01b8eab5aa1a59c8a71
-
Filesize
305KB
MD54daecdb43379ef92983348a1732cd421
SHA198783d3253dce7a0e1fef5c57fa5af020d989988
SHA2560e2409ed267b2c5c8b6d93228c7a9ec29053cb01880b08b15c14a807927fb56b
SHA512dbd61d1eaa8e8c843c9ac687b3d0717cfc6f161d865903690df3756b3edf2a7b52c7ba1d3224a6f34a9ea687c9026dc97700df1d0ea401244b23bbbb2cd7e1de
-
Filesize
305KB
MD5fa25d7257479c740cc0f7da8dc8be047
SHA1c7a49b91d6daac7197aad08a8c8bb5c632c23b27
SHA256fafa073d5cff33eb55b59fbc2ffd8ad5d58f6801c3e5e6d3cff15061542297e9
SHA5124b6999d71a17c004fbbddbf89b2f540ad75349e06d58cf865def42abf4d55a49a032d2f97592cd12860e7ed72c0bdf26d3bf00b2d1f6e56ab29da281e744be06
-
Filesize
305KB
MD55237a5217c4b8f6b4ab2040f19d87060
SHA13b9d3e433176642f0db53f05ca6899646036197b
SHA25642ee23263c3f1a28854e75fb43ca92bfdd6215b8600933cddf615202ba3b260e
SHA512be6b8ceba653d604c83bcfe2b079f12f8c7566e1ff41b0b17387f8751a05817ecc29a76f4b6718bdefb7991d6d2fccd23cc4bbdeb29e4cc4e07b5b8990078c2e
-
Filesize
305KB
MD5f3ce9c95a51b8d8677d3c88e3ef5441b
SHA1b448ea35be9fc92f1c685de4f1ceb5b510d07d7f
SHA256a7950ff0f356c8cb95281a2683790fb5888d109f175c74fe6baf49c878a7308e
SHA51262f34e11bd528460a9cee3362eacc1d030feb67e88a8322e93c65b7b2fddee59be6e4a935a81781468e749a64f8f5fdbdcc3a58a3f4f4765bc232f541f11338e
-
Filesize
305KB
MD5d1f900afc8b11da2d9035699cca6c466
SHA16771ff3567190bf0d601a9fe16e56ddfe17c0e87
SHA256d9ce3778f96846b502754d93da78e4c6eca53742a9e0ae9b9c2cd0202fa2bd2a
SHA512b881e66b538bfe70353587288a74993ad9dd1fca61c0c785a0680c1c267b143cda8e2ff8c1bc7821b4b51812dcf70818ece17181fb557d30c8f03df58c49e70d
-
Filesize
305KB
MD5d1b3b6c7c5880df5acb8b7445772b6b5
SHA1bf52d65d680974e801c5e332d4ca19c6a4b8c762
SHA2564f4b203ca36a26694ed5d5318eb1d26721391b629b1c9ff0527e8a72cd15b5f4
SHA512bb0c70663b81ea95d05bdf96c79db58b3444185373be4299dc1bf2177f214f38f07847f4df91caa9cec51749755b3603169278f01aacac3b5abcf343aefd1cfd
-
Filesize
305KB
MD5b13b29e4fca6bb3b7aba836a43a5edab
SHA185759f9a9a05a23a734d95b0ebfa2ccf08f7dec1
SHA25670740d43ca4140a0cdf77f3729df899c587591b046afb6ff322f6d7ce6576bbd
SHA5128de8a1f8b67f7ff718fcae4bf16977497060de8db95722e2ba99058691e2c3e1f6b3b5627d09a8c8ae580b08f3f5db7684f654ef2c6796820e451589cfddf52c
-
Filesize
305KB
MD500ab6a331105ffabf23d657b317c7b10
SHA1c1835a4ca88b8ef1b1b12154d1fb5a6b03df1fc4
SHA25655f87bfa72b621952652661a9e480f193ee41549182c5244bcf1b729bf617a59
SHA5123621cad767db0b3e96e92c281b41c3aef1e71827a99aa2b46e608f65746e74eb2f7da8e0b4927db7181b7ecbcfcbcfa4235275f82cbbd6b5fcb6f62cef926775
-
Filesize
305KB
MD56a28b226f525e1afa98d2f27f0f8ba6c
SHA1fe2e246f1f7f22d2bbf70718ba4143ffcaaaae4b
SHA256eacda2a84b2be1fea4785a5621cad2588ad1c541504c08617503e25662bb01a7
SHA51217daf037aca403d0239382424bfd4e201c5c1a7842558d8393354dad62f733add3bbead93b56116bc27c4020330b6ca41b60bd26b1d84656d8ab284d0d18c711
-
Filesize
305KB
MD5f881d82130affea7b8d3ce78006e1575
SHA1e61d5acd902753969f4ee743c3b59306071b25c8
SHA256259074f866ef0f598957df8e2eb7c9e198ae788a50aa90fb4ca1303d273fb92b
SHA5128e37f401df04047991da83f9d2023394cf66ad2d05c7c6a2597dc8bcbc52cc684a47906e768c8db6341c459786dd03eb81e667c57ef9376232a8cd173b685799
-
Filesize
305KB
MD572d8f4b853c24dfc83859fce62497de8
SHA1a2e68cea4d3bc2a7de356d32824f89ad4be79db6
SHA256da9bd77340979161b2f53e0e92b8ab04c6cab6cb194ff17b21c7054bae922788
SHA51297e54a1097881ebf9dde1c0e56d3864a29042ff81bac1aae78d1be64abd47cd657b60de51a28b2d095e1990f89df2214477e1d111639ca280cf778fef84bca5b
-
Filesize
305KB
MD583aa8aa65e27566ce8a48a7bcad4bf73
SHA137de2ef6f5be6a589d4e62592ad730c3d3ef7214
SHA256abaa21085666bb3ccc0ac90ee4adef6831aec71f93dfd11a6825b47b9e4cef1e
SHA512582684c47e7c762267adcdbe2c260dc6332792749b1f9d5e695f4af32f74851ed87784d77b4720c2e07ca64755e2a7af5e901bddde221021f9246410bf264543
-
Filesize
305KB
MD5c827a62e69e0df9a94d95a844559f38c
SHA12d4e99c1dfcb21e6b0104d3cc786fa16d8c5a018
SHA25691287e1fdac3a52373ee09752397b041e3e556ea1630471a72f2ed12b1ddd6fc
SHA512c7f598607f92a966bc0461774da7d115e2766b3161b085d47d2eec9592bc1da6273a2a229e683be7f67c0c5fcd98da860dfa1555904a57591545e3ede8c90db4
-
Filesize
305KB
MD5fc04a07f3c8d8269739a98cac15e435b
SHA14c7eb1a620aa312ee81e04be93e6ffa04bb5d19a
SHA256307bf7c9e77eb0c6e7a5ce1da6695a097c50b4115a19868484ff5aa3b08b1bd5
SHA51209e28c00897644f4fe542b6b169a5283f1da43ef8d61e4e844b02cd01677907fe8ffa0bb9e452b8bc5f54126a61eeb473d82427e43c308cd4ccb3895f85dddb0
-
Filesize
305KB
MD5fe568ecf8b6aea839812cab507585efe
SHA1192e59371e3e8c298db66896fe944e8ae44b1b6e
SHA256a7224b38ccd6feb00b4a7c223303ee17567c6b2072eabe89f93391148ce753d0
SHA5124a12e2aad364d2da8be6464f06deb75b497cf9a478620abb52f3bd0b80502437e30933348a73de732780c43e2a688e3fe81bbf0fa7b420d00fcb2eeb49fcf093
-
Filesize
305KB
MD511d25e5aae807d4858020bca546cd3b6
SHA1e5397bdcc24c3846af64eb04cd63d6d21df88828
SHA256dda5c3d571d60571087e2fc01cec6d824e87cc150e56a3f71ab2d05ca0c83d16
SHA51239874ff58bdb4d5086f3cb464304f49e391db2f5be6f37288b571c2f76945a6735151348980fcbc59a3beca3d641f0182ff2415001394975a5f10de231262c34
-
Filesize
305KB
MD54d30057001b4aebc3efd42c24ecf2663
SHA1cd4066d92de2eb298c3e3d89acb9463f084beb8f
SHA25637ecbe4cc2e7fbb0e4371b766f20c4860a774d6c3655e39f73fb419a6048c1ef
SHA512a7d553bda5e7adb40cf88e96ff80d46fbaf5303c0ea248797b55a97e9360052e351e60f4bc9c60947bc7817bd33cb3e1c8027eb2457b573cd3c9f6b709129177
-
Filesize
305KB
MD5aeb94e7550dd5a700c6a3d1af71b4d9c
SHA171e204c14748c64c67b38658b5143317a3658352
SHA256f9ea951b61d38b979c94a8062eacb0ce30549943d5c30c9382fa3e9a93be6bef
SHA51257f9286894d8164683bdbcd0742e74a10f9ff243bc40314388b7b7d34d861a8d5b16d2c3c2c7797d84fa90dcc15eb4257626722781e715f61808583abcff2a32
-
Filesize
305KB
MD5eaf654cfcff81f647239215275e5f60b
SHA1409d66f3bf97c371e452b2447ae78e0d4c949995
SHA2563e7d0e177a8054f05e178761c572d1e81324256f1a7917715ac1c32b246b512b
SHA51293d8b8abdf037d1714474d7fd3bd83f12d1c60df717bc1f3def38339bd1ba0a5252597d946aebbabdefe58c13777dc137e7f98895dec9dadfe7a6fa72b180b40
-
Filesize
305KB
MD5f61bc410776a85c65f392aa5c67e74fe
SHA1efdf3715a7bcc0f0a0c9b3e6a2d695d2a1c28d04
SHA256583c4fafd96db12d888ee88d79da6253a2bf0076e4dee36357a7d6445e572641
SHA512d330b0616253b9507c2ac05a67cd5a791ac8b43f22ad2dc236b8d389ebc642cfd635a013513261244a74dd46935b1ed1f1366fa718130067feaa9880ac1bf158
-
Filesize
305KB
MD5a66d07d4cf2e0ec322249f6b4e12e513
SHA1d2aa0734615dfdcc36659400ba583c14d20e056e
SHA256698361c056cd5845e55b519791921557b0c63688cab141fdced852f0990be729
SHA5123ae7bbfd4a2f797261ead89a5ca07222fdcc68cc65e9e8bcc1726312ca0e3844461fef5076906fc4a1ec89c317865e3648fc03e0e30165d18419a4f3563132f7
-
Filesize
305KB
MD54cab6d1594073cff7759448790f2e387
SHA10453995a78aa49e725e85da1c78838efa2f9416e
SHA25676de42095b146b741d455c50845ff40748d1bf9600de8fcb9ea80aed6a935ed4
SHA51255d0567211694e9ed6de20ca58b6ec5e13118cd068e01e636a289f6283675336952926c889b718f7f1375f80469eb856126777b8a9dfe666e85b0c6abaf18507
-
Filesize
305KB
MD5bf655254f26d69e72c86521540ed1525
SHA136dbba79cbc8dd17c5880ba0c444396429cc22f5
SHA256ca320f8fab0b648899c561a2cdd2185e8676b349172de916a18b20488d070cd9
SHA5120f5afebba91c94bd76be0c3d68b5f2ad41745d04f70474634aa8155a514fddd4090fd8b317ba8afc43ab33be907f400d69ec3aaf2e59f7d38488d62540f85a22
-
Filesize
305KB
MD5d101b39d2acb958d03212b23eec4756f
SHA1831ea2701cec0721e35129b2bed6419b8c1b1845
SHA256c858f32412e17ed011677a0a48f8667c0f721fda8139b1730a078a5771bc2028
SHA5120a667baa2017a8fddce15c6e3ce915166937f02a574a499340afb967caa78543587fe40fd6023eb855abba86ca9927e72f953ac9433506bb7fbea63d54ad3468
-
Filesize
305KB
MD520f52280eeb82fb268998173498d9f9f
SHA100a2f9398f87c27d3dc0c9072f2822bb1bd409da
SHA2565e336329baa6ebc9351df1de5417527ac50038a58ba1dd5557513c6d7baba127
SHA512dd82c1c83ea45035766096e4ce424b77d5201c73accfc1c80ce5184f92b98ddefc801a26316995c830ff9ef8144cba5841c0467d3a775f8e60409ee5e1029732