Analysis
max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 12:28

Static task: static1

Behavioral task: behavioral1
Sample: 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
Resource: win10v2004-20241007-en

The Analysis block above (platform windows10-2004_x64, resource win10v2004-20241007-en) is the run for behavioral2.

General
Target: 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
Size: 768KB
MD5: 0c750354d7a0c87f4e707b4e2a40bb3b
SHA1: 293b2e47f79a82de23971d45ffbd4ea3eb3176dd
SHA256: e8eaf9490dbbcc19dc3e90ea6bda091755ee82221b291fe70ed19d48594c9c31
SHA512: 80c6827144241e041f4b5480d9e033f93f018b9fe5d5a70601cdd6e31ced05c1b7152b9e88fccad959f9525b9e372ea127117c2d3657da943d0a606114c44f38
SSDEEP: 24576:31Lim0BmmvFimm0Xcr6VDsEqacjgqANXcolMZ5nNxvM0oL+:lLGiTWVDBzcjgBNXcolMZ5nNxvM0oL+

Note: the SHA256 computed for the submitted file (e8eaf949...) is not the hash-like prefix in the file name (08a30dee...N). The file name is therefore not a reliable identifier for this sample; pivot on the computed hashes above.
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
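The extracted configuration above lists the request paths the implant uses; the last one is a printf-style template whose fields are filled in at runtime. The Python below is an added example and not part of the sandbox report: it turns those templates into anchored regular expressions and runs them over a few constructed proxy log lines. Assumptions made here: the host component "f" in the extracted URLs is a placeholder, so matching is on path and query only; a "%s" field never contains ":" (the template's own separator); "%09u" and "%02d" are zero-padded minimum widths, so longer numbers still match; and the log lines are a constructed three-column "client method url" format, with documentation IP addresses standing in for real hosts.

```python
import re
from urllib.parse import urlsplit

# Request templates as extracted from the sample's configuration (Malware Config
# section). The host part "f" is reproduced as extracted and is ASSUMED to be a
# placeholder, so only path and query are matched.
BERBEW_TEMPLATES = [
    "/wcmd.htm",
    "/ppslog.php",
    "/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# printf conversion -> regex fragment. ASSUMPTIONS: a %s field never contains
# ':' (the template's own separator); "%09u" / "%02d" zero-pad to a minimum
# width, so longer numbers are still valid.
_CONVERSIONS = {
    "%s": r"[^:&\s]+",
    "%i": r"-?\d+",
    "%09u": r"\d{9,}",
    "%02d": r"\d{2,}",
}


def template_to_regex(template: str) -> re.Pattern:
    """Compile a printf-style path template into an anchored regex."""
    parts = []
    i = 0
    while i < len(template):
        for conv, frag in _CONVERSIONS.items():
            if template.startswith(conv, i):
                parts.append(frag)
                i += len(conv)
                break
        else:
            # Not a conversion: escape the literal character.
            parts.append(re.escape(template[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


PATTERNS = [(t, template_to_regex(t)) for t in BERBEW_TEMPLATES]


def match_url(url: str):
    """Return the template that a URL's path+query matches, or None."""
    u = urlsplit(url)
    target = u.path + ("?" + u.query if u.query else "")
    for template, rx in PATTERNS:
        if rx.match(target):
            return template
    return None


def scan_proxy_log(lines):
    """Return (client, url, template) for every line whose URL matches.
    Log format is a constructed 'client method url' triple per line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        template = match_url(fields[2])
        if template:
            hits.append((fields[0], fields[2], template))
    return hits


# Constructed proxy log lines: a check-in, a command fetch and a ppslog post
# plus benign traffic. 203.0.113.7 / 198.51.100.9 are documentation addresses,
# not real infrastructure. The last line has a too-short %09u field.
SAMPLE_LOG = [
    "10.0.0.12 GET http://203.0.113.7/piplog.php?WIN10-DESK:7:1:Administrator:000123456:2:11:11:24",
    "10.0.0.12 GET http://203.0.113.7/wcmd.htm",
    "10.0.0.31 GET http://example.test/index.php?id=5",
    "10.0.0.44 POST http://198.51.100.9/ppslog.php",
    "10.0.0.44 GET http://198.51.100.9/piplog.php?short:1:2:x:123:4:05:06:07",
]

if __name__ == "__main__":
    for client, url, template in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  (template {template})")
```

Matching on the template structure rather than on the host keeps the rule useful when the C2 host changes; "/wcmd.htm" and "/ppslog.php" alone are weak on their own and are best used together with the piplog pattern from the same client.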
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmbfpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmiflbel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnkplejl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfolbmje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeniabfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odapnf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmdkch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amddjegd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amddjegd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Banllbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlmllkja.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pggbkagp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aminee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Accfbokl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Banllbdn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncdgcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nggjdc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oncofm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cndikf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odapnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnonbk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmefhako.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olhlhjpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ampkof32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfhhoi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lphoelqn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfcfml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afmhck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Chagok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceehho32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgkjhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnonbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceehho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nggjdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pgefeajb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmiflbel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnqbanmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afoeiklb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baicac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bffkij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Chokikeb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceckcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgimcebb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afhohlbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afhohlbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnhjohkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Baicac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnicfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Likjcbkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnbmefbg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afmhck32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cenahpha.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chokikeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbdolh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgimcebb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cenahpha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceckcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dejacond.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnqbanmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odmgcgbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onjegled.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnicfe32.exe

Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
1744 | Likjcbkc.exe
956 | Lbdolh32.exe
1696 | Lmiciaaj.exe
2656 | Lphoelqn.exe
2012 | Meiaib32.exe
2600 | Mgimcebb.exe
2232 | Mmbfpp32.exe
4784 | Mgkjhe32.exe
5024 | Mnebeogl.exe
1456 | Ncdgcf32.exe
3400 | Nlmllkja.exe
1256 | Neeqea32.exe
2104 | Nloiakho.exe
1972 | Nggjdc32.exe
3024 | Nnqbanmo.exe
4596 | Oncofm32.exe
4616 | Odmgcgbi.exe
4992 | Olhlhjpd.exe
3004 | Odapnf32.exe
4228 | Ogpmjb32.exe
404 | Onjegled.exe
2776 | Pgefeajb.exe
3740 | Pnonbk32.exe
3660 | Pggbkagp.exe
3252 | Pmdkch32.exe
2916 | Pqbdjfln.exe
876 | Pfolbmje.exe
740 | Pqdqof32.exe
2696 | Qfcfml32.exe
4416 | Qqijje32.exe
1272 | Ampkof32.exe
2744 | Afhohlbj.exe
4836 | Amddjegd.exe
2772 | Afmhck32.exe
3344 | Aeniabfd.exe
2284 | Afoeiklb.exe
3456 | Aminee32.exe
60 | Accfbokl.exe
4952 | Bnhjohkb.exe
1416 | Bjokdipf.exe
2688 | Baicac32.exe
2368 | Bffkij32.exe
4584 | Beglgani.exe
3536 | Bfhhoi32.exe
2976 | Banllbdn.exe
1656 | Bfkedibe.exe
1652 | Bnbmefbg.exe
3392 | Chjaol32.exe
3756 | Cndikf32.exe
1076 | Cenahpha.exe
4468 | Cfpnph32.exe
3948 | Cmiflbel.exe
4392 | Chokikeb.exe
3048 | Cnicfe32.exe
3848 | Ceckcp32.exe
3676 | Chagok32.exe
2800 | Cnkplejl.exe
464 | Ceehho32.exe
2132 | Cffdpghg.exe
3592 | Cnnlaehj.exe
1916 | Dfiafg32.exe
4608 | Dejacond.exe
1524 | Dmefhako.exe
2964 | Ddonekbl.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Lffnijnj.dll | Mmbfpp32.exe
File opened for modification | C:\Windows\SysWOW64\Ogpmjb32.exe | Odapnf32.exe
File created | C:\Windows\SysWOW64\Kofpij32.dll | Beglgani.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dgbdlf32.exe
File created | C:\Windows\SysWOW64\Deimfpda.dll | Likjcbkc.exe
File created | C:\Windows\SysWOW64\Cmlihfed.dll | Meiaib32.exe
File created | C:\Windows\SysWOW64\Bfkedibe.exe | Banllbdn.exe
File created | C:\Windows\SysWOW64\Dapgdeib.dll | Mnebeogl.exe
File opened for modification | C:\Windows\SysWOW64\Afhohlbj.exe | Ampkof32.exe
File created | C:\Windows\SysWOW64\Mgbpghdn.dll | Aminee32.exe
File created | C:\Windows\SysWOW64\Ddonekbl.exe | Dmefhako.exe
File created | C:\Windows\SysWOW64\Bobiobnp.dll | Dfpgffpm.exe
File created | C:\Windows\SysWOW64\Dbagnedl.dll | Pmdkch32.exe
File opened for modification | C:\Windows\SysWOW64\Bffkij32.exe | Baicac32.exe
File created | C:\Windows\SysWOW64\Bnbmefbg.exe | Bfkedibe.exe
File created | C:\Windows\SysWOW64\Cndikf32.exe | Chjaol32.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dgbdlf32.exe
File opened for modification | C:\Windows\SysWOW64\Likjcbkc.exe | 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
File opened for modification | C:\Windows\SysWOW64\Mgimcebb.exe | Meiaib32.exe
File created | C:\Windows\SysWOW64\Nlmllkja.exe | Ncdgcf32.exe
File created | C:\Windows\SysWOW64\Gnpllc32.dll | Nggjdc32.exe
File created | C:\Windows\SysWOW64\Afhohlbj.exe | Ampkof32.exe
File created | C:\Windows\SysWOW64\Flgehc32.dll | Cenahpha.exe
File created | C:\Windows\SysWOW64\Cmiflbel.exe | Cfpnph32.exe
File opened for modification | C:\Windows\SysWOW64\Lmiciaaj.exe | Lbdolh32.exe
File created | C:\Windows\SysWOW64\Nodfmh32.dll | Lphoelqn.exe
File opened for modification | C:\Windows\SysWOW64\Pgefeajb.exe | Onjegled.exe
File created | C:\Windows\SysWOW64\Pqdqof32.exe | Pfolbmje.exe
File created | C:\Windows\SysWOW64\Bjokdipf.exe | Bnhjohkb.exe
File opened for modification | C:\Windows\SysWOW64\Cnnlaehj.exe | Cffdpghg.exe
File created | C:\Windows\SysWOW64\Ingfla32.dll | Cffdpghg.exe
File created | C:\Windows\SysWOW64\Odapnf32.exe | Olhlhjpd.exe
File created | C:\Windows\SysWOW64\Fqjamcpe.dll | Chjaol32.exe
File opened for modification | C:\Windows\SysWOW64\Cnkplejl.exe | Chagok32.exe
File created | C:\Windows\SysWOW64\Ochpdn32.dll | Pfolbmje.exe
File opened for modification | C:\Windows\SysWOW64\Qfcfml32.exe | Pqdqof32.exe
File created | C:\Windows\SysWOW64\Lommhphi.dll | Accfbokl.exe
File created | C:\Windows\SysWOW64\Bfhhoi32.exe | Beglgani.exe
File created | C:\Windows\SysWOW64\Naekcf32.dll | Olhlhjpd.exe
File created | C:\Windows\SysWOW64\Onjegled.exe | Ogpmjb32.exe
File created | C:\Windows\SysWOW64\Jekpanpa.dll | Cnkplejl.exe
File opened for modification | C:\Windows\SysWOW64\Odapnf32.exe | Olhlhjpd.exe
File created | C:\Windows\SysWOW64\Hjlena32.dll | Afmhck32.exe
File created | C:\Windows\SysWOW64\Cnicfe32.exe | Chokikeb.exe
File created | C:\Windows\SysWOW64\Dfiafg32.exe | Cnnlaehj.exe
File created | C:\Windows\SysWOW64\Popodg32.dll | Pnonbk32.exe
File opened for modification | C:\Windows\SysWOW64\Pqbdjfln.exe | Pmdkch32.exe
File created | C:\Windows\SysWOW64\Pfolbmje.exe | Pqbdjfln.exe
File created | C:\Windows\SysWOW64\Lbdolh32.exe | Likjcbkc.exe
File opened for modification | C:\Windows\SysWOW64\Meiaib32.exe | Lphoelqn.exe
File opened for modification | C:\Windows\SysWOW64\Mmbfpp32.exe | Mgimcebb.exe
File created | C:\Windows\SysWOW64\Nggjdc32.exe | Nloiakho.exe
File opened for modification | C:\Windows\SysWOW64\Cffdpghg.exe | Ceehho32.exe
File created | C:\Windows\SysWOW64\Nnqbanmo.exe | Nggjdc32.exe
File created | C:\Windows\SysWOW64\Amddjegd.exe | Afhohlbj.exe
File created | C:\Windows\SysWOW64\Bkjpmk32.dll | Aeniabfd.exe
File created | C:\Windows\SysWOW64\Bnhjohkb.exe | Accfbokl.exe
File created | C:\Windows\SysWOW64\Bneljh32.dll | Bjokdipf.exe
File created | C:\Windows\SysWOW64\Lemphdgj.dll | Mgkjhe32.exe
File created | C:\Windows\SysWOW64\Nnjaqjfh.dll | Banllbdn.exe
File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | Deokon32.exe
File created | C:\Windows\SysWOW64\Fmijnn32.dll | Mgimcebb.exe
File opened for modification | C:\Windows\SysWOW64\Pmdkch32.exe | Pggbkagp.exe
File opened for modification | C:\Windows\SysWOW64\Ceckcp32.exe | Cnicfe32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3564 | 3280 | WerFault.exe | 159
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 rows share the same description and ioc:
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (in report order): Olhlhjpd.exe, Odapnf32.exe, Beglgani.exe, Cmiflbel.exe, Lphoelqn.exe, Mnebeogl.exe, Nggjdc32.exe, Oncofm32.exe, Amddjegd.exe, Aminee32.exe, Ncdgcf32.exe, Pqbdjfln.exe, Bffkij32.exe, Cffdpghg.exe, Nloiakho.exe, Pggbkagp.exe, Qqijje32.exe, Ddonekbl.exe, Ceehho32.exe, Cnnlaehj.exe, Dfpgffpm.exe, Likjcbkc.exe, Accfbokl.exe, Bfkedibe.exe, Ceckcp32.exe, Ampkof32.exe, Baicac32.exe, Neeqea32.exe, Pgefeajb.exe, Pmdkch32.exe, Qfcfml32.exe, Cfpnph32.exe, Dejacond.exe, Dgbdlf32.exe, Mgimcebb.exe, Onjegled.exe, Pqdqof32.exe, Bfhhoi32.exe, Aeniabfd.exe, Bnbmefbg.exe, Cndikf32.exe, Deokon32.exe, Nnqbanmo.exe, Bnhjohkb.exe, Chjaol32.exe, Cnkplejl.exe, Mmbfpp32.exe, Pnonbk32.exe, Chokikeb.exe, Dodbbdbb.exe, Dmjocp32.exe, Lbdolh32.exe, Cenahpha.exe, Dmllipeg.exe, Afhohlbj.exe, Bjokdipf.exe, 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe, Mgkjhe32.exe, Odmgcgbi.exe, Ogpmjb32.exe, Nlmllkja.exe, Pfolbmje.exe, Dfiafg32.exe, Dmefhako.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Olhlhjpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lbdolh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | Dmjocp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll" | Qqijje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" | Bjokdipf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bffkij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" | Ceckcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll" | Ampkof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" | Bfkedibe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bjokdipf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfpnph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ceehho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dejacond.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" | Dodbbdbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" | Pqdqof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cnkplejl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cndikf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cffdpghg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll" | Lbdolh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mnebeogl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Neeqea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oncofm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odapnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pfolbmje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll" | Afmhck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll" | Aminee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Likjcbkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll" | Onjegled.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll" | Afhohlbj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Baicac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" | Cenahpha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" | Cfpnph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dodbbdbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll" | Cmiflbel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" | Ceehho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll" | Nnqbanmo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgefeajb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bffkij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" | Ddonekbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" | Chokikeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Chagok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll" | Likjcbkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll" | Cndikf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nnqbanmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfkedibe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Odmgcgbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" | Olhlhjpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pggbkagp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pqbdjfln.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qqijje32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Accfbokl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cndikf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mmbfpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncdgcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll" | Nloiakho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cenahpha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" | Beglgani.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Chjaol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dgbdlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Baicac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Chokikeb.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3620 wrote to memory of 1744 3620 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe 83
PID 3620 wrote to memory of 1744 3620 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe 83
PID 3620 wrote to memory of 1744 3620 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe 83
PID 1744 wrote to memory of 956 1744 Likjcbkc.exe 84
PID 1744 wrote to memory of 956 1744 Likjcbkc.exe 84
PID 1744 wrote to memory of 956 1744 Likjcbkc.exe 84
PID 956 wrote to memory of 1696 956 Lbdolh32.exe 85
PID 956 wrote to memory of 1696 956 Lbdolh32.exe 85
PID 956 wrote to memory of 1696 956 Lbdolh32.exe 85
PID 1696 wrote to memory of 2656 1696 Lmiciaaj.exe 86
PID 1696 wrote to memory of 2656 1696 Lmiciaaj.exe 86
PID 1696 wrote to memory of 2656 1696 Lmiciaaj.exe 86
PID 2656 wrote to memory of 2012 2656 Lphoelqn.exe 89
PID 2656 wrote to memory of 2012 2656 Lphoelqn.exe 89
PID 2656 wrote to memory of 2012 2656 Lphoelqn.exe 89
PID 2012 wrote to memory of 2600 2012 Meiaib32.exe 90
PID 2012 wrote to memory of 2600 2012 Meiaib32.exe 90
PID 2012 wrote to memory of 2600 2012 Meiaib32.exe 90
PID 2600 wrote to memory of 2232 2600 Mgimcebb.exe 92
PID 2600 wrote to memory of 2232 2600 Mgimcebb.exe 92
PID 2600 wrote to memory of 2232 2600 Mgimcebb.exe 92
PID 2232 wrote to memory of 4784 2232 Mmbfpp32.exe 93
PID 2232 wrote to memory of 4784 2232 Mmbfpp32.exe 93
PID 2232 wrote to memory of 4784 2232 Mmbfpp32.exe 93
PID 4784 wrote to memory of 5024 4784 Mgkjhe32.exe 94
PID 4784 wrote to memory of 5024 4784 Mgkjhe32.exe 94
PID 4784 wrote to memory of 5024 4784 Mgkjhe32.exe 94
PID 5024 wrote to memory of 1456 5024 Mnebeogl.exe 95
PID 5024 wrote to memory of 1456 5024 Mnebeogl.exe 95
PID 5024 wrote to memory of 1456 5024 Mnebeogl.exe 95
PID 1456 wrote to memory of 3400 1456 Ncdgcf32.exe 96
PID 1456 wrote to memory of 3400 1456 Ncdgcf32.exe 96
PID 1456 wrote to memory of 3400 1456 Ncdgcf32.exe 96
PID 3400 wrote to memory of 1256 3400 Nlmllkja.exe 97
PID 3400 wrote to memory of 1256 3400 Nlmllkja.exe 97
PID 3400 wrote to memory of 1256 3400 Nlmllkja.exe 97
PID 1256 wrote to memory of 2104 1256 Neeqea32.exe 98
PID 1256 wrote to memory of 2104 1256 Neeqea32.exe 98
PID 1256 wrote to memory of 2104 1256 Neeqea32.exe 98
PID 2104 wrote to memory of 1972 2104 Nloiakho.exe 99
PID 2104 wrote to memory of 1972 2104 Nloiakho.exe 99
PID 2104 wrote to memory of 1972 2104 Nloiakho.exe 99
PID 1972 wrote to memory of 3024 1972 Nggjdc32.exe 100
PID 1972 wrote to memory of 3024 1972 Nggjdc32.exe 100
PID 1972 wrote to memory of 3024 1972 Nggjdc32.exe 100
PID 3024 wrote to memory of 4596 3024 Nnqbanmo.exe 101
PID 3024 wrote to memory of 4596 3024 Nnqbanmo.exe 101
PID 3024 wrote to memory of 4596 3024 Nnqbanmo.exe 101
PID 4596 wrote to memory of 4616 4596 Oncofm32.exe 102
PID 4596 wrote to memory of 4616 4596 Oncofm32.exe 102
PID 4596 wrote to memory of 4616 4596 Oncofm32.exe 102
PID 4616 wrote to memory of 4992 4616 Odmgcgbi.exe 103
PID 4616 wrote to memory of 4992 4616 Odmgcgbi.exe 103
PID 4616 wrote to memory of 4992 4616 Odmgcgbi.exe 103
PID 4992 wrote to memory of 3004 4992 Olhlhjpd.exe 104
PID 4992 wrote to memory of 3004 4992 Olhlhjpd.exe 104
PID 4992 wrote to memory of 3004 4992 Olhlhjpd.exe 104
PID 3004 wrote to memory of 4228 3004 Odapnf32.exe 105
PID 3004 wrote to memory of 4228 3004 Odapnf32.exe 105
PID 3004 wrote to memory of 4228 3004 Odapnf32.exe 105
PID 4228 wrote to memory of 404 4228 Ogpmjb32.exe 106
PID 4228 wrote to memory of 404 4228 Ogpmjb32.exe 106
PID 4228 wrote to memory of 404 4228 Ogpmjb32.exe 106
PID 404 wrote to memory of 2776 404 Onjegled.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe"C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3740 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3660 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3252 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4836 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3344 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4584 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3536 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4468 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4392 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3592 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe71⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 412 72⤵
- Program crash
PID:3564
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3280 -ip 3280 1⤵
PID:2060
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
768KB
MD5cdc02ee585e81cf2d586c4b4001272a7
SHA1e8f928ab83337419a1b50ba45e15a7c6f0f68543
SHA256169150a6cc0af693e3e693fc21b3ef26c5dd2729812eb08d8014119ae0fedabc
SHA512884d0eab04ae16f868d3b7950e222f9c0dd06f75063b772341cb2a9298df6ba442e38ab49e605f4b1e6dad74175809602ec1ae8fbbbd0c738599513428599c71
-
Filesize
768KB
MD56b39a5b48be65da56ce495e9cf7121cc
SHA1e2f28df7cf05c085b93da2bbd3913d4eaf94a99c
SHA2567b8f176e7868fb85db214d7a53e1ca0c6ec7c62cffbd85236d8004cb5ade1d20
SHA512165ebdb95478868e2254404866dd37d136260be44d3c40850affc49442d8071866d018192f2526fba75fab8ca455fd1af79435d481bd24e248a876e4768aeb26
-
Filesize
768KB
MD5633166dd4cde66b9ff03393531db2862
SHA12936f1215b5b2fff2aae4047973a7a8126bb4834
SHA256218b685bf44f8e3ab99ca3a5e167cc615d1b9634fa2ad5ff5d9c47fc6224da2e
SHA512c77324d49b39c004d3c995558d5d51f2546611d5bf788a9fd452267d6c82f380876afcd17f5c596d5482f732f797c6831c13acf4dc7dad73acf8706cb7a5ea4c
-
Filesize
768KB
MD507f4a3a9d17d6d3161cb7800ee6093ca
SHA130c6677e8c86d767d27aba85bb318e0ad8aaa7c0
SHA256ad9cef602eb338b8e6cca0e8481b8e1fa8999c1bb671b6cd0a5f60c0eb339447
SHA512d8649dd6c42c3cb409c11a37e5e3c76570fe860bc8829e4f7ddbedb3d51b7f6765cbaeb841c682e8ad12c04ec4234f159e99739ad1904203676205a96d1e100e
-
Filesize
768KB
MD582febd1ff4ebc9389d01033677a33f26
SHA161921ef37d5830af8da7f6ead932a77b51b964a1
SHA256de8d130897ffacb2edbb52ea5db9a7eddc439f5ead886a6e1256b4a090da20b7
SHA51201cfada23cdcbfb2e1162d7bea2d43b61e22327d561bd4d369e72d30d2d200e3cac4b52b6e0bfdd0bdd15e9beebfc69cc153beda7c7fd17e31c28280a1407e46
-
Filesize
768KB
MD5dc331f642ee639cb3fb402b18f02481e
SHA1cd487641af04c08445d1d2e8d253b1934bb2a3c1
SHA256e3e1db43219618e5d0532f912397b981040f8e5f92f71f36bad54611460bb2aa
SHA512a3a63d148d0322f4178018e012cef4398184db58c788a0d2ebe72ddb044962f98e79e77263f49492b83d7497109fcefcff88c4fd4a6145619f92f4803176fd1c
-
Filesize
768KB
MD58f106de90e0c263a79a5e0e1bd06b5e8
SHA13e9bb2ca7f5158c66c18fcd79004bfc98561fb7d
SHA2568a305a2d83f48c19b79b469fbf83aa2f0563b68dec7bc001f8bdf7c6ba01a544
SHA512ece20736ee3773c7d74a1f89793c12c8f36daf83aa4851622f797e9493e9639520a53e223ec81d9740753b8ff7a9b6c74b4f6f6846a231bb531721b47934d956
-
Filesize
768KB
MD5145e9cf48b52996b2769753e5cf4e41f
SHA1bc82691556bc050ce3e25f8c67f0eadae6eb5919
SHA256157cf5b3d5de1b19096ddcb4616e334cb26efeadaa3870c4b5a50433ced97d41
SHA51207c7ad252088091cae782eb058245324f5445e5ee3dd7d9e9aa195e050ccb5442b9e034c8615148534faca953340a021d43e9ef847602900887f170bff7f0fb9
-
Filesize
768KB
MD5eac0413315aabba1311a105b76f0b564
SHA1a41e8157420354b54961e21473a391b1e8ba88e0
SHA256803f09d24a6842769686e12678ca3bca07c721a5dc8bb94d03408c3883beebd4
SHA512c806c13a577f6f2740658726c874884c75306e065410d4641ba49c284090b7472bf84fabead4c968d0dde35aeff8edc46ef0899ae64bdc6356a31962eb0a61f7
-
Filesize
768KB
MD514ee15ec59e31451bf047d0980c25dc2
SHA1d7f113ca01b4d5a6cddb83ceed95fbd1ba0cbc12
SHA25697a0b58457e931f138161d785670d16256ffdd256497e3fb8de82ffaa4e69763
SHA512be62d403826823e21dbf1faebc2c399bb7f6ba9d23380c9d802b943e63328e8784ed58c059e47153f133a359af3a56a94b35cecb3b34d5739170680acec80a57
-
Filesize
768KB
MD54dc5637bece21dbc5324312f4bc7568d
SHA1c19e14d85efc81bf13f64154cba5bcf46f98305e
SHA256fd5ce06a3abc7444f99f80c23ea0a63347d0e71fcc906c104b7992e56f01b518
SHA512a533b4f01f2ae9cc538371d015c44a9157c7f4a68ba18a829323957692331a4489b3ed4609a310dca3db5ce773814140c2be0b52ef4cf26108a40830e88cdfd5
-
Filesize
768KB
MD55ffa25370dbbb4d932a092ae43a0bfc0
SHA11a9ecf36bc6c3f80bda5a69ed524fb90e873678d
SHA256251889203f9d03c10f1ddfe13cded4af3ffe11f87d357000597f1da8bb1f4e03
SHA5128b35b736f89f0fd61949c266e55861f3ad199d65277e06d8e0fdf096edcc41a777796631b52b7e5a7d245eb7d499c5f4102829d0fb69e2f2f20366ad2a9f133e
-
Filesize
768KB
MD579814ccd9d0c8c3f356c77ba097a708e
SHA19aea7ad4db6b9468358fd725147bb4af1230d6d9
SHA256b74f2a6a5bcb3344b6365c6dc856e4451a00c05ffcd18e0bec0394c5672f5c83
SHA512ce1adeb56f1ec9399f4f20a06b05e93999ff78c2795c6f2df81fcc6aa2c6aa5b5e7488e6bdf861ade472476f9b85a03a4891a7bc14af0ccbc10c45e70b56604b
-
Filesize
768KB
MD51efdbffb32f1af6a64ecdbac87f1875a
SHA1dd172992a7f01c7ad45f415ba1af0f4dd0795317
SHA25635152ac9cc1e6c587d93cf503864be5e4f47bdd9f2ad48369093ec691be5abe1
SHA512969ba1e173bf64f0c6dad8065ed5b67eea0849825ae5a6a04cfaeb841c7629fcfcb1ada61b206e32eb78b2be86abbf32fa661d3a51cde79b83703ef09c80e5d0
-
Filesize
768KB
MD522c408ec59f975e571a9716767b9b91a
SHA1be3b0220fb79b4cf3230f4317364deab64b01382
SHA256fd75c06a7480744f000b1a051edd4e06823cf56c5140afdde4789fa1eea6c93a
SHA512b4cbe7f1f2658e2f50e9489dd3aab5a5294b06d4be1075dfaa8b0f5d1e3689183e7bdc139c37fe1e335ad3ad543b2cc31144bf6edd8e49788a81f7da56801776
-
Filesize
768KB
MD50c2d65b99eee76a5b0ff0b4adf9b6488
SHA11f1f0537821e30d6d2a41e0612b5e05bbb00c135
SHA2566889dc4ed004634eeff3a32abed4fd05bf23e9c7c2f3227ed61092c646cb1806
SHA512e4af3d223cdb6b4c01b50cedf06b8839f1951fa569825d14d290f28a5614156093c916897bf8e7f0aab539bb37a3911b4b5584d6ee08c689bc3f4a5f5b01672b
-
Filesize
768KB
MD5f252b824646ad0bdd62e0b6543b5db21
SHA17843ea5a1468b2630afdba10110e12d89875d589
SHA256cc575a85cc7a4f0f5e5a2ff7c994c91de16ae3a660472eccbc760b9f296b15a6
SHA512ed00f34f5d7e7f0179dd93a6024cb3806c9ce593fa790818d7451d1282e3d95c5751447d592a735ea0f5ac1d78610b2cb4e4c391bec7a4a15f14bcaf8910cb80
-
Filesize
768KB
MD542c915b1dc1ba5411848765d0dcc5994
SHA18fb5196a237675a6b0979979e59bb61ab4049839
SHA25610655f16f08cdad455ec884c861c1d6415fdd30f91b2713479d901f3808210f0
SHA512a9cfb68c39531800100ca4d01c4273baf694827ad4dbd65b88341a54016b73c0967c6deeebd226620955cedf281a49307e8bb905e43c597a234019d9e238f375
-
Filesize
768KB
MD5aeba101a48e9bd851ece95c6a5ad5cac
SHA10f888b4c0553327d8d6be86a9527172c9c47b3bf
SHA2564f222c7ea24d74bc0ca2d00dc2f66ca99d11b128b1cb743a24bf54bf90dd1253
SHA512a256be53da068de27f5dc2acf682d0d00efed8f9006ee94ea2a990a5ab06faf65d411d9431395e3b4828d55bc142e31dbef07edec1deff5174638964f06e2e8a
-
Filesize
768KB
MD5d63a2b0db64b202df0cee211fed3ad03
SHA14885317d384cbcde5d4fa4bad75b78382b6977d4
SHA256884221634173640682ac58ff0caffe59e07896a97a1a828e9a2640de9ca949bc
SHA5120e9eaadd658a1b6cf8eb29a197fca813e7c0dd19438eb118f8fd0aa676934ee421a2785dc4f0d378f823f99b7a992bf16be62e99be7bd013ce645a6cc2ba9562
-
Filesize
768KB
MD5684547473f82574c53e335a9a3f0cb33
SHA137e7484cacf45b7a1e7987beb27d5fdccff5c1bd
SHA25648257ccfc7abfb6a9739ca904acf2f935b3d240a2cd74731b829cf3839174d0f
SHA512124a5698144caa9ab709d73dd4da21bbd96585a2dd93351051712749fbe8889d60ca5569c769fd170391a4885bf061628f747dbca5f4c9b6e5e0792ebecae1a9
-
Filesize
768KB
MD5f9ef871c43dfde22ab3ea03abf7c28f9
SHA1bde58f9dcd70878f08ee2d02c76b4c2af5d9c68d
SHA25681a25da239b81ee0990c6989605becf2705701c2d1663854859ed77858b2d425
SHA51214a76103159bc721928032cc273ef8a32e192f3caaf737c933555c39dd470ae10c8937732a0efa424c83482a94d3b0594686f1c134c8771f4e71e0d1a38e0679
-
Filesize
768KB
MD5394f3567ef45693f86e1e80a0218906f
SHA182d8731a17e71b9f6579e4333f96124a843ae44b
SHA2565a445659f486bbe7e9b95218e4cfc4c5651ab27679857a3ff2f0860f49b50e95
SHA51248d4410447f85f44bdd7709ef388dcabceda9186824e545c1174f776d806e9afe8705c0bb33d461ac2feb2317f19e11dd3a9755be2e4f1c2fbb73c9738438a91
-
Filesize
768KB
MD5906ee72e81725d60e30839d308031ed9
SHA14a60542cdaf67aee47a2b1455f7c2e8577a12a02
SHA25611a5339b87ce904401c19960f202a3748ca79fa396f9d25b6b4c236230fa30e2
SHA5121ad1d0bfdbdf24acdf09de6f8fb12e115482f27a9f038daa19efc1a9d6027fc47b187e7a32561c796cdfe65e437784e3e16c04bae511caee02e5b207a1fcfda7
-
Filesize
7KB
MD58e8855859aa804a91ace2f51edf1e6e1
SHA1e45955a19e25b249a9e3f92dbf3bf3f25ad4ff5e
SHA256382bff50cf24603b1e43c00dd502f14f643739225758448d2c5cba75b2554571
SHA512a13bdd9199919f1353eb36255a045609094b85d7514c61e715d20cce2d5f6140cef21ddd677c02066e24347ab7c9a4ddca5f013bbfb0dfa9feeeeaa9e69b215d
-
Filesize
768KB
MD500dd76973ae80772ac9cdccfb2dd8962
SHA1f809ce92d23195f9703b190a42cde5a582c5845f
SHA25697e973947898e140549a24f3993fbc498cccb679da11abe10b0ebe301591cffd
SHA512f4b2365c2b81e7516085a8b59a5324dad1c8c6cf1b03ae6280e3e0133a773783d6d6cb193158d1d388eb1b2e0a94484bc593a356ae8e6d01bfb6b71ac37386a5
-
Filesize
768KB
MD5fd39674ae4a45595608f0744fd990221
SHA1c8230906101d9bcc601034499a0547bd3deb8a5e
SHA256451bf4630b4c7010a9d6b26ec3b08af8d60806dc16e25d422b8b6eabe167d749
SHA51270c75ed5e004afcc02a0a56dafdf331a3b70e7ad9c3c0f592787dd250d6cca4bf92973c3855098b1520cf392f9635d570cd1ea36f3316006210292ec6124b7cd
-
Filesize
768KB
MD5bfac207f8470cd1796478927eacac477
SHA1434d993c65d4fff8459b16da1b6662f46bf5b29b
SHA256b83643d72887076039f5d85e982780a0cce28efb675b734ce7b5b4af3e773360
SHA5123d4f4c9067c87cbce56fdd208ed49af9502d7bb7bfcd02274d504c2a990f90ec610a6e111c414ce86758182f8b969c90f0ec00cfb4fddb5064739175e017b742
-
Filesize
768KB
MD51203ec78a8499bacd41e77c9fad5ec09
SHA1a67c7f133e602a7960b5c53413ecc6598c4b8aea
SHA2562970bc6449add2bc082514f2c14821c7c8362c93184d69395051717b0c032321
SHA512f23b5defe03396c5b9690c0d28b828965de1caddb083d81156b512b61ba8a6fcc8de0dbd3195ac82d343a78e7521a2eb706ca15ead0859d4662ab13c0004991d
-
Filesize
768KB
MD5b5a4e2dbf80d6fd6e319d3c7b6737a6d
SHA16206c0975ec22f029ecdd33c29a0aba1c5d783fe
SHA256f049607672553295f2bf32e5d65f4de0755ae854987f132976599647c18fea99
SHA5120af84452117a36f8f05a7373164cf2a57d8377f14c2016c7a5720bd8435980b3fc1022ff78fa711701ed00b02c870945c3b0481684e0614069ce717b56ca6ec9
-
Filesize
768KB
MD51230c43dc2dc474850de6e84bd7ee576
SHA1cef13155a97b18c9f46c86da654322a1f03305c1
SHA2563bb6be8f773a6c814e3f4be41ceb34e7f73f4a4132b3b76d34520f158adf5224
SHA5124ce88d8fd8a9a579c289c071e8123027fc6dfe3d0af2326bc3871be93597ebfca243663aef8217065943199cdee227700c3389b1964e39d2df2b8a264c3eaea8
-
Filesize
768KB
MD587f78d854a2ea869546dcfedcabca15a
SHA1e3895fde49f965848a5ef3711c8030e48811e09d
SHA25676b2e740c8c1deb2f600c0b42dac86127f224ecbeaf926f538330e818adfc8ce
SHA51243092b991493d7b014feeaa9851e7a5db7b7d416fe15b11b1d66b015652d04df81aabb86ecaba17f720b9e7367efa4e97b171567e4e02118836e2362bbfafadc
-
Filesize
768KB
MD5
93c90c57693127a9d138552d7f962876
SHA1
dbd730854fe111f566806c6c419215063a68f7cd
SHA256
4b383d9a77214a77e3df7f544bd7c05736767b822ccb2a17dc230d3e80db04dd
SHA512
9a6aa25224587ef05edcd156389db8b1d9a91a7d79ec59a3403f104971c7755f9791ce1c22f1b907c0b9267235db85611eeb1533d6e165328336c191c131afda
-
Filesize
768KB
MD5
2b0bc438eb1a0f3b96770ecbbb716423
SHA1
f5d3aaf233500390f7fd164631b4a44a4c75922c
SHA256
26996b1226131e757c1faa3dac5a4f5fdd440215a6a125f6252547fca29a0c0c
SHA512
047690e619c4cfea54b1aa7fbf75d2708f33a85026fb90225f38db33ee81311d48802bb9569f55f45e9aee4fde4320e5e25141c03c1c82d2f83253d735db7724
-
Filesize
768KB
MD5
3ad3e5869a9a0a0c99fd83b88db73980
SHA1
9eb51c975854765c028cdbf55422379b8c812902
SHA256
71336c8d2598ba82229736769d9e6978fa4f8bf9fa211b26d45bb06062fbe92d
SHA512
bb7f335b310e1681d51fb1c9a07dbbaf56e93625f8c4bf5ce4269cd6286bfb5ab71fe39ef769b0cb1da782fb65f60090daacb6c0c5fe3553e13e51eb66c7130d
-
Filesize
768KB
MD5
bbe14ec246c429715644e6e0c14fa634
SHA1
1289e4d68c957abc3758db4a4fc62dc4db909b37
SHA256
5efb78504aae8c3baffe79b94d8202c18ab4221d69cc7a387b9182cccab9bcde
SHA512
5c4d4c993a3e5d13b9a0fd8a57484354f0d862951036d662e83163d9b71aceca0da6de3adb51d42b654593464e03155c679b52c695616ff764771eb1bef65d4d
-
Filesize
768KB
MD5
d9469ce833e07c20902a4f4a5b9bcc7c
SHA1
47feedab61550cff23499f127d2939c142cb5618
SHA256
110d1e3cb558e98fb213a61b2b5f7642365934ab82f708812993435872733e9e
SHA512
f282c2f1985f9ffa1af88f21e2be11f2d4503e3abd181cb4e395776c4215afb1d9e058723c00a559cfaf04b40b6565c48b1319e148b1016125a2c92e2c31c755
-
Filesize
768KB
MD5
7a1b0c070aa205f69a056b2db719e083
SHA1
a36d0782a684aa205f25731421d68e95ed5017d3
SHA256
5eb56f22535df2782dea07dcc52f0669092242734dab3dbd989c48ed532eebf6
SHA512
081ee8709343305768fff01736ae73a4a41659ce420b8c5446db8f18e8953e4b3a0d23ffd7aa844615ef460dc2b4770c830743f2a9ba8f4af17f535ccb62bde9
-
Filesize
768KB
MD5
0666cad29ca0440d23fd9f0bf6013f86
SHA1
2d5a71ddf9301c694b716e57c6c7c6de468edd07
SHA256
3f9487d31804ffad3efca9fa860b7dc240aa3314876c2594e2113be1f1c2e61c
SHA512
dc84a21e24bbc3882ad66ad3e6d5cfe9e852025f186deeae9280ecfd7a1e098c156c913c4e159d01f02d40ac6e3fd58ac33880a4223a36fb169576ab39a6dd66
-
Filesize
768KB
MD5
d0c3c3e24058a43e5ff89b0233998a19
SHA1
74b1870798085c18847faf5fabfb374063090c88
SHA256
9d909ff4c9d0714c4b1d6f06b0be206bfa1117e8d9547c12687f40111f9dae58
SHA512
9deb0d530833ab3f848ce758c1523c80499b6b99c8241440786212ca63341741a2135d0ee0651de738bbe1eda6ad86b83d091583de0e3346a329caa66deeb8ef
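The dropped-file listing above is only useful as IoCs once it is machine-readable. The script below is an added example, not part of the sandbox report or its tooling: it parses the report's own "-"-delimited blocks (tolerating the fused LABEL<hex> layout the page extracted with, and a block that begins mid-listing without its leading "-"), rejects digests of the wrong hex length so a truncated hash cannot silently never match, and matches a file against the records by requiring every digest the record carries to agree, so an MD5 collision alone is not a hit. The sample text is two blocks copied from the listing; the function names are the example's own.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input: two of the dropped-file blocks copied from the
# report listing above, in the fused "LABEL<hex>" layout the page uses.
SAMPLE = """\
-
Filesize
768KB
MD5fd39674ae4a45595608f0744fd990221
SHA1c8230906101d9bcc601034499a0547bd3deb8a5e
SHA256451bf4630b4c7010a9d6b26ec3b08af8d60806dc16e25d422b8b6eabe167d749
SHA51270c75ed5e004afcc02a0a56dafdf331a3b70e7ad9c3c0f592787dd250d6cca4bf92973c3855098b1520cf392f9635d570cd1ea36f3316006210292ec6124b7cd
-
Filesize
768KB
MD5bfac207f8470cd1796478927eacac477
SHA1434d993c65d4fff8459b16da1b6662f46bf5b29b
SHA256b83643d72887076039f5d85e982780a0cce28efb675b734ce7b5b4af3e773360
SHA5123d4f4c9067c87cbce56fdd208ed49af9502d7bb7bfcd02274d504c2a990f90ec610a6e111c414ce86758182f8b969c90f0ec00cfb4fddb5064739175e017b742
"""

# Hex digest length per algorithm; anything else is a corrupt IoC.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest label first, so "SHA512..." is never split as SHA1 + "512...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9A-Fa-f]+)$")


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """Turn the '-'-delimited report blocks into one dict per dropped file.

    A "Filesize" or digest line seen before the first '-' (a block cut off
    at a page boundary) still starts a record. A digest whose hex length is
    wrong for its algorithm raises instead of being kept as a dud IoC."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None

    def ensure_record() -> Dict[str, str]:
        nonlocal current
        if current is None:
            current = {}
            records.append(current)
        return current

    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "-":
            current = {}
            records.append(current)
        elif line == "Filesize" and i + 1 < len(lines):
            ensure_record()["filesize"] = lines[i + 1].strip()
            i += 1  # value sits on the following line
        else:
            m = LABEL_RE.match(line)
            if m:
                algo, digest = m.group(1).lower(), m.group(2).lower()
                if len(digest) != DIGEST_LEN[algo]:
                    raise ValueError(
                        f"line {i + 1}: {algo} digest has {len(digest)} hex "
                        f"chars, expected {DIGEST_LEN[algo]}")
                ensure_record()[algo] = digest
        i += 1
    return records


def digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hash a byte stream with every algorithm the report lists, in one pass."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_chunks([data])


def digest_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(1 << 20), b""))


def match_digests(digests: Dict[str, str],
                  records: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the first record whose every listed digest agrees with `digests`.

    All algorithms present in the record must match, so a lone MD5
    collision is not a hit; a record carrying only a SHA-256 matches on
    that alone."""
    for rec in records:
        algos = [a for a in DIGEST_LEN if a in rec]
        if algos and all(rec[a] == digests.get(a) for a in algos):
            return rec
    return None


if __name__ == "__main__":
    for rec in parse_dropped_files(SAMPLE):
        print(rec.get("filesize"), rec.get("sha256"))
```

To sweep a host, feed each candidate file's digest_file() result into match_digests() against the parsed records; every block in the listing is 768KB, so filtering on size before hashing is a cheap first pass.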