Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 21:32
Static task
static1
Behavioral task
behavioral1
Sample
562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe
Resource
win10v2004-20241007-en
General
-
Target
562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe
-
Size
55KB
-
MD5
64876dd17eeef3cc362598def1050351
-
SHA1
ddb4e811626869ba40a0e3e0417700a71a6676a2
-
SHA256
562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499
-
SHA512
92d6bfa1ae16352e2b3bbcf2190fdcc270ade9dbc2fecd9dc3d8bbdea69a39942566e474ce735a20e2db186324a7d3a57a65f88ac7d537a33157d591873b604e
-
SSDEEP
1536:BnMFtQWcGKf6kVxQP+2ydbc7YzNSoNSd0A3shxD6K:eEG6Exya7YzNXNW0A8hhz
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambgef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daconoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceehho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdcjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqijje32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqijje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daekdooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdmod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcijeb32.exe Key 
created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbpaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgbfocc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcijeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beglgani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbplc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odocigqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkcpbam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqpqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofqpqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnneknob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhohlbj.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcknmop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhdil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdbiedpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmnoi32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3244 Ngdmod32.exe 1732 Nnneknob.exe 3216 Ndhmhh32.exe 4012 Nfjjppmm.exe 4540 Olcbmj32.exe 4388 Ocnjidkf.exe 2060 Ojgbfocc.exe 1708 Opakbi32.exe 2092 Ogkcpbam.exe 2184 Oneklm32.exe 4588 Odocigqg.exe 1780 Ofqpqo32.exe 992 Olkhmi32.exe 4208 Odapnf32.exe 4072 Ofcmfodb.exe 4140 Onjegled.exe 800 Oqhacgdh.exe 3236 Ofeilobp.exe 1704 Pmoahijl.exe 1600 Pcijeb32.exe 3408 Pjcbbmif.exe 1952 Pfjcgn32.exe 1668 Pqpgdfnp.exe 2016 Pgioqq32.exe 4020 Pncgmkmj.exe 4032 Pqbdjfln.exe 4036 Pgllfp32.exe 1936 Pjjhbl32.exe 1212 Pnfdcjkg.exe 432 Pqdqof32.exe 228 Pdpmpdbd.exe 2708 Pcbmka32.exe 4328 Pfaigm32.exe 464 Qmkadgpo.exe 448 Qdbiedpa.exe 2012 Qceiaa32.exe 1168 Qfcfml32.exe 3768 Qnjnnj32.exe 4684 Qqijje32.exe 4560 Qcgffqei.exe 1332 Ampkof32.exe 1480 Acjclpcf.exe 2868 Afhohlbj.exe 4092 Ambgef32.exe 1588 Agglboim.exe 4056 Afjlnk32.exe 3784 Amddjegd.exe 3300 Aeklkchg.exe 2312 Ajhddjfn.exe 3948 Aeniabfd.exe 2948 Afoeiklb.exe 4760 Aadifclh.exe 3604 Bjmnoi32.exe 4592 Bagflcje.exe 392 Bcebhoii.exe 4112 Bjokdipf.exe 2128 Bgcknmop.exe 4924 Balpgb32.exe 3148 Beglgani.exe 3952 Bfhhoi32.exe 804 Bmbplc32.exe 944 Bhhdil32.exe 1388 Bmemac32.exe 5072 Belebq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dpmdoo32.dll Ambgef32.exe File opened for modification C:\Windows\SysWOW64\Opakbi32.exe Ojgbfocc.exe File opened for modification C:\Windows\SysWOW64\Qnjnnj32.exe Qfcfml32.exe File opened for modification C:\Windows\SysWOW64\Ofeilobp.exe Oqhacgdh.exe File created C:\Windows\SysWOW64\Qcgffqei.exe Qqijje32.exe File created C:\Windows\SysWOW64\Jekpanpa.dll Ceckcp32.exe File created C:\Windows\SysWOW64\Jbaqqh32.dll Oneklm32.exe File created C:\Windows\SysWOW64\Pcbmka32.exe Pdpmpdbd.exe File created C:\Windows\SysWOW64\Hfanhp32.dll Cjbpaf32.exe File created C:\Windows\SysWOW64\Hpnkaj32.dll Ddjejl32.exe File created C:\Windows\SysWOW64\Ekphijkm.dll Pjcbbmif.exe File created C:\Windows\SysWOW64\Kofpij32.dll Beglgani.exe File created C:\Windows\SysWOW64\Ceqnmpfo.exe Chmndlge.exe File opened for modification C:\Windows\SysWOW64\Pjcbbmif.exe Pcijeb32.exe File opened for modification C:\Windows\SysWOW64\Ofqpqo32.exe Odocigqg.exe File created C:\Windows\SysWOW64\Pcijeb32.exe Pmoahijl.exe File created C:\Windows\SysWOW64\Jdbnaa32.dll Qqijje32.exe File opened for modification C:\Windows\SysWOW64\Balpgb32.exe Bgcknmop.exe File created C:\Windows\SysWOW64\Daekdooc.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Ocnjidkf.exe Olcbmj32.exe File created C:\Windows\SysWOW64\Ojgbfocc.exe Ocnjidkf.exe File created C:\Windows\SysWOW64\Afhohlbj.exe Acjclpcf.exe File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Akichh32.dll Bjokdipf.exe File created C:\Windows\SysWOW64\Beglgani.exe Balpgb32.exe File created C:\Windows\SysWOW64\Eifnachf.dll Cmlcbbcj.exe File created C:\Windows\SysWOW64\Ndhmhh32.exe Nnneknob.exe File opened for modification C:\Windows\SysWOW64\Pmoahijl.exe Ofeilobp.exe File opened for modification C:\Windows\SysWOW64\Pgllfp32.exe Pqbdjfln.exe File opened for modification C:\Windows\SysWOW64\Ampkof32.exe Qcgffqei.exe File opened for modification 
C:\Windows\SysWOW64\Acjclpcf.exe Ampkof32.exe File opened for modification C:\Windows\SysWOW64\Bmbplc32.exe Bfhhoi32.exe File opened for modification C:\Windows\SysWOW64\Nfjjppmm.exe Ndhmhh32.exe File created C:\Windows\SysWOW64\Pjcbbmif.exe Pcijeb32.exe File created C:\Windows\SysWOW64\Odaoecld.dll Pgllfp32.exe File opened for modification C:\Windows\SysWOW64\Belebq32.exe Bmemac32.exe File created C:\Windows\SysWOW64\Ceehho32.exe Ceckcp32.exe File opened for modification C:\Windows\SysWOW64\Ojgbfocc.exe Ocnjidkf.exe File created C:\Windows\SysWOW64\Cfmajipb.exe Belebq32.exe File created C:\Windows\SysWOW64\Bjmnoi32.exe Aadifclh.exe File created C:\Windows\SysWOW64\Qceiaa32.exe Qdbiedpa.exe File created C:\Windows\SysWOW64\Djnkap32.dll Qdbiedpa.exe File created C:\Windows\SysWOW64\Gokgpogl.dll Qceiaa32.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Mnodjf32.dll Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Qfcfml32.exe Qceiaa32.exe File created C:\Windows\SysWOW64\Bkjpmk32.dll Aeniabfd.exe File created C:\Windows\SysWOW64\Ooojbbid.dll Afoeiklb.exe File created C:\Windows\SysWOW64\Deeiam32.dll Pgioqq32.exe File created C:\Windows\SysWOW64\Dbagnedl.dll Pncgmkmj.exe File created C:\Windows\SysWOW64\Pgllfp32.exe Pqbdjfln.exe File created C:\Windows\SysWOW64\Mjpabk32.dll Pfaigm32.exe File created C:\Windows\SysWOW64\Ampkof32.exe Qcgffqei.exe File opened for modification C:\Windows\SysWOW64\Ambgef32.exe Afhohlbj.exe File opened for modification C:\Windows\SysWOW64\Afjlnk32.exe Agglboim.exe File created C:\Windows\SysWOW64\Halpnqlq.dll Pmoahijl.exe File created C:\Windows\SysWOW64\Ofqpqo32.exe Odocigqg.exe File created C:\Windows\SysWOW64\Odapnf32.exe Olkhmi32.exe File created C:\Windows\SysWOW64\Daconoae.exe Dkifae32.exe File opened for modification C:\Windows\SysWOW64\Ogkcpbam.exe Opakbi32.exe File opened for modification C:\Windows\SysWOW64\Pnfdcjkg.exe Pjjhbl32.exe File created 
C:\Windows\SysWOW64\Qgppolie.dll Ofeilobp.exe File opened for modification C:\Windows\SysWOW64\Pqbdjfln.exe Pncgmkmj.exe File created C:\Windows\SysWOW64\Pjjhbl32.exe Pgllfp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3508 2112 WerFault.exe 163 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjhbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncgmkmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oneklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odapnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmkadgpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfcfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjlnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoeiklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbpaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opakbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqpqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amddjegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbplc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjjppmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjcgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglboim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Pmoahijl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfhhoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkifae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcbbmif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbiedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeklkchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beglgani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceckcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbdjfln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqijje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjclpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bagflcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcebhoii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqnmpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkcge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgbfocc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocnjidkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odocigqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcijeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampkof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeniabfd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnneknob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdpmpdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmlcbbcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfdcjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhohlbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfaigm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjegled.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhacgdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofeilobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qceiaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daconoae.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll" Olcbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdmod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofeilobp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjokdipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odapnf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll" Ogkcpbam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnjnnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll" Nfjjppmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgbfocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll" Pfaigm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfhhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daekdooc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkhmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" Qceiaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhddjfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagflcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceqnmpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll" Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcgffqei.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agglboim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll" Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqpgdfnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll" 562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll" Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhddjfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjokdipf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqijje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll" Pfjcgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcijeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beglgani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll" Cfmajipb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olcbmj32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll" Oneklm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4296 wrote to memory of 3244 4296 562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe 83 PID 4296 wrote to memory of 3244 4296 562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe 83 PID 4296 wrote to memory of 3244 4296 562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe 83 PID 3244 wrote to memory of 1732 3244 Ngdmod32.exe 84 PID 3244 wrote to memory of 1732 3244 Ngdmod32.exe 84 PID 3244 wrote to memory of 1732 3244 Ngdmod32.exe 84 PID 1732 wrote to memory of 3216 1732 Nnneknob.exe 85 PID 1732 wrote to memory of 3216 1732 Nnneknob.exe 85 PID 1732 wrote to memory of 3216 1732 Nnneknob.exe 85 PID 3216 wrote to memory of 4012 3216 Ndhmhh32.exe 86 PID 3216 wrote to memory of 4012 3216 Ndhmhh32.exe 86 PID 3216 wrote to memory of 4012 3216 Ndhmhh32.exe 86 PID 4012 wrote to memory of 4540 4012 Nfjjppmm.exe 87 PID 4012 wrote to memory of 4540 4012 Nfjjppmm.exe 87 PID 4012 wrote to memory of 4540 4012 Nfjjppmm.exe 87 PID 4540 wrote to memory of 4388 4540 Olcbmj32.exe 88 PID 4540 wrote to memory of 4388 4540 Olcbmj32.exe 88 PID 4540 wrote to memory of 4388 4540 Olcbmj32.exe 88 PID 4388 wrote to memory of 2060 4388 Ocnjidkf.exe 89 PID 4388 wrote to memory of 2060 4388 Ocnjidkf.exe 89 PID 4388 wrote to memory of 2060 4388 Ocnjidkf.exe 89 PID 2060 wrote to memory of 1708 2060 Ojgbfocc.exe 90 PID 2060 wrote to memory of 1708 2060 Ojgbfocc.exe 90 PID 2060 wrote to memory of 1708 2060 Ojgbfocc.exe 90 PID 1708 wrote to memory of 2092 1708 Opakbi32.exe 91 PID 1708 wrote to memory of 2092 1708 Opakbi32.exe 91 PID 1708 wrote to memory of 2092 1708 Opakbi32.exe 91 PID 2092 wrote to memory of 2184 2092 Ogkcpbam.exe 92 PID 2092 wrote to memory of 2184 2092 Ogkcpbam.exe 92 PID 2092 wrote to memory of 2184 2092 Ogkcpbam.exe 92 PID 2184 wrote to memory of 4588 2184 Oneklm32.exe 93 PID 2184 wrote to memory of 4588 2184 Oneklm32.exe 93 PID 2184 wrote to memory of 4588 2184 Oneklm32.exe 93 PID 4588 
wrote to memory of 1780 4588 Odocigqg.exe 94 PID 4588 wrote to memory of 1780 4588 Odocigqg.exe 94 PID 4588 wrote to memory of 1780 4588 Odocigqg.exe 94 PID 1780 wrote to memory of 992 1780 Ofqpqo32.exe 95 PID 1780 wrote to memory of 992 1780 Ofqpqo32.exe 95 PID 1780 wrote to memory of 992 1780 Ofqpqo32.exe 95 PID 992 wrote to memory of 4208 992 Olkhmi32.exe 96 PID 992 wrote to memory of 4208 992 Olkhmi32.exe 96 PID 992 wrote to memory of 4208 992 Olkhmi32.exe 96 PID 4208 wrote to memory of 4072 4208 Odapnf32.exe 97 PID 4208 wrote to memory of 4072 4208 Odapnf32.exe 97 PID 4208 wrote to memory of 4072 4208 Odapnf32.exe 97 PID 4072 wrote to memory of 4140 4072 Ofcmfodb.exe 98 PID 4072 wrote to memory of 4140 4072 Ofcmfodb.exe 98 PID 4072 wrote to memory of 4140 4072 Ofcmfodb.exe 98 PID 4140 wrote to memory of 800 4140 Onjegled.exe 99 PID 4140 wrote to memory of 800 4140 Onjegled.exe 99 PID 4140 wrote to memory of 800 4140 Onjegled.exe 99 PID 800 wrote to memory of 3236 800 Oqhacgdh.exe 100 PID 800 wrote to memory of 3236 800 Oqhacgdh.exe 100 PID 800 wrote to memory of 3236 800 Oqhacgdh.exe 100 PID 3236 wrote to memory of 1704 3236 Ofeilobp.exe 101 PID 3236 wrote to memory of 1704 3236 Ofeilobp.exe 101 PID 3236 wrote to memory of 1704 3236 Ofeilobp.exe 101 PID 1704 wrote to memory of 1600 1704 Pmoahijl.exe 102 PID 1704 wrote to memory of 1600 1704 Pmoahijl.exe 102 PID 1704 wrote to memory of 1600 1704 Pmoahijl.exe 102 PID 1600 wrote to memory of 3408 1600 Pcijeb32.exe 103 PID 1600 wrote to memory of 3408 1600 Pcijeb32.exe 103 PID 1600 wrote to memory of 3408 1600 Pcijeb32.exe 103 PID 3408 wrote to memory of 1952 3408 Pjcbbmif.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe"C:\Users\Admin\AppData\Local\Temp\562e8a7536992f9fad774c96a5f3d0c94cf986475a2e23bf87c39208460ac499.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4036 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:228 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4684 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4056 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3300 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4592 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:392 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3148 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe66⤵
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe74⤵
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe75⤵
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe76⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe82⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 39683⤵
- Program crash
PID:3508
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2112 -ip 21121⤵PID:3264
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
55KB
MD576b50aa18b4ccac6f004010f7510a9ef
SHA1d628085184706d6c6ed686d992eca5fd31de12b6
SHA25687ed21893a321c02fea6394e433aeba00258b80f92f98a078a3b04ed8b0ed585
SHA512584748f053fe42ebdb906c93385014927519819cf0f7c993cd0dae0b673840af2df530b197421321395ec3488ae71da2be2a7d0bd93d04ebb778c4b438b8eeb2
-
Filesize
55KB
MD56981e0f5225495e27747acd70ede2bee
SHA1d8e9921e2be24e0c456f9d9f712e7db8558d6429
SHA2564844e436302de236159fdc1304a02ad30ca406b1bfcd0deacfe79941a274c470
SHA512bd0c35667f22203f5dfe59c24df4913022b18840af5adde511c8fb17beb21aeb228f7dbc4c042d1235f37cecf047d1cb32189fd4df85bc328fe58bd76bb0fe09
-
Filesize
55KB
MD5a8b38204464acfea637a5d0cf4f5bb15
SHA1dafd8b05763a5f0a00ad9b38a0d7afefc26d5b40
SHA256af8464d2253b2b9e0109c84ae98c549b481f225ee1015b1e1e8bf24db4e95033
SHA512d8887b1d62f9f6e6f9be22f583ee72bdfe64b02a4a9e2d2ff4e5da80e086251e31c678be3c35aeae6a3ea1921e07e9b1ea4f6885208cafeb1930063d4e94098e
-
Filesize
55KB
MD57b12a01e7da416961269fbd5d56eeef4
SHA16d109f3352beda1eabd15a430fae96b463df058c
SHA2565f531d7292ec86c509b2b519a52f4485d3042b82426331cc85519e130a9270f5
SHA51250ea5751cc92bdb7ac95291cf5bd22cc34c933c1376704d3577b9c95702ddb0a74119e493521b14deeed4cdadbe429c26cf2fcca29787b8fc35ea40f687d0f37
-
Filesize
55KB
MD55cc0630480a0d19fc8f71a78e61fe0a6
SHA1173b964fae46fc5e7d44d2f3ec11e03f22166810
SHA256368414a8373569e9ac2508410770e498a4252a369e24d8340788e01377d668b5
SHA51238ed69c4c9d0f540ee993a1260772666d50ef2193d4ee2b43c099b80cf1546900347685565d7b30d378391d3999525bb8fbb665336f8ac949eadc31e652072bb
-
Filesize
55KB
MD5ae1f2fe44ac0ee4989685865c803b85f
SHA169a21205e4df9560e1368a4db9d1eaaa5d36767e
SHA2561c5eef2688522d11995185e082b337e0ae61dcaa0d395e1d83da70c8db16f743
SHA5127233cd80fcb1674a919c70c2ae02f4e2e83bc98c49b5d2869f7c689cc15e9e02e3b54153ded93a039f22f2b889b61dbd955000d142291f56951399b873c0a147
-
Filesize
55KB
MD52159adbb30b2d9763a4e1373909440a3
SHA18220afc7f40dd5130be4671f2553e56d05f74e16
SHA256bcf2482bc87629bb5276fe003f815f4e1581efa17ef9eff39bc67e7187d8160c
SHA5123ac5c825d1524eb5c9cf47d6ede6d292f35474b5e0b5fd84c8c14af1bb630e484d9441173db2ff809a9fadc00fad65d6685e34c5ee986a3b470aff21f8841cef
-
Filesize
55KB
MD591588a7f76c6b632cb523c813aabaf02
SHA18eb072bbeac4dbe1826b9d444cea8dbc5b071593
SHA256f35996b1fdfc29979bce08228654477afbacb0be255fc1b7e3ee9ca8b8040e1d
SHA512db1a008e3fc42f1b448bcc4f82cbfbfe564e95ce4516362fa58027228e7003f45d4b03a8da8b80372e9ff0461a00e42d51463093c3c890cdf2871c76a3e21caf
-
Filesize
55KB
MD5fa92a7b37839f404cc7dc019da74857d
SHA1fe1c707cd6633db8ceb5ca4111ef4346514030e0
SHA25610d9b2fc875e64c15515bcce94706184fe36bbb41498bf20916c40181d7ac500
SHA512f685c56c412a6ce1612b3ae61d5be97ae956908d6f7cac501f9743aa2f772ad080e93b5d7bbdf9de732c0cbbc2d5ec2aafcb1db0c00574ba2a9dc65f96aeacd9
-
Filesize
55KB
MD516278eae22fdbc06a80375505c1b0997
SHA1d2ffa3ec764a08b1a16b71b54922f5070951348d
SHA256223d7489a32508705ee44762ee232819e0c31ad2bdc599cc6b983e9d359f7702
SHA51293753bb3829d47a3bb19243fdfb4da2eabfec455a29c44ad210ee69b3d8d157e5ed1d5dc5b5e736beec32c648dd8553dc4aea785ff77a256ace225d593aee844
-
Filesize
55KB
MD5f583f9e7b90fb10548196e8d6424ee30
SHA147fbf9008045069ac988c98db78f91428252bce0
SHA2566ea0dc89657151149bdae5b53b75f8d36304675820f392dcae62a3414d3743d0
SHA512e192daf3a969bd762854be33e666805b5e7d4454501bb231806e5f69e003c7bd99b789a2a5caf9219ec009aecf11bc71f78a881d8227514d9b1032452b5b81f6
-
Filesize
55KB
MD569a574886e3c75700bae688b8bd4516f
SHA195c2ca6aff2d19c0e9bad5242152e97f654e5a53
SHA25631b536f05f6a0a55993f757c9c1501aff888085b5ff8891f31394c7d5eb11985
SHA5123b81c1e39b3b414fb77ff1e2c8c422ebbb335944f60fdc555346c6fa4c15f7eb0141f4bc179a34ab4d04ba2030a9e96be33543aa89097f96185e0004fb69e7ef
-
Filesize
55KB
MD5fd1520260c59934daca1aad737da13df
SHA169881cf1c10c94b50aabb76f36b3dc2cb92c82cb
SHA2568d422c417b975d32519d39cbd96605b8e51a2fb70bda1813fa307d58a0c37870
SHA51245b8802fc4279a2dd39013b04cb242cfa3f0d3c3a25926362003ace9347eef995f1e85df6308e9c63bf63e8031e0a41002e8efd19465cb226fa0f5441767d40f
-
Filesize
55KB
MD56106283d2b7ff6f6ffcea1bdafd13afd
SHA1ee8ed428f4b7aef089d7d9d72fb469af72387a97
SHA25625c417dde458a967df3137c0bca5a084a81fe35f9a1db93d61525ee9883aabeb
SHA5129c42cbdd5ebed0e81a694b55b2e91c037d8cf1782c1caafce0ae4d31503228b455b0068dd0e1971a1efc03e5962a40548ee70e0147f98d22adcd90cf4cc6879e
-
Filesize
55KB
MD5de1b9e30b33c41ae1d3a36656c117955
SHA133105eeaac250db56d70b0cc285c123b3a473508
SHA256e1350f09403fc4b35c0d8c0ca9e6c8bd7b12bbd1d508a1f4794475edb0d52328
SHA512a7d568c3649469d2d6201d292f8ee62f10e2f1e4311a308b73ca58bf1865d8055234b184ea7573a83fd490bb0861379cc7ad53896f939b85dc6905889e3ba9e3
-
Filesize
55KB
MD539eca305b8e9ab6bc12b848e96d440c6
SHA162439f398b23cf933bac63c17b24927398f543c3
SHA25694f187855e5be5f86a35bb60ed1fea6fa69742ad241dde8a0ed2880b2129ff3d
SHA512f5a605c978cfb8814b32c77917183542ffa1f9e217c9a96f4969f0d7a3621dbeb8ace2fe7929beed8c9aa660ee0e7536252530dfd3991ce03a9b6ec18b5d727c
-
Filesize
55KB
MD51d7897488d9f61722e047acb4974d6e0
SHA1d837d5796c5ee936623fd4c56dfe2910be7fd6d8
SHA25617f6b4006aff99fef249caa101c87a236bc0dc9594b2b60a177e0332416d51c8
SHA51266cd90781d6a35c482768ca9a64d6bd5c313b277772360379fbb7a359e4a62e85b26a6dd1b39ad8d9575207f08f34e2c9d258db5bfab896bff08cd8716be7a55
-
Filesize
55KB
MD51ee28e447f19d3eb1224386e7d5920a9
SHA14a304729771598a5e18c6071f02ed2a4866aae2a
SHA256a5599252313331b0267cc2d4d5f03f0b27299b1d5bda86c09437eba644d49716
SHA51207d5a8b90f708b7ee3daf5bd41261ec3a1cda8b07d074478cb6c0f63f7222d5946879535490cbfd55ff31231e23268c74fbfd1f109227130e234466304ab6ae9
-
Filesize
55KB
MD51d96e6d211b925f923ed27027f6d038c
SHA1e312de66ceb97a44b871682a0358afa1adb8f4ea
SHA2568cd677ad9c92a2e69ea6e0f1bd008f21fdc50cb6c79fa625508a4e80bb04c10b
SHA512e3c8839ad6357b8236e9e8b3f36c1bd721913ebd7ef793fcf44f5fc7ab752598a0a891e79b0a45bdff6c6870b61485aa250dde12d550318c0ac8b8d66ab15aeb
-
Filesize
55KB
MD57430db3531f1535434a360d22eed8845
SHA1a6cae609a25d567a57d0b066740f5e8e3eb23e64
SHA256a7a88ea434f0a7296e39abb62ea9ca7ce737b5cacde30c7ddaf43ff32a259475
SHA5125253b591576f906a0140e4a7d704183e7f65fa2e98cf0e698a4e7960c05575116e194274b62c47e0ad6ff5337f27b00839fadcf6de3db8d224d3016637452d6a
-
Filesize
55KB
MD5c74a3c1d261035a52aa7544d63f4462d
SHA188a450aef6a55ef96fa36013d3a2e1234da6239c
SHA25648447518697b7b92643b4a4e2d530692a2d3be48b9511465f21908aba415f227
SHA5123ad4f66b239695a66dac79fb7bd26f5743fcc1cbd20a384acddbe55f87f10bd6e429f4ee2f223f0e1ba8f98adb0b5d7218b4059bd3d06e3a6f1305cfc5d77456
-
Filesize
55KB
MD5a0398a3eda3aa7d36999a723fedacfcc
SHA18f00bcecde3895b8701091e37787f4d43eb8a455
SHA256878d19e4e58b86f383e659bb0e405287b1433aa32ede19e6813e2749b7677783
SHA512dfa44d7c36b5b235a4354fa6e8fafc0b3a50f0495371475161cf6e78c1a11fd58d83deb8fee2a7d24be06f9574ee878fc68d919ecd5397feff95827248a140d4
-
Filesize
55KB
MD588b5d558fe8ca14e26208dd2ec5f1a54
SHA166717de81bb06990f9d9ea22efe26d373e020989
SHA256cbe33441309ddc732b45b6b81b635c9294cfd7efa604a41ae61cd314ae41d077
SHA512290b782bb805466a2f05c4390b86feb054adc8240c423dba6487e8502757e1c44108976bf4e9f53dfc64ce3116e73b933786a3d6ce9f4185688ce34e0338eb5f
-
Filesize
55KB
MD5f220381fb27684446a7a5678892f29dd
SHA186b7ed3c32c4487e64f62d8da8875e6f3a43aa26
SHA256d7cb56336cc748676fc17ea6e0bec927c0b5512835211777183056e2a7800825
SHA51212d48f3d7a6842f95841e0248675994e0ba724d4ff5b51ecac7ad8232f85ffd852589a6abc29265f70347c3c8410c7e5d74a2b5f1b75d556c881caef43f73c33
-
Filesize
55KB
MD5f799c9ffb29bb0998e0a9211fce1c817
SHA1e236a74cc8f191296dd41a5781ac0a92cf17187a
SHA25637366dab8506b398c545fbdd311d2fcf6befaafcf250249e062143a3dc2a6fca
SHA5121345a997d1acedf647945de504452a477babdfb41c146ffaab849f3c128ef0b2ae2d4c592b66a0134c66fddda6f3d7de6381e8a3fcceae64320ff7c13e7dbbc3
-
Filesize
55KB
MD5304c7272d897c80f1c03d3e62a2f338a
SHA1191ad5b16b49c0e5826399d87473a924c204b4f0
SHA2568ebb23a45598a3293ae7dc3834b8070db6616a9f40c994e5b57d024fd03f4c41
SHA5121980a4e47f9a1bb3ee2ae57dbbaf9aa8231545307e55040664e5c89819de59c8671514793b6cdc3d3cbfe3dfb5b64d7925bba895d1815db80458f126ca672ac8
-
Filesize
55KB
MD51cafc98f58f3fae6e6aadcf57cb7cfe9
SHA17581ad50d714704255d3477501e54efb9dbceff0
SHA2566304ddd2160349bc45012e58ca245947569deafd47df0f87bd3fcb12f13b5ca6
SHA512bbdce3d828168d34e15ee3bf0fa21a4eb5992aec6cfe4a868c0a2f7dc302cafe38c39b00aac9d65194b37b360782be71805ac039cdac7d2dc66f9dae28e71d8d
-
Filesize
55KB
MD5c2dfc373f25f93fb9a452e1eb085145c
SHA10569abd287ba57db08aece92c7e28269b7770f43
SHA2562fb5eba91fef62440520ffaf34b6e06cbbf79f30e68819348d1296e17369a1f1
SHA512633e1315fe65bc00cfe41f7b22a49e7cf563a492c3736f1a6bf973b3a1bfd7ad18c2605ef5459dc8806d18ed109f2ab77221f0cf0bbd5ad5b198f8f8eb3499a2
-
Filesize
55KB
MD51daed21f321b347ba107286ea584a071
SHA1a3640970d89d000913a8eb89d3b4ec72b5752ad9
SHA256172f592b41061e92a683e2d8d6a4afb0f123817da5c64bf517edb87b8f78eeaf
SHA5122f27fa6fdf61cc6aeee7bc5a2d184cd2d601c7e25505796a912226a2f413b33ef5820238fe5632dd5fd2ac34dec82fab50419a157ac2b5e11b0d36e674490c67
-
Filesize
55KB
MD5703694c537b0668ffecbcb603c60d104
SHA1da06e5a3cf44e23b3c4c3aa4a82688f757b13f5f
SHA256115c39538cc58beb5a59a53817d6eec8c3ab8dcf219ad7bc12afcf543715d83e
SHA5123b26e5407f3e3f69d650fde5c3f4821c6ee48e2a8d13f32d452de327d47bb241c7cab51815155ca83f2eecaf43eeb3336d0a2165400896c831353344864c84fb
-
Filesize
55KB
MD5 cdee68ecf832a70ae98273136c5db2fe
SHA1 e134b320344b862acb5589eda1424c660b6633b7
SHA256 6473d39a08ad90d1a216b07f9a3a888f08cf365322e7b5928a77210ef8bda2ba
SHA512 9f119fe8b12c9d512e4867d556a48eb1d1ccf022972b0e32910888e0ef0030fd17cfd73fa89aa9dc2c80d8cb00c9e32ccf7903ad62a98aaaa1091c498ddd046f
-
Filesize
55KB
MD5 8f4f1c3f113619694759557266dbde58
SHA1 08de8b43362aa6c8a7d03b69c066076ac2df7e4d
SHA256 3edaad27fb416d9417b29a300b6a5cf6becffb1235994fbc886bc6362002043d
SHA512 8df973eeb852590602181b4cd60c7971473f20b401ffa207d8b74e83037f74f96a2631132e2876deb7e50e9dfbda6bd8b9a1683a392f433367aa532e44a2edb2
-
Filesize
55KB
MD5 a1187aea8704eac8a0a8156dabdb7e70
SHA1 0ac4264a46ec578c4e71db3a44a24679a73e7bc0
SHA256 edb08f21b6c506e81d154c1087274f17dd3281e693f4eda9fd93bc10e8050e3d
SHA512 a812628a0aaf61a746b41a9ff4e2348972499ad551bf7b9c07b395fc2e3b6a2e8c2f8cca6d6e81f45f3f8f132323633a29885ee3c50ea4d6dcb1a857ebc788cf
-
Filesize
55KB
MD5 8e0ecccab1ea12f2d2b44a32265a1700
SHA1 6b55574b24fbb663aa8c4053d81ae97a4d0533b7
SHA256 6cefdb61ca1d19d6310fe1c476a3c52a1c1e55ffbcba2095703c517f4e2813ec
SHA512 1341023b8bc655e43350b2211e56e0c721fb427fba1907e252105d4c8f32d7afd007226f453cdf26c440e1be65873cd7cca29661866809f3caf9473df7c85eec
-
Filesize
55KB
MD5 454b973984b124174a8982ba716411e3
SHA1 19362d14a105873afc9f4cc23268bc321ef0e059
SHA256 2cd16c672c65d4fbd5f8390f660768b7f94f365079028c724c48ef67b61cafc3
SHA512 0e8594b87291b32da2827353113e9d29037623ead045f63d30d39d5fba63d7c3842dc50b15b862a10b6f06f711e4ae5864fd4bb3f7576c6c1fa3fe383905e2fd
-
Filesize
55KB
MD5 4b9ace2f7323798cf1ca6787ec3a9a3f
SHA1 5a483365a31438f5caaa555b4f8fb131240ab918
SHA256 1f77c4eef5bd9cf114cf1c69a35a91bf1bae273b98a9acd0b3556227bbf6387e
SHA512 c3d7a59c5f972e497e15c6d0c6cc46d9bfaedc11b3b30ddccc4bc0363c622102769be42526e30e534e47588603e10cdb53c63e1dbd9acd2ad7720268a9bf224c
-
Filesize
55KB
MD5 e50c961394f8ec7e2dd7661c7dda520d
SHA1 c55bdcd8e9b0f665595ca45b6c75d1043650b49f
SHA256 440a18109c37d57b528f257e78598b49a10b48136a65c4457ca7efa844258f0e
SHA512 c4756343467f02f195c6faf8024ce17c46e53f1a11d77f2cf4f76a19a4f3ccac38d3ab8f1ab3bf8c8e023c23fe803c067349a037d62c66d7bc7c702929da4dfa
-
Filesize
55KB
MD5 ebc41c73792c16f87d7871fe38db2161
SHA1 c70d0c130e56334d492c4f463a1896944fcd111e
SHA256 aa1858dbae789bf0bc0df46f97fb146bc7dbcd303a2500ec415cb7de25dac7af
SHA512 ae1c32113d55e4662f9951ee460d1b8e98e2ca24aec9a85fc424eb37d334ed25ed403e8560968d1c06c0849728bfb40ef33eee3fffce829f9e11cd94005e8d0c
-
Filesize
55KB
MD5 74a84aba929cee1c0dd2d475e989b4d4
SHA1 d7c9389bc498b6c0e61a787599066e85ed574c30
SHA256 ac74c103c0766c77655c809ad12246fb5a15384c13e9ad864780b21879ca1d65
SHA512 69fcf16020ab1a4a311c445a00fe54095515945c79b36d51c6a5bdecff1e9944533b9e84e743e6b115f0e46d52ae5a0bb629fc4a718b1c545e6324658f97d0f3