Analysis
max time kernel: 94s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 20:56
Static task: static1
Behavioral task: behavioral1 (sample 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe, resource win7-20240903-en)
Behavioral task: behavioral2 (sample 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe, resource win10v2004-20241007-en); the platform and resource lines above identify the results below as this run
General
Target: 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe
Size: 96KB
MD5: 8a8dac66ee82f2a53d6ed181cd0fc9ba
SHA1: cd2423566fe2e0b8d7830b9e5d0d81e6094e9fd0
SHA256: 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684
SHA512: a78ade0cda2315f73c2a93d420db988e67d258401da1b2e2ce7ea8f01610f344d1b630801a302155d2e10ad5bf08a88c84f36d6e1bbed2c8a92b2fd6955d5464
SSDEEP: 1536:zjyesN0FugpMcHHpE2Ve5cxuLeWZnFto3STX7fjnLvz3b/DHrP7fjnLCWS+sOK2g:6esN0XpzE3XLeWZFKCTX7fjnLvz3b/Da
Malware Config
Extracted family: berbew
URLs from the extracted configuration:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The host component is the literal "f" as extracted, so these are useful as URL-path patterns (wcmd.htm, ppslog.php, and piplog.php with a printf-style query template that the bot fills in at runtime) rather than as domain indicators.
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) holds CLSIDs that Explorer.exe instantiates when it starts, so the DLL registered as that CLSID's InProcServer32 is loaded into explorer.exe at every logon. The value written here is only the CLSID; the DLL path is set under Classes\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (see "Modifies registry class" below). The WOW6432Node path reflects the 32-bit sample running on the x64 image.
description ioc Process (64 rows, grouped by identical ioc)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (32 rows), written by: Pdpmpdbd.exe, Afhohlbj.exe, Cjpckf32.exe, Dkifae32.exe, 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe, Cfpnph32.exe, Ddakjkqi.exe, Qmkadgpo.exe, Bnpppgdj.exe, Dejacond.exe, Deagdn32.exe, Doilmc32.exe, Qmmnjfnl.exe, Ajkaii32.exe, Cdfkolkf.exe, Daconoae.exe, Bnkgeg32.exe, Anmjcieo.exe, Bjokdipf.exe, Cndikf32.exe, Daekdooc.exe, Bmkjkd32.exe, Bfhhoi32.exe, Pfaigm32.exe, Bapiabak.exe, Djdmffnn.exe, Agjhgngj.exe, Cdabcm32.exe, Calhnpgn.exe, Dfnjafap.exe, Aeiofcji.exe, Amddjegd.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (32 rows), by: Acqimo32.exe, Daekdooc.exe, Cdfkolkf.exe, Dfpgffpm.exe, Dddhpjof.exe, Qmkadgpo.exe, Acjclpcf.exe, Aeiofcji.exe, Bffkij32.exe, Qfcfml32.exe, Cfpnph32.exe, 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe, Qnhahj32.exe, Aqncedbp.exe, Dknpmdfc.exe, Balpgb32.exe, Ampkof32.exe, Cnnlaehj.exe, Bnbmefbg.exe, Dkifae32.exe, Anogiicl.exe, Bapiabak.exe, Qgcbgo32.exe, Bhhdil32.exe, Caebma32.exe, Pfaigm32.exe, Cdabcm32.exe, Ceehho32.exe, Dogogcpo.exe, Chokikeb.exe, Cffdpghg.exe, Qcgffqei.exe
-
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process
2964 Pdpmpdbd.exe
3904 Pfaigm32.exe
4896 Qnhahj32.exe
2032 Qmkadgpo.exe
2292 Qdbiedpa.exe
4764 Qceiaa32.exe
1464 Qfcfml32.exe
3772 Qmmnjfnl.exe
3560 Qcgffqei.exe
4656 Qgcbgo32.exe
208 Anmjcieo.exe
4056 Ampkof32.exe
3704 Acjclpcf.exe
4812 Afhohlbj.exe
2240 Anogiicl.exe
4840 Aqncedbp.exe
3748 Aeiofcji.exe
5116 Amddjegd.exe
4804 Agjhgngj.exe
3688 Acqimo32.exe
1564 Ajkaii32.exe
3156 Aminee32.exe
2488 Accfbokl.exe
4172 Bfabnjjp.exe
2900 Bmkjkd32.exe
652 Bcebhoii.exe
3040 Bjokdipf.exe
1496 Bnkgeg32.exe
3548 Bffkij32.exe
2784 Balpgb32.exe
2112 Bcjlcn32.exe
2960 Bfhhoi32.exe
1640 Bjddphlq.exe
5088 Bnpppgdj.exe
4148 Banllbdn.exe
3092 Bhhdil32.exe
1400 Bnbmefbg.exe
3756 Bapiabak.exe
3972 Cfmajipb.exe
3732 Cndikf32.exe
2512 Cabfga32.exe
4128 Cdabcm32.exe
4072 Cfpnph32.exe
3044 Cnffqf32.exe
2128 Caebma32.exe
2172 Cdcoim32.exe
2460 Chokikeb.exe
2884 Cjmgfgdf.exe
2092 Cdfkolkf.exe
2204 Cjpckf32.exe
4280 Cajlhqjp.exe
1692 Ceehho32.exe
3680 Cffdpghg.exe
3760 Cnnlaehj.exe
5084 Calhnpgn.exe
220 Ddjejl32.exe
3180 Dhfajjoj.exe
2824 Djdmffnn.exe
4424 Dopigd32.exe
3500 Danecp32.exe
4788 Dejacond.exe
2020 Djgjlelk.exe
4868 Dmefhako.exe
936 Delnin32.exe
-
Drops file in System32 directory 64 IoCs
description ioc Process (64 rows; every path is under C:\Windows\SysWOW64\). The pattern is one module dropping the next .exe in the chain plus a .dll that it later registers as the SSODL COM server (e.g. Qnhahj32.exe creates both Qmkadgpo.exe and Mjpabk32.dll).
File created (39 rows):
Qgcbgo32.exe   Qcgffqei.exe
Bhhdil32.exe   Banllbdn.exe
Caebma32.exe   Cnffqf32.exe
Mjpabk32.dll   Qnhahj32.exe
Jekpanpa.dll   Cajlhqjp.exe
Gidbim32.dll   Djgjlelk.exe
Mjelcfha.dll   Delnin32.exe
Anmjcieo.exe   Qgcbgo32.exe
Iqjikg32.dll   Banllbdn.exe
Pkejdahi.dll   Anogiicl.exe
Ffcnippo.dll   Amddjegd.exe
Kofpij32.dll   Bcjlcn32.exe
Daconoae.exe   Dmgbnq32.exe
Balpgb32.exe   Bffkij32.exe
Iphcjp32.dll   Bffkij32.exe
Hjjdjk32.dll   Balpgb32.exe
Clghpklj.dll   Cjpckf32.exe
Delnin32.exe   Dmefhako.exe
Ehmdjdgk.dll   Anmjcieo.exe
Mbpfgbfp.dll   Aeiofcji.exe
Chokikeb.exe   Cdcoim32.exe
Ampkof32.exe   Anmjcieo.exe
Banllbdn.exe   Bnpppgdj.exe
Cffdpghg.exe   Ceehho32.exe
Nokpao32.dll   Dhocqigp.exe
Pdpmpdbd.exe   3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe
Ingfla32.dll   Cffdpghg.exe
Kboeke32.dll   Acjclpcf.exe
Cndikf32.exe   Cfmajipb.exe
Bcjlcn32.exe   Balpgb32.exe
Cajlhqjp.exe   Cjpckf32.exe
Dmllipeg.exe   Doilmc32.exe
Hmphmhjc.dll   Pfaigm32.exe
Hfggmg32.dll   Bjddphlq.exe
Qihfjd32.dll   Bnpppgdj.exe
Jpcmfk32.dll   3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe
Accfbokl.exe   Aminee32.exe
Jffggf32.dll   Cjmgfgdf.exe
Qmkadgpo.exe   Qnhahj32.exe
File opened for modification (25 rows):
Amddjegd.exe   Aeiofcji.exe
Delnin32.exe   Dmefhako.exe
Qmmnjfnl.exe   Qfcfml32.exe
Qcgffqei.exe   Qmmnjfnl.exe
Afhohlbj.exe   Acjclpcf.exe
Bcebhoii.exe   Bmkjkd32.exe
Ajkaii32.exe   Acqimo32.exe
Bffkij32.exe   Bnkgeg32.exe
Cndikf32.exe   Cfmajipb.exe
Cjmgfgdf.exe   Chokikeb.exe
Cajlhqjp.exe   Cjpckf32.exe
Dhocqigp.exe   Dddhpjof.exe
Qmkadgpo.exe   Qnhahj32.exe
Bfabnjjp.exe   Accfbokl.exe
Acjclpcf.exe   Ampkof32.exe
Bjddphlq.exe   Bfhhoi32.exe
Banllbdn.exe   Bnpppgdj.exe
Cfmajipb.exe   Bapiabak.exe
Calhnpgn.exe   Cnnlaehj.exe
Qfcfml32.exe   Qceiaa32.exe
Danecp32.exe   Dopigd32.exe
Aqncedbp.exe   Anogiicl.exe
Bmkjkd32.exe   Bfabnjjp.exe
Cnnlaehj.exe   Cffdpghg.exe
Dddhpjof.exe   Deagdn32.exe
-
Program crash 1 IoCs
pid pid_target Process procid_target
1584   2760   WerFault.exe   161
(WerFault.exe, pid 1584, handled a crash of pid 2760, the sandbox's process 161; that pid does not appear in the dropped-EXE list above, so the crashing module cannot be identified from this page.)
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Note that NLS\Language is read by ordinary locale lookups, so this signature fires for every module in the chain and is weak evidence on its own.
description ioc Process (64 rows, all with the same ioc)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by: Acjclpcf.exe, Bcjlcn32.exe, Bnpppgdj.exe, Bhhdil32.exe, Cfpnph32.exe, Cnffqf32.exe, Cjmgfgdf.exe, Cdfkolkf.exe, Cajlhqjp.exe, Cnnlaehj.exe, Dfnjafap.exe, Qnhahj32.exe, Afhohlbj.exe, Aeiofcji.exe, Bfabnjjp.exe, Ddonekbl.exe, Daekdooc.exe, Qcgffqei.exe, Anogiicl.exe, Accfbokl.exe, Ceehho32.exe, Dhfajjoj.exe, Dknpmdfc.exe, Aqncedbp.exe, Ampkof32.exe, Bmkjkd32.exe, Cffdpghg.exe, Dkifae32.exe, Doilmc32.exe, Qceiaa32.exe, Bnkgeg32.exe, Pfaigm32.exe, Cndikf32.exe, Dddhpjof.exe, Cabfga32.exe, Djdmffnn.exe, Dejacond.exe, Daconoae.exe, Dfpgffpm.exe, Dmllipeg.exe, 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe, Qdbiedpa.exe, Bcebhoii.exe, Bjokdipf.exe, Bffkij32.exe, Banllbdn.exe, Cdabcm32.exe, Dmefhako.exe, Agjhgngj.exe, Dhocqigp.exe, Bfhhoi32.exe, Cjpckf32.exe, Dmgbnq32.exe, Deagdn32.exe, Acqimo32.exe, Aminee32.exe, Djgjlelk.exe, Qgcbgo32.exe, Bnbmefbg.exe, Caebma32.exe, Calhnpgn.exe, Danecp32.exe, Ddakjkqi.exe, Pdpmpdbd.exe
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" Bcebhoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll" Bjddphlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Banllbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dogogcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcgffqei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" Ddjejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhocqigp.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll" Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdcoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djgjlelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dddhpjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll" Agjhgngj.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll" Banllbdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll" Cdcoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll" Qfcfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll" Bffkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Danecp32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfnjafap.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" Djgjlelk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acjclpcf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" Anogiicl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amddjegd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" Accfbokl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfabnjjp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dejacond.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djdmffnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddakjkqi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmkadgpo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" Ampkof32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll" Afhohlbj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcjlcn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfhhoi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkifae32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdpmpdbd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcjlcn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Bapiabak.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cajlhqjp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" Dhfajjoj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" Djdmffnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chokikeb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddonekbl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deagdn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qnhahj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" Ajkaii32.exe
-
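Read together, the registry IoCs describe one persistence mechanism rather than many unrelated writes: the "Adds autorun key to be loaded by Explorer.exe on startup" entries register CLSID {79FAA099-1BAE-816E-D711-115290CEE717} under ShellServiceObjectDelayLoad (SSODL), and the "Modifies registry class" entries above keep repointing that CLSID's InProcServer32 default value at newly dropped DLLs in SysWow64, each time from a different process in the chain. The Python below is an added example and not part of the sandbox report: it parses IoC lines in the one-per-line form, joins the SSODL name to its CLSID and to every DLL path registered for it, and flags that rotation. The sample input is constructed: the CLSID lines are copied from the list above, the two SSODL lines are written in the same notation to stand in for the report's "Adds autorun key" entries, and the regexes and the `rotates_payload()` heuristic are mine, not the sandbox's.

```python
import re
from collections import defaultdict

# One registry IoC per line, in the sandbox's own notation: "Set value (type) <path> = "<data>" <process>"
# or "Key created <path> <process>". Backslashes inside the quoted data are doubled ("C:\\Windows\\...").
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+?) (?P<proc>\S+)$')
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$')
# Matches the InProcServer32 key itself (value None), its default value (value '') or a named value.
CLSID_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32(?:\\(?P<value>[^\\]*))?$')

# Constructed sample (see the lead-in): CLSID lines from the report, SSODL lines written to match.
SAMPLE_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdpmpdbd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afhohlbj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfnjafap.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" Djgjlelk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acjclpcf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" Anogiicl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" Ajkaii32.exe
'''


def parse_iocs(text):
    """Return (ssodl, servers, writers):
    ssodl   - SSODL value name -> CLSID registered under it
    servers - CLSID -> DLL paths written to its InProcServer32 default value, in report order
    writers - CLSID -> set of process names that created or wrote its InProcServer32 key
    """
    ssodl, servers, writers = {}, defaultdict(list), defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            data = m['data'].replace('\\\\', '\\')      # undo the sandbox's backslash escaping
            s = SSODL_RE.search(m['path'])
            if s:
                ssodl[s['name']] = data                 # data is the CLSID Explorer will instantiate
                continue
            c = CLSID_RE.search(m['path'])
            if c:
                writers[c['clsid']].add(m['proc'])
                if c['value'] == '':                    # default value = the DLL that gets loaded
                    servers[c['clsid']].append(data)
            continue
        m = KEY_RE.match(line)
        if m:
            c = CLSID_RE.search(m['path'])
            if c:
                writers[c['clsid']].add(m['proc'])
    return ssodl, servers, writers


def persistence_chain(text):
    """Join the two halves of the persistence: SSODL name -> CLSID -> DLL(s) -> writing processes."""
    ssodl, servers, writers = parse_iocs(text)
    return [
        {
            'ssodl_name': name,
            'clsid': clsid,
            'dlls': servers.get(clsid, []),
            'writers': sorted(writers.get(clsid, ())),
        }
        for name, clsid in ssodl.items()
    ]


def rotates_payload(entry):
    """Heuristic taken from this report: one CLSID whose InProcServer32 is repointed at several
    differently named DLLs by several different processes. A legitimate shell extension is
    registered once, by its installer."""
    return len(set(entry['dlls'])) > 1 and len(entry['writers']) > 1


if __name__ == '__main__':
    for entry in persistence_chain(SAMPLE_IOCS):
        print(entry['ssodl_name'], '->', entry['clsid'])
        for dll in entry['dlls']:
            print('   loads', dll)
        print('   written by', ', '.join(entry['writers']))
        print('   rotating payload:', rotates_payload(entry))
```

Feeding the function the full list above rather than the sample gives the complete set of DLL names the chain registered (Gidbim32.dll, Pkejdahi.dll, Fjbodfcj.dll, Hmcjlfqa.dll, Ghekgcil.dll, Imbajm32.dll, Hdhpgj32.dll, Hcjccj32.dll, Bfddbh32.dll), which is the list to sweep for on disk under SysWOW64. Note that every key here sits under WOW6432Node: the sample is 32-bit, so its HKLM\SOFTWARE writes are redirected to the 32-bit registry view.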
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1544 wrote to memory of 2964 1544 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe 83
PID 1544 wrote to memory of 2964 1544 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe 83
PID 1544 wrote to memory of 2964 1544 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe 83
PID 2964 wrote to memory of 3904 2964 Pdpmpdbd.exe 84
PID 2964 wrote to memory of 3904 2964 Pdpmpdbd.exe 84
PID 2964 wrote to memory of 3904 2964 Pdpmpdbd.exe 84
PID 3904 wrote to memory of 4896 3904 Pfaigm32.exe 85
PID 3904 wrote to memory of 4896 3904 Pfaigm32.exe 85
PID 3904 wrote to memory of 4896 3904 Pfaigm32.exe 85
PID 4896 wrote to memory of 2032 4896 Qnhahj32.exe 86
PID 4896 wrote to memory of 2032 4896 Qnhahj32.exe 86
PID 4896 wrote to memory of 2032 4896 Qnhahj32.exe 86
PID 2032 wrote to memory of 2292 2032 Qmkadgpo.exe 87
PID 2032 wrote to memory of 2292 2032 Qmkadgpo.exe 87
PID 2032 wrote to memory of 2292 2032 Qmkadgpo.exe 87
PID 2292 wrote to memory of 4764 2292 Qdbiedpa.exe 88
PID 2292 wrote to memory of 4764 2292 Qdbiedpa.exe 88
PID 2292 wrote to memory of 4764 2292 Qdbiedpa.exe 88
PID 4764 wrote to memory of 1464 4764 Qceiaa32.exe 89
PID 4764 wrote to memory of 1464 4764 Qceiaa32.exe 89
PID 4764 wrote to memory of 1464 4764 Qceiaa32.exe 89
PID 1464 wrote to memory of 3772 1464 Qfcfml32.exe 90
PID 1464 wrote to memory of 3772 1464 Qfcfml32.exe 90
PID 1464 wrote to memory of 3772 1464 Qfcfml32.exe 90
PID 3772 wrote to memory of 3560 3772 Qmmnjfnl.exe 91
PID 3772 wrote to memory of 3560 3772 Qmmnjfnl.exe 91
PID 3772 wrote to memory of 3560 3772 Qmmnjfnl.exe 91
PID 3560 wrote to memory of 4656 3560 Qcgffqei.exe 92
PID 3560 wrote to memory of 4656 3560 Qcgffqei.exe 92
PID 3560 wrote to memory of 4656 3560 Qcgffqei.exe 92
PID 4656 wrote to memory of 208 4656 Qgcbgo32.exe 93
PID 4656 wrote to memory of 208 4656 Qgcbgo32.exe 93
PID 4656 wrote to memory of 208 4656 Qgcbgo32.exe 93
PID 208 wrote to memory of 4056 208 Anmjcieo.exe 94
PID 208 wrote to memory of 4056 208 Anmjcieo.exe 94
PID 208 wrote to memory of 4056 208 Anmjcieo.exe 94
PID 4056 wrote to memory of 3704 4056 Ampkof32.exe 95
PID 4056 wrote to memory of 3704 4056 Ampkof32.exe 95
PID 4056 wrote to memory of 3704 4056 Ampkof32.exe 95
PID 3704 wrote to memory of 4812 3704 Acjclpcf.exe 96
PID 3704 wrote to memory of 4812 3704 Acjclpcf.exe 96
PID 3704 wrote to memory of 4812 3704 Acjclpcf.exe 96
PID 4812 wrote to memory of 2240 4812 Afhohlbj.exe 97
PID 4812 wrote to memory of 2240 4812 Afhohlbj.exe 97
PID 4812 wrote to memory of 2240 4812 Afhohlbj.exe 97
PID 2240 wrote to memory of 4840 2240 Anogiicl.exe 98
PID 2240 wrote to memory of 4840 2240 Anogiicl.exe 98
PID 2240 wrote to memory of 4840 2240 Anogiicl.exe 98
PID 4840 wrote to memory of 3748 4840 Aqncedbp.exe 99
PID 4840 wrote to memory of 3748 4840 Aqncedbp.exe 99
PID 4840 wrote to memory of 3748 4840 Aqncedbp.exe 99
PID 3748 wrote to memory of 5116 3748 Aeiofcji.exe 100
PID 3748 wrote to memory of 5116 3748 Aeiofcji.exe 100
PID 3748 wrote to memory of 5116 3748 Aeiofcji.exe 100
PID 5116 wrote to memory of 4804 5116 Amddjegd.exe 101
PID 5116 wrote to memory of 4804 5116 Amddjegd.exe 101
PID 5116 wrote to memory of 4804 5116 Amddjegd.exe 101
PID 4804 wrote to memory of 3688 4804 Agjhgngj.exe 102
PID 4804 wrote to memory of 3688 4804 Agjhgngj.exe 102
PID 4804 wrote to memory of 3688 4804 Agjhgngj.exe 102
PID 3688 wrote to memory of 1564 3688 Acqimo32.exe 103
PID 3688 wrote to memory of 1564 3688 Acqimo32.exe 103
PID 3688 wrote to memory of 1564 3688 Acqimo32.exe 103
PID 1564 wrote to memory of 3156 1564 Ajkaii32.exe 104
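Every record in this list is a parent writing into the child it has just created (each child PID reappears as the next parent, and the same parent/child pairs make up the process tree below), and every pair is logged exactly three times. That uniform pattern is what CreateProcess itself produces when it populates a new child's process parameters, so the signature here documents the spawn chain rather than injection into a process the sample did not start; the 64-IoC cap is also why the list stops at Ajkaii32.exe while the tree continues. The Python below is an added example, not part of the sandbox report: it collapses the repeated records into parent/child edges with write counts and follows them from the root PID to reconstruct the lineage. The sample input is a constructed subset (the first four hops above, verbatim); the regex and helper names are mine.

```python
import re
from collections import OrderedDict

# One "Suspicious use of WriteProcessMemory" IoC as the sandbox flattens it:
# description, pid, Process, procid_target. The description repeats the parent PID.
WPM_RE = re.compile(
    r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) '
    r'(?P=parent) (?P<image>\S+) (?P<target>\d+)$'
)

# Constructed sample: the first four hops of the list above, including the three
# identical records the sandbox emits for every parent/child pair.
SAMPLE_WPM = """\
PID 1544 wrote to memory of 2964 1544 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe 83
PID 1544 wrote to memory of 2964 1544 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe 83
PID 1544 wrote to memory of 2964 1544 3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe 83
PID 2964 wrote to memory of 3904 2964 Pdpmpdbd.exe 84
PID 2964 wrote to memory of 3904 2964 Pdpmpdbd.exe 84
PID 2964 wrote to memory of 3904 2964 Pdpmpdbd.exe 84
PID 3904 wrote to memory of 4896 3904 Pfaigm32.exe 85
PID 3904 wrote to memory of 4896 3904 Pfaigm32.exe 85
PID 3904 wrote to memory of 4896 3904 Pfaigm32.exe 85
PID 4896 wrote to memory of 2032 4896 Qnhahj32.exe 86
PID 4896 wrote to memory of 2032 4896 Qnhahj32.exe 86
PID 4896 wrote to memory of 2032 4896 Qnhahj32.exe 86
"""


def parse_wpm(text):
    """Collapse the records into edges: (parent_pid, child_pid) -> {'image': parent image, 'writes': n}."""
    edges = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised WriteProcessMemory record: {line!r}')
        key = (int(m['parent']), int(m['child']))
        edge = edges.setdefault(key, {'image': m['image'], 'writes': 0})
        edge['writes'] += 1
    return edges


def lineage(edges, root):
    """Follow child links from `root`. Returns the PID chain and the image of each parent along it.
    Stops at a PID with no child, with more than one child (the chain is no longer linear), or on a loop."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    chain, images, seen = [root], [], {root}
    pid = root
    while len(children.get(pid, [])) == 1:
        child = children[pid][0]
        if child in seen:
            break
        images.append(edges[(pid, child)]['image'])
        chain.append(child)
        seen.add(child)
        pid = child
    return chain, images


def write_counts(edges):
    """Distinct per-edge write counts. A single value (here {3}) means every write burst looks the
    same, as expected from process creation; an outlier edge is the one to inspect for injection."""
    return {edge['writes'] for edge in edges.values()}


if __name__ == '__main__':
    edges = parse_wpm(SAMPLE_WPM)
    chain, images = lineage(edges, 1544)
    print('chain of', len(chain), 'processes:', ' -> '.join(map(str, chain)))
    for parent, image in zip(chain, images):
        print(f'  {parent} ({image}) spawned the next hop')
    print('write counts per edge:', write_counts(edges))
```

Run against the whole list above, `lineage()` returns the 23 PIDs from 1544 down to 3156 and `write_counts()` stays at {3}; a chain this long of freshly dropped executables, each living only to spawn the next, is itself the detection-worthy shape, independent of whether any single WriteProcessMemory call is malicious.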
Processes
-
Each entry below is a child of the nearest entry above it with a smaller depth number; the bracketed number is the depth in the tree. The image paths are under C:\Windows\SysWOW64 although the command lines name C:\Windows\system32: the dropped executables are 32-bit, so the WOW64 file system redirector sends their system32 references to SysWOW64, and WOW64 registry redirection is likewise why their registry writes land under WOW6432Node.
[1] C:\Users\Admin\AppData\Local\Temp\3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3fd686ccc427ca4fe312ebd7ae49c9f16c557211582eff8a27d9a649ab8cd684.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
[2] C:\Windows\SysWOW64\Pdpmpdbd.exe (command line: C:\Windows\system32\Pdpmpdbd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
[3] C:\Windows\SysWOW64\Pfaigm32.exe (command line: C:\Windows\system32\Pfaigm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904
[4] C:\Windows\SysWOW64\Qnhahj32.exe (command line: C:\Windows\system32\Qnhahj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896
[5] C:\Windows\SysWOW64\Qmkadgpo.exe (command line: C:\Windows\system32\Qmkadgpo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032
[6] C:\Windows\SysWOW64\Qdbiedpa.exe (command line: C:\Windows\system32\Qdbiedpa.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
[7] C:\Windows\SysWOW64\Qceiaa32.exe (command line: C:\Windows\system32\Qceiaa32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764
[8] C:\Windows\SysWOW64\Qfcfml32.exe (command line: C:\Windows\system32\Qfcfml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
[9] C:\Windows\SysWOW64\Qmmnjfnl.exe (command line: C:\Windows\system32\Qmmnjfnl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3772
[10] C:\Windows\SysWOW64\Qcgffqei.exe (command line: C:\Windows\system32\Qcgffqei.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3560
[11] C:\Windows\SysWOW64\Qgcbgo32.exe (command line: C:\Windows\system32\Qgcbgo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4656
[12] C:\Windows\SysWOW64\Anmjcieo.exe (command line: C:\Windows\system32\Anmjcieo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208
[13] C:\Windows\SysWOW64\Ampkof32.exe (command line: C:\Windows\system32\Ampkof32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056
[14] C:\Windows\SysWOW64\Acjclpcf.exe (command line: C:\Windows\system32\Acjclpcf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3704
[15] C:\Windows\SysWOW64\Afhohlbj.exe (command line: C:\Windows\system32\Afhohlbj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812
[16] C:\Windows\SysWOW64\Anogiicl.exe (command line: C:\Windows\system32\Anogiicl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
[17] C:\Windows\SysWOW64\Aqncedbp.exe (command line: C:\Windows\system32\Aqncedbp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
[18] C:\Windows\SysWOW64\Aeiofcji.exe (command line: C:\Windows\system32\Aeiofcji.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748
[19] C:\Windows\SysWOW64\Amddjegd.exe (command line: C:\Windows\system32\Amddjegd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116
[20] C:\Windows\SysWOW64\Agjhgngj.exe (command line: C:\Windows\system32\Agjhgngj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
[21] C:\Windows\SysWOW64\Acqimo32.exe (command line: C:\Windows\system32\Acqimo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688
[22] C:\Windows\SysWOW64\Ajkaii32.exe (command line: C:\Windows\system32\Ajkaii32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564
[23] C:\Windows\SysWOW64\Aminee32.exe (command line: C:\Windows\system32\Aminee32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3156
[24] C:\Windows\SysWOW64\Accfbokl.exe (command line: C:\Windows\system32\Accfbokl.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2488
[25] C:\Windows\SysWOW64\Bfabnjjp.exe (command line: C:\Windows\system32\Bfabnjjp.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4172
[26] C:\Windows\SysWOW64\Bmkjkd32.exe (command line: C:\Windows\system32\Bmkjkd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2900
[27] C:\Windows\SysWOW64\Bcebhoii.exe (command line: C:\Windows\system32\Bcebhoii.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:652
[28] C:\Windows\SysWOW64\Bjokdipf.exe (command line: C:\Windows\system32\Bjokdipf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3040
[29] C:\Windows\SysWOW64\Bnkgeg32.exe (command line: C:\Windows\system32\Bnkgeg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1496
[30] C:\Windows\SysWOW64\Bffkij32.exe (command line: C:\Windows\system32\Bffkij32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3548
[31] C:\Windows\SysWOW64\Balpgb32.exe (command line: C:\Windows\system32\Balpgb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2784
[32] C:\Windows\SysWOW64\Bcjlcn32.exe (command line: C:\Windows\system32\Bcjlcn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112
[33] C:\Windows\SysWOW64\Bfhhoi32.exe (command line: C:\Windows\system32\Bfhhoi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960
[34] C:\Windows\SysWOW64\Bjddphlq.exe (command line: C:\Windows\system32\Bjddphlq.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1640
[35] C:\Windows\SysWOW64\Bnpppgdj.exe (command line: C:\Windows\system32\Bnpppgdj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5088
[36] C:\Windows\SysWOW64\Banllbdn.exe (command line: C:\Windows\system32\Banllbdn.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4148
[37] C:\Windows\SysWOW64\Bhhdil32.exe (command line: C:\Windows\system32\Bhhdil32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3092
[38] C:\Windows\SysWOW64\Bnbmefbg.exe (command line: C:\Windows\system32\Bnbmefbg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1400
[39] C:\Windows\SysWOW64\Bapiabak.exe (command line: C:\Windows\system32\Bapiabak.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3756
[40] C:\Windows\SysWOW64\Cfmajipb.exe (command line: C:\Windows\system32\Cfmajipb.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:3972
[41] C:\Windows\SysWOW64\Cndikf32.exe (command line: C:\Windows\system32\Cndikf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3732
[42] C:\Windows\SysWOW64\Cabfga32.exe (command line: C:\Windows\system32\Cabfga32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2512
[43] C:\Windows\SysWOW64\Cdabcm32.exe (command line: C:\Windows\system32\Cdabcm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4128
[44] C:\Windows\SysWOW64\Cfpnph32.exe (command line: C:\Windows\system32\Cfpnph32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4072
[45] C:\Windows\SysWOW64\Cnffqf32.exe (command line: C:\Windows\system32\Cnffqf32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3044
[46] C:\Windows\SysWOW64\Caebma32.exe (command line: C:\Windows\system32\Caebma32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2128
[47] C:\Windows\SysWOW64\Cdcoim32.exe (command line: C:\Windows\system32\Cdcoim32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172
[48] C:\Windows\SysWOW64\Chokikeb.exe (command line: C:\Windows\system32\Chokikeb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2460
[49] C:\Windows\SysWOW64\Cjmgfgdf.exe (command line: C:\Windows\system32\Cjmgfgdf.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2884
[50] C:\Windows\SysWOW64\Cdfkolkf.exe (command line: C:\Windows\system32\Cdfkolkf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092
[51] C:\Windows\SysWOW64\Cjpckf32.exe (command line: C:\Windows\system32\Cjpckf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2204
[52] C:\Windows\SysWOW64\Cajlhqjp.exe (command line: C:\Windows\system32\Cajlhqjp.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4280
[53] C:\Windows\SysWOW64\Ceehho32.exe (command line: C:\Windows\system32\Ceehho32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1692
[54] C:\Windows\SysWOW64\Cffdpghg.exe (command line: C:\Windows\system32\Cffdpghg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3680
[55] C:\Windows\SysWOW64\Cnnlaehj.exe (command line: C:\Windows\system32\Cnnlaehj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3760
[56] C:\Windows\SysWOW64\Calhnpgn.exe (command line: C:\Windows\system32\Calhnpgn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5084
[57] C:\Windows\SysWOW64\Ddjejl32.exe (command line: C:\Windows\system32\Ddjejl32.exe)
- Executes dropped EXE
- Modifies registry class
PID:220
[58] C:\Windows\SysWOW64\Dhfajjoj.exe (command line: C:\Windows\system32\Dhfajjoj.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3180
[59] C:\Windows\SysWOW64\Djdmffnn.exe (command line: C:\Windows\system32\Djdmffnn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2824
[60] C:\Windows\SysWOW64\Dopigd32.exe (command line: C:\Windows\system32\Dopigd32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:4424
[61] C:\Windows\SysWOW64\Danecp32.exe (command line: C:\Windows\system32\Danecp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3500
[62] C:\Windows\SysWOW64\Dejacond.exe (command line: C:\Windows\system32\Dejacond.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4788
[63] C:\Windows\SysWOW64\Djgjlelk.exe (command line: C:\Windows\system32\Djgjlelk.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2020
[64] C:\Windows\SysWOW64\Dmefhako.exe (command line: C:\Windows\system32\Dmefhako.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4868
[65] C:\Windows\SysWOW64\Delnin32.exe (command line: C:\Windows\system32\Delnin32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:936
[66] C:\Windows\SysWOW64\Ddonekbl.exe (command line: C:\Windows\system32\Ddonekbl.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1860
[67] C:\Windows\SysWOW64\Dfnjafap.exe (command line: C:\Windows\system32\Dfnjafap.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4920
[68] C:\Windows\SysWOW64\Dkifae32.exe (command line: C:\Windows\system32\Dkifae32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4440
[69] C:\Windows\SysWOW64\Dmgbnq32.exe (command line: C:\Windows\system32\Dmgbnq32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3088
[70] C:\Windows\SysWOW64\Daconoae.exe (command line: C:\Windows\system32\Daconoae.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1008
[71] C:\Windows\SysWOW64\Ddakjkqi.exe (command line: C:\Windows\system32\Ddakjkqi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1840
[72] C:\Windows\SysWOW64\Dfpgffpm.exe (command line: C:\Windows\system32\Dfpgffpm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3992
[73] C:\Windows\SysWOW64\Dogogcpo.exe (command line: C:\Windows\system32\Dogogcpo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2388
[74] C:\Windows\SysWOW64\Daekdooc.exe (command line: C:\Windows\system32\Daekdooc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2432
[75] C:\Windows\SysWOW64\Deagdn32.exe (command line: C:\Windows\system32\Deagdn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1908
[76] C:\Windows\SysWOW64\Dddhpjof.exe (command line: C:\Windows\system32\Dddhpjof.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340
[77] C:\Windows\SysWOW64\Dhocqigp.exe (command line: C:\Windows\system32\Dhocqigp.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5056
[78] C:\Windows\SysWOW64\Dknpmdfc.exe (command line: C:\Windows\system32\Dknpmdfc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4000
[79] C:\Windows\SysWOW64\Doilmc32.exe (command line: C:\Windows\system32\Doilmc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3872
[80] C:\Windows\SysWOW64\Dmllipeg.exe (command line: C:\Windows\system32\Dmllipeg.exe)
- System Location Discovery: System Language Discovery
PID:2760
[81] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 416)
- Program crash
PID:1584
[1] C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2760 -ip 2760)
PID:932
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 96KB
MD5 0820bed4cd17fc676dd2b518aa5c5fbf
SHA1 2832b52f81fc9f668eb48841eb92db78e6255cb1
SHA256 3d6eba6dd53c8380d7b05128e19b916bb77f4324a7c92e880fdeaa621c74bdc5
SHA512 d70377dce10a037bebe06e835808faa98820446e0d6f5f46baea130a603c34139e644c5da8e500431436fa2d252fc5751cbc552552892c593174f169608a4db5
-
Filesize 96KB
MD5 4eb6e202440be630965a5c9cb1ef0ad1
SHA1 93f2811f9a27dbeca762097d2164204848a2746e
SHA256 b0f7e4861c64cb93c064f5b7957cd915814cf0274c4ac0dd6ee5fe23d1745bd7
SHA512 740a4d76af093b4b7dc36df21c5e9106aff710fa9efeea19fa5a2297be80e647e8cc5d0dde8122c7dbf81e43b94c196a3e9cbbdc84edbd0e8cf6c9f12a729dc2
-
Filesize 96KB
MD5 839b69facf29c5a10667db87eb2ba42a
SHA1 9e2f58c4adae852e7c3ebb2152c2a6d6e117b938
SHA256 15210e01cd8be64035a9bc11bbf5459f2c2d06ea83df44a2267bf62ec8012be0
SHA512 4a5d804befb2b666967b86e2999d17b8adda4352c2476e183f06a94a77493704e6af1aecfbbf9327cd5a6423e7b6cdc7c7e4ed29936209366d5cd3d481c3c15d
-
Filesize 96KB
MD5 d87ddd2579687b099e0f8f56906c70d5
SHA1 7c2a314752f934156c716a57e40d34f7b0d59646
SHA256 306f3374288ecb8b8dd59da6627d946055b3148b60c74b71ea2fed7221a50f6f
SHA512 8d096b49c917e7f9ef941250741a30993c5c604f0ace88d437ccbf701788403ec56bd6aefd6c1187db7b6cd2b37e4e7d94f97575ce5a3be43123aa4f30359d89
-
Filesize 96KB
MD5 4862ebdd140f544d4b80d25551925d3f
SHA1 7d5d8507a6846c20aab53e1acf3e36577ea9d0be
SHA256 6bdc21a2146da8dd513e8149b66eb522cabebf24129c1456f91e85428aaa09ca
SHA512 e5b84a50cf27e5951486670c7a29db79e94a7bfcf3ee970a26def00d88198d6d0adc278a3e56cffb70a9b66f133e117b244fc250f9da582aa7db90bbdd9508a9
-
Filesize 96KB
MD5 eca353a71e44bfaf8b50d8722052ab55
SHA1 74f0b8a5a98de5f9f9590f6903d0b87b65c5b088
SHA256 cfb8443c49e2b6b80c340fe0929b04d268159f66b35b24ba3535b0508b055970
SHA512 57eb2134cd07d63326e3943c7aea3980a4e98c7d083b114c3f5aa125f6edc497ad9f3ba28dcf89aaa8d415e95c3c19c6a010165b98f10c837c73ebeda1e7b4bb
-
Filesize 96KB
MD5 b2ec89585ec854d73eda7c4fae50ed36
SHA1 c6b930860d34e6567c1f091391904eff9f563f49
SHA256 b9c77923fe20163d7283a4bc713c740757e22d61951e64a44cbf3a5ea18bab06
SHA512 2cbb01a82f4d77b1afa130d30af0f2165f0d8963fdfbbffccfec08da7a2b49d27bde7fe90bac6e69edadb6a09d330f761fa6f8bd56e74c0b3a7e2281562215fd
-
Filesize 96KB
MD5 20fb26d83f14f8596a0c1e95eeeae535
SHA1 5f42d3aeb3e1af9522341fb82ecc5c5996ed8c06
SHA256 090c633a8a1ea512cf1ff185181dc18977cea42133b6ad227f632544a4a28e3b
SHA512 6e11fe275a5d45e73c9474c66896b6b6259af632b8feb4b8311962cb4ed7b739d42d80f38970a94ab37f2a24fdeaea019775967ce0b99c5e3e6af038be48f864
-
Filesize 96KB
MD5 39d9971c2d4f485a98df4b0c536e07c9
SHA1 6e155a5f301bc5886475cae5685a6eaa41ef65d4
SHA256 84815a6c0d6b12907012c21e4bce70419e22861b0d23c29281c5a49db734f12c
SHA512 8f970629b32e907fdb4406ca557d03bb9eaea889156b3b97ef272be5f71389ef3e9096389114fb4d09dffc26f13d39018090e6ecae8bdf8966a921d39f0a6a0c
-
Filesize 96KB
MD5 a4c0d053eebe2ef079c3c23f6bbf3d10
SHA1 0038aacffb5dbe1cc9071d2991e8aee18b5a93a1
SHA256 f7c48e285a637bed696a06143bd03f24671a74fb7c8017a366281c58136d1818
SHA512 0b21b25c9c107dede4937f7df8e5992ecd506872b999d3d36c4dbe4c8ceee1f80c0697a9dfa1b7ad28e570109240e86ba68931ce640e24343f491c6113f0933d
-
Filesize 96KB
MD5 180bdf29137e8fd352b09db25d5f19d8
SHA1 94f1f0f34bc37e3a717455b479da5feffbdeb963
SHA256 a3256f661daf755e2e030dd94db8ad930a4eab66a42c2dcf7b7c77295bc2c554
SHA512 6449ebec01a7109d0ce35cd4f07212b013dcde52fb8de95ffb1406e6b887f45f3f03178507c749c7d6a4642c58d21b88c6099042599e3a4ad16abf7345d948f0
-
Filesize 96KB
MD5 3ad1a9eb36d7a9389130dd43984c34c4
SHA1 f2312d01a022e17e7dac685b3299b57ae35f4578
SHA256 a84b87c301da34eb8cb13c91da45d9bd6f7ad947a625d88e4efbebedd8db60e3
SHA512 18bace6ab41919a6ca13421f92f70f911c75b2daa3afd18dd818f4e94742a428e2bc2f22d5b007d40264800969e6df39564caa0cfafd085a45c0aa8a356b9806
-
Filesize 96KB
MD5 2199ee03d721bda5e7dd4390916afd87
SHA1 0c20cc5a354838f25510da89fea426e3c408adc2
SHA256 5f581e8028023c460a1779aa1a39f892a0bdc699933801e7e62e3ad88f644d89
SHA512 909ada476dd7f4a2f6d0b1cb64f318c53f10060b899bca8df27c5e58e4d7fdbb08711dd1380eefe5147f64980df76d9a58800285ba7819af635f68803ded2d16
-
Filesize 96KB
MD5 b24ffdfd8a2e57192d95e8513b55261b
SHA1 6b0a8589916398771da4c4b1e215d95ef764857b
SHA256 d1ceb8812f07b1d68c80aa52bbaf393e7e8b04ad3f61c5a12f9f65ae458efc49
SHA512 0384450a49b3e2a6eea5a352ea833cbf17dbfef8245b96b0c65e2bb239ed81525ece071fc513b55072fceffd9c228b4e566ae2b2e9cefec8d648ef695bb97d3f
-
Filesize 96KB
MD5 48409bf4f9d339d2edf805821d389169
SHA1 75371344681d1f10ccbde53f04d689cad8893dff
SHA256 2b2ce7ef6303dfa127dcbfa02f4605a6a89f1535f7c22475b29872a7b0140f0e
SHA512 c5e1096b6c9145a28ab26a427103785269e0e12f8a511d163198bd58751b92481420ad9051b7fcff42c78f4422ddea3d29f4b790bff2303999d5686f9575b82c
-
Filesize 96KB
MD5 770cceeeb405c6f1e026bad5902fd98a
SHA1 550f0892c2186d4c70923f4c2545adee583dce85
SHA256 0faae2319726ebe32e07b19e648034fe8918237c08454b5af2a2567db9ef488c
SHA512 e263b349a83ac6a93773dd66c221c094bd8d719eb423b0858db06f8046123daf12c8e0520e4e0b426d5780126eaedbcf6736785003f1d56b69e4e828d0ce3fcc
-
Filesize 96KB
MD5 13097f2781ab5de7c2e009d9925fb0a9
SHA1 26f42083dafed5f486c2de2bba035a9ce5859ffe
SHA256 a6046a3ca6eac9772e4d32f1b3c9e3a01cd15b66d8bb6609c90ded02498b257b
SHA512 734900f2f55bf6bb69ee5cd1e7165f885146b6ad1d9e57914f6515f605c70969f6671383c1de5e114fe780466ccf14c3133a26af29e9afb7c3240731251c0c01
-
Filesize 96KB
MD5 3942b980d45a77069bc5fc04f3a26a1b
SHA1 d4cb6c9649ebc2601e8315f76b7ec74431971657
SHA256 87e7337c58cb7fc279b26595f595d5045247307514c6260168a731e6fa93c423
SHA512 637b22ea94470832805edfe0119e7eee835aae49ae48c885b122aa8b586db3d95a1e06cf08b158ff67180ea93312db2eaa89b33d67e69949bd0b443bc97cf9f0
-
Filesize 96KB
MD5 8da72a136a3c881c4d080742d9008aca
SHA1 2ba1e01cd9817531749566eb08b33ad9dfd65686
SHA256 c0354805667121b47b01d8b79ba67c41693af6cc0cc02e0c8aef46bb79b75f5e
SHA512 17d3ccaa17f0af88173e7aedb5a1cf178d308f221af80ee9fcb6588287e3e68604ee2598ba8919d94b34a42db3eda1ea0b5adc3c905b0711e99f9dbca1b6907b
-
Filesize 96KB
MD5 52ffbb151281485c73063d8aecc452b7
SHA1 e94510a7e783e721331cbd497034daed66cdc933
SHA256 042217142fa18dccc42644e58cbdd7845f3bf8b1f33198453fa840ce3747782f
SHA512 e165b3b8766a9e45a9ebe9e393ae14bb2894a22c1d0dd95838407e63595670ff7489e06aa68ccfe57be93b83994179b1920f50284349d62495632a58a7799a23
-
Filesize 96KB
MD5 381c68a0e1422a92c564a095aa7e3d2d
SHA1 687ed7575aa0b65ed9e7be4a7b3baf58b793f927
SHA256 657765d757e2215e1925e2f39e8ae524a3effd5671ca50e1e982c7dbaf1d757f
SHA512 9d782800fbb2728c0fcec561bfa40792ba967651ed96fe1a22474795e7779c6b9ee6823de27fe4f87be75571942f371608236622c0dba261d67807460c255345
-
Filesize 96KB
MD5 7498aa64840b5ce072a592dc4709a95e
SHA1 ca70d800ee9eb894ac8b4fe3f80724339c87ae63
SHA256 ad8b38711eef876b2f03e4b98a406a235096f751884eacd195f5db825a35001f
SHA512 207d90920adb7e358cb52ef2f24e2269610f6a1134ce04c50bb8d853bf844dd9c8c8b9be606464c7b18ffb723e75c6108ec2dab372b2f9a8d7cf7104bf7a2265
-
Filesize 96KB
MD5 5d7dbaf17813e501fb52d2b4d137b8a8
SHA1 a5ca498d8b7cad733d929a1ae05b02e0ae20da96
SHA256 3788467f001db33b0c92096f0f609f293da7be9ad316f36fe768056589a1423b
SHA512 6d09c1f087fce879eaee172b0582506ebb44fdf46e4ffcd770524713750a7f26f44a8d4968a3bf6a07281c7f4c8ff9268e9f7034d217c0992148de0987fccc75
-
Filesize 96KB
MD5 1411cd00a22d6dc93203badf2a31b3ba
SHA1 baffeffdc7bd7b97833cd0d8271139222d219fd9
SHA256 a1ea53de0cd247281429459e1c577f26f5bca1a61eff4dc5fe1ad80cd78dd671
SHA512 050f9321f21ee0f888b248e489b0fda4347f3ce306ca3a354592bb328076957043129f54661f79b2baba86d0e24f6ecd76ae249205eb04165d87a17d818d0212
-
Filesize 96KB
MD5 6bad43615cf9fbbc00ced7e553f742c7
SHA1 2af9691b9a05a621edbba67c508c4a04315316ab
SHA256 7d7decf88802ee9fe515b2a67c60aa6f69c8f3a4a306c2bb37bc2c97c8d9f5f1
SHA512 319e57cce33199627e8d0b32fa875c518c53061449eb5dbe43acdd46a149a965cfedeba7a129a8069edec9b15beb06ed094597508dfa16f65fc1ef70a776def2
-
Filesize 96KB
MD5 0556b1d596a86980f17fea4f1fbddf9a
SHA1 03155ce089c94b83c40da060ba9204260ea22262
SHA256 9139ff223bab3aaf0f3076ea75399f99134c6bca81fb249fec6ca10c751255f7
SHA512 9d7bf38014be5ac598f2dea4bfedaa363faca0e4d86e8cf72a4c23128852eccbe2dae58a8dcae59ab09a84124242b9eac5d49bd1a842f1de1808e14cf4685bee
-
Filesize 96KB
MD5 54fd462db8768d34cd5853020661d0c2
SHA1 eea6e40765a6eb081b9af177da1dfa7d1fd2ad66
SHA256 f073a08f9597722538176904819233c0f74e10344e939204ab88e9f4a07c4bf5
SHA512 99fcc61641d8504d6c5841a3af5dc865dedefceec439f27181cb59027f85465bab2200967481fc229abf9c6b02790db0e09d8168e777c3cd8ef94177be7440df
-
Filesize 96KB
MD5 958fd10a6c6bb871f4647d32409d2db8
SHA1 18b2fb1f2fec9b19d6dd8db5d79f0e40e42d9b93
SHA256 e59ed1c7e019a87184c7a1aa553b9f05b5d3eca531e3316f615967b34dea9ead
SHA512 f78dff7421149d6b335f15bd7626c2320a9debdd8509eb272b072f2a8be9b3f345d0366104ffe84f7432c33cfc2bc79e630a368090de743e99e7841ef9cf5164
-
Filesize 96KB
MD5 cab713af9c5740e376abd9efef00ff58
SHA1 b979db494700b1bb39c0c6d9da8314c28ffd31cd
SHA256 3441c33f2a594fe27868c62d85cb544ed243838a685cec4ad1242b6d971476bc
SHA512 3fc34ad376a88d4494430b283bd5a35490ab62f4a0794fe9a8852b6e519aaad58d947beb124aa6652ba02dc2a857e39c951348b47efb13e6a43240fb39267493
-
Filesize 7KB
MD5 0786c3adab115575b0532ab03f00efe5
SHA1 78bb1a631bb9d0c4ac265b659b4f3a08bbdfd238
SHA256 cf7eff28a8db11e9ee6748d834c24d5c0b77b1b90a1a47312665e9ffa65e105b
SHA512 623dd5de7a49756fdc9c955f2cc3598c5969e8d9b2b6ab03fc5b2d260c1b173a6d456558f9abcca70916c538c7cb72a865146f797f8dd4619748071d68c416ca
-
Filesize 96KB
MD5 74098834fe3da6093b5a66d75a57ea9d
SHA1 4bac8bed88ff5a8f25e0a014cf56771d6a06de3b
SHA256 d5bf03b26bf6a9d9e6821d74a2e7c72f72d0e8e5c4a8312619bb05e003a96dba
SHA512 39f4c52ac58e111a7a014e268a4ef553046b7b754e73ac0092cee36b37f6cda24a13b115dda27a8d4fcc3d928f7e9734008ce0f8b3886317cfd4aafbc645a2d3
-
Filesize 96KB
MD5 cf2922fc102d485562308a1ef90da5eb
SHA1 6677202d81ea3b15c8434e58bd09a720fd2990a2
SHA256 f4c02818461f0c591e60dd9a10c3492174c269826a47afdb5970635db44762ec
SHA512 d8f5662ada3e6563a30f703c67bf5f778b99227193e0c66bd9726669ee1bb676a1888c3f2ddaa8fc2631205e638a36b3bf214abfb8e4c93702d49005ff629c9d
-
Filesize 96KB
MD5 6e0f61a023ff23cf8ec66ec642431880
SHA1 3c73858db602ceb2e344e29ec83f2120c19332ec
SHA256 4fed787cc9d2e9b3dcbfb7de0a3ac4c535b5fd6da685d61a9172feef9a7b6f3a
SHA512 c95a02d0a440410286460ef622438d049939cff367797d34b166c66ee3a2497044e2fadc01a6049c0a472306dc50dfa6087ba64ef0876f8ebf88259438eddb41
-
Filesize 96KB
MD5 ad7c066fd959f43430ebabddc5a713d6
SHA1 fba91903525cfc285fdab065584b45ab55ecc0f4
SHA256 90241c836843e9b6d38702722f23c565dab54c285c6f8d79bfffdf9d42c937da
SHA512 7685a191d22d0df9a139e1188d9376c7aa5e4e46359114de5d84314cc545e068d561680f1e52d9fc06ebacad51fb49dff3d85fa2efe0e34a0f0b578a74c72f97
-
Filesize 96KB
MD5 0da90764c3b23fb6b1e4e067cea2478f
SHA1 bedf63babc8a8266531a47f939e945daf307f7b3
SHA256 8a5dd21ddfef5c8aed8fe2e9f2b616f8484e7d2aec64cb61abf96f95524ee1b2
SHA512 6d12c9a006fd01cbef062d7ba5a6b3c0f0363f167719aa069a177dc82d5af5b98b3d240bbf7eb7a24d2640a1f8a6593cae8cdf7eb151c03366906d3afdb3e0c1
-
Filesize 96KB
MD5 b6ff2dfd7dcc9aefe4538d77bc234fb7
SHA1 b08d0f4c6a14bc439ffb13d9a639526348aeb580
SHA256 1855e53e925250b590cbaa5fcb1f783e01524cccaee2e3c2150b191485ca6609
SHA512 f5d0d3ab2d0b0a10bf3170f5dc2cce547f6654205a74921791fb2eb9aedbe46b96cae95a3a94018ea6a2ea2dee654753fd94eb2989c0043d95e85e18dbdf20f6
-
Filesize
96KB
MD5676e9c3e321530d6b378f0fbba7a50fc
SHA1715ca7abaeb3d3a90d17233e5aab559e2539142b
SHA256f2ae900c0f7f95b923ff35c39dd9534ac7e33e93fc05a2fd74615ee6a5cbd18b
SHA5127d38e50092d47080145f68bfa033045d4b39a6402c40aa1b23bfece4d2044feb1ba3a2971cadbe4bd75d34d098bd4b076ec4bcec8a5a61ed7746e3bea7fe5c57
-
Filesize
96KB
MD58a8a6a98e809d74919fe768124456140
SHA118aa2a3c5592b433db0256aa45016f4112615704
SHA2567db305a793e56e98114beb385ed0869933bce22db4b7352e3571405ce3c36173
SHA5126ed09f36a010434a1ab51d0e479934526cdc23e53c9eb4c1f98645ef76a4d61b6b9f9b1c7d44629fd46a00c7c6b570dcf7c81be772031b3e4ecdf62201695346
-
Filesize
96KB
MD5baa914ab7d105ab714d7050b5baec87a
SHA13770a34d9b683fa2aa59c74527278461215fc014
SHA2564d390609a56a07df3d42e9ab1690c94e0451420be2d7f012326c51e298ed82d3
SHA51297fbeed8fced3e3ebf9d754757b1c3ea0ce451365d6a19f42e35d388a5a8460114839e48a6a95a77e18fbadeb4b238a6afe4a63ba089d03d7f4f84944d3aff8b
-
Filesize
96KB
MD54948329a5da3f151d2b2f4ca5e1a7a80
SHA18b2babcd92090a82198596451988469a5071e8ea
SHA256d119640b5b173e0126a362cdb7d7a29a7e93c73b93f7b7c5ac107c1b010b7db1
SHA51272164885c82c90c08c63f703a03eaeb6b1ebf67c923f4159d4a24d547a5c6861257ffc38c878cf0a4f6079cf4cc0ebd84d4f287fce5e581114a2d24e79536744