Analysis

max time kernel: 93s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 04:07

Static task: static1

Behavioral task: behavioral1
Sample: e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe
Resource: win10v2004-20241007-en
General

Target: e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe
Size: 90KB
MD5: 0f9eebf861111b8ef7cc0a03befc561b
SHA1: 9a9c5f93ef3f90cf9949625238005154181507ee
SHA256: e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa
SHA512: ad10f84f6f49899dc00bffc4e61587a5a0da11a6d4cac7384a473b4d6b028608c61ab4001138e43594ef541c3ba8fec93a136f83c3b1996882e5ca4caea31fa9
SSDEEP: 1536:j/0kkZnWGM4R/6oHUZmwKthSSNEgBx0sl9XL7XnYGlu/Ub0VkVNK:jnk1eop0gBx0SBYGlu/Ub0+NK
Malware Config

Extracted family: berbew
Extracted URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family

Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2376, pid_target: 4736, Process: WerFault.exe, procid_target: 155
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe", depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Olkhmi32.exe (command line: C:\Windows\system32\Olkhmi32.exe, depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Ogpmjb32.exe (command line: C:\Windows\system32\Ogpmjb32.exe, depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Onjegled.exe (command line: C:\Windows\system32\Onjegled.exe, depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Oqhacgdh.exe (command line: C:\Windows\system32\Oqhacgdh.exe, depth 5)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Ocgmpccl.exe (command line: C:\Windows\system32\Ocgmpccl.exe, depth 6)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Ofeilobp.exe (command line: C:\Windows\system32\Ofeilobp.exe, depth 7)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Pdfjifjo.exe (command line: C:\Windows\system32\Pdfjifjo.exe, depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Pfhfan32.exe (command line: C:\Windows\system32\Pfhfan32.exe, depth 9)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Pnonbk32.exe (command line: C:\Windows\system32\Pnonbk32.exe, depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Pqmjog32.exe (command line: C:\Windows\system32\Pqmjog32.exe, depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Pclgkb32.exe (command line: C:\Windows\system32\Pclgkb32.exe, depth 12)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Pfjcgn32.exe (command line: C:\Windows\system32\Pfjcgn32.exe, depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Pmdkch32.exe (command line: C:\Windows\system32\Pmdkch32.exe, depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Pcncpbmd.exe (command line: C:\Windows\system32\Pcncpbmd.exe, depth 15)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Pncgmkmj.exe (command line: C:\Windows\system32\Pncgmkmj.exe, depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Pqbdjfln.exe (command line: C:\Windows\system32\Pqbdjfln.exe, depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Pcppfaka.exe (command line: C:\Windows\system32\Pcppfaka.exe, depth 18)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Pjjhbl32.exe (command line: C:\Windows\system32\Pjjhbl32.exe, depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Pdpmpdbd.exe (command line: C:\Windows\system32\Pdpmpdbd.exe, depth 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Pfaigm32.exe (command line: C:\Windows\system32\Pfaigm32.exe, depth 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Qnhahj32.exe (command line: C:\Windows\system32\Qnhahj32.exe, depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Qqfmde32.exe (command line: C:\Windows\system32\Qqfmde32.exe, depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Qceiaa32.exe (command line: C:\Windows\system32\Qceiaa32.exe, depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3964 -
C:\Windows\SysWOW64\Ambgef32.exe (command line: C:\Windows\system32\Ambgef32.exe, depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4448 -
C:\Windows\SysWOW64\Aclpap32.exe (command line: C:\Windows\system32\Aclpap32.exe, depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5084 -
C:\Windows\SysWOW64\Afjlnk32.exe (command line: C:\Windows\system32\Afjlnk32.exe, depth 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Aeklkchg.exe (command line: C:\Windows\system32\Aeklkchg.exe, depth 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Afmhck32.exe (command line: C:\Windows\system32\Afmhck32.exe, depth 29)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Aabmqd32.exe (command line: C:\Windows\system32\Aabmqd32.exe, depth 30)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Acqimo32.exe (command line: C:\Windows\system32\Acqimo32.exe, depth 31)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4252 -
C:\Windows\SysWOW64\Anfmjhmd.exe (command line: C:\Windows\system32\Anfmjhmd.exe, depth 32)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Accfbokl.exe (command line: C:\Windows\system32\Accfbokl.exe, depth 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\SysWOW64\Bjmnoi32.exe (command line: C:\Windows\system32\Bjmnoi32.exe, depth 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Bagflcje.exe (command line: C:\Windows\system32\Bagflcje.exe, depth 35)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3872 -
C:\Windows\SysWOW64\Bcebhoii.exe (command line: C:\Windows\system32\Bcebhoii.exe, depth 36)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Bnkgeg32.exe (command line: C:\Windows\system32\Bnkgeg32.exe, depth 37)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Windows\SysWOW64\Beeoaapl.exe (command line: C:\Windows\system32\Beeoaapl.exe, depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Bmpcfdmg.exe (command line: C:\Windows\system32\Bmpcfdmg.exe, depth 39)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Beglgani.exe (command line: C:\Windows\system32\Beglgani.exe, depth 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Bfhhoi32.exe (command line: C:\Windows\system32\Bfhhoi32.exe, depth 41)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Banllbdn.exe (command line: C:\Windows\system32\Banllbdn.exe, depth 42)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4740 -
C:\Windows\SysWOW64\Bfkedibe.exe (command line: C:\Windows\system32\Bfkedibe.exe, depth 43)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Bjfaeh32.exe (command line: C:\Windows\system32\Bjfaeh32.exe, depth 44)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:440 -
C:\Windows\SysWOW64\Belebq32.exe (command line: C:\Windows\system32\Belebq32.exe, depth 45)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3140 -
C:\Windows\SysWOW64\Cfmajipb.exe (command line: C:\Windows\system32\Cfmajipb.exe, depth 46)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Cndikf32.exe (command line: C:\Windows\system32\Cndikf32.exe, depth 47)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\SysWOW64\Cenahpha.exe (command line: C:\Windows\system32\Cenahpha.exe, depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Cfpnph32.exe (command line: C:\Windows\system32\Cfpnph32.exe, depth 49)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Cmiflbel.exe (command line: C:\Windows\system32\Cmiflbel.exe, depth 50)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ceqnmpfo.exe (command line: C:\Windows\system32\Ceqnmpfo.exe, depth 51)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Chokikeb.exe (command line: C:\Windows\system32\Chokikeb.exe, depth 52)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Cmlcbbcj.exe (command line: C:\Windows\system32\Cmlcbbcj.exe, depth 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\Cdfkolkf.exe (command line: C:\Windows\system32\Cdfkolkf.exe, depth 54)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Chagok32.exe (command line: C:\Windows\system32\Chagok32.exe, depth 55)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Cnkplejl.exe (command line: C:\Windows\system32\Cnkplejl.exe, depth 56)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Cajlhqjp.exe (command line: C:\Windows\system32\Cajlhqjp.exe, depth 57)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ceehho32.exe (command line: C:\Windows\system32\Ceehho32.exe, depth 58)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Cnnlaehj.exe (command line: C:\Windows\system32\Cnnlaehj.exe, depth 59)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Ddjejl32.exe (command line: C:\Windows\system32\Ddjejl32.exe, depth 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Dfiafg32.exe (command line: C:\Windows\system32\Dfiafg32.exe, depth 61)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dopigd32.exe (command line: C:\Windows\system32\Dopigd32.exe, depth 62)
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Danecp32.exe (command line: C:\Windows\system32\Danecp32.exe, depth 63)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Dfknkg32.exe (command line: C:\Windows\system32\Dfknkg32.exe, depth 64)
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Dmefhako.exe (command line: C:\Windows\system32\Dmefhako.exe, depth 65)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4124 -
C:\Windows\SysWOW64\Ddonekbl.exe (command line: C:\Windows\system32\Ddonekbl.exe, depth 66)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Windows\SysWOW64\Dfnjafap.exe (command line: C:\Windows\system32\Dfnjafap.exe, depth 67)
- System Location Discovery: System Language Discovery
PID:4480 -
C:\Windows\SysWOW64\Dmgbnq32.exe (command line: C:\Windows\system32\Dmgbnq32.exe, depth 68)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Dhmgki32.exe (command line: C:\Windows\system32\Dhmgki32.exe, depth 69)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:716 -
C:\Windows\SysWOW64\Dogogcpo.exe (command line: C:\Windows\system32\Dogogcpo.exe, depth 70)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Dmjocp32.exe (command line: C:\Windows\system32\Dmjocp32.exe, depth 71)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Dhocqigp.exe (command line: C:\Windows\system32\Dhocqigp.exe, depth 72)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Windows\SysWOW64\Dknpmdfc.exe (command line: C:\Windows\system32\Dknpmdfc.exe, depth 73)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3464 -
C:\Windows\SysWOW64\Dmllipeg.exe (command line: C:\Windows\system32\Dmllipeg.exe, depth 74)
- System Location Discovery: System Language Discovery
PID:4736 -
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 408, depth 75)
- Program crash
PID:2376
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4736 -ip 4736, depth 1)
PID:4340
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
90KB
MD5cc548f0b617abbd8f7b08ba6babecc3b
SHA10da55986434190080e2cef647043664d74d59679
SHA2562cdf96618a7608a7ed15727fbcd0627ea86288db6487e02e1da3cb43325edb9f
SHA512d30812dfc41c0dafb0319715a414ffed178c7605fec9973bc14e075070f5c817b7ae1864168f7c10c079f6eb961655d78ce85466a120ed87bfa034936aa7cd3d
-
Filesize
90KB
MD5ad33f1c63af4ee3f4cf21ce248d84dd1
SHA10f02c9e930222e9f694ffbc6c0981d92c14bef2b
SHA256cfb2fddf280a127c9ab545e225e1f38f1d6123a97e33a4390db764441a942585
SHA512dec1c1c278b24d9c7f2d1db5dee705bc22506ae867bfdb2d86762023532eb7411133838e23ad1d730827b31f7d8fcb8d5b7fe62abe02521a8b02ae904764cd1c
-
Filesize
90KB
MD553674b7df80d8201994fc825c389e0a8
SHA19153eaf54aeea3865f57a0fa77a304f5f2c72808
SHA2563ce6e0ca4adccfef349be052fe1051787552f6716f41e3f0d45b2cd9fa967e53
SHA51224a37170241e4eb91ee1e133c5ac4e30484a1faef939ae2a4ea599aadb230b2da551168a041f008dca2f83063f27cccb03ffdc544ab3504cb21e609f1f70da7f
-
Filesize
90KB
MD5252f2a7a35791f29a940bc30dd98f662
SHA1bde301ccf1db4469b4c2df142ba4b612156117cd
SHA25619c5fe8237a51ccb5b92c1d12ec3e6d24b9dc077baf9ea63f5b4d01653aa842e
SHA512f01a77ea1769afd9f658671bd869f0c00a4bdb66fd3c5552ae95ccb566b2f24ab12f11a477bbfb19ad44fafcd024d8cf2bb0808d7187b8ff1081614cb788a58a
-
Filesize
90KB
MD56f2430d952ef0d6b54f4f4debfd51d83
SHA1a668d06db0f883984d66aecee41f8f81430f31d0
SHA25651e11b5c6a24441744777b1363e2b431ff55c8b2d4706997140aaf03c702b57b
SHA512cdb81049874c70fe4b4ff808aefa47a719aabb70afdf64af66eeb1aabb2b72517ba1bac836d42a3948356bf06bfb4689ee1693275512db5e5b25ce224b1f9199
-
Filesize
90KB
MD50fda709e91af155fcabaf54f7fc2db0d
SHA1d56bc171105dfaebf2b5f0bb77c409ad26455a5e
SHA2561b11d15e5ae2f56ec2708d579ed0816d0d553de7623567d1d8e8d4c43d34f448
SHA51242c12ad4e6e970a2bb02e73c0b77086c365c8f042d282e5a497f05cd88109ad67a8f70a8efd8dfa4949ce4e9d13d4f2a535a50936c9ee4b2c178b41b7c6dcc91
-
Filesize
90KB
MD5b40320f2e8d8ed99e6586b09f203286e
SHA17fa72c6bd66ddfbb17a32c30958c7639e1beea35
SHA2561e7da1d31fcf9a0aed124f0c44e2df4dec8fa1159bf3416c6ae98fc9ed4448fb
SHA512b78673d876ab6131d1eee327b8b90b255a8986d9dc580150c50f12ecdc073a1e968e3b5574864b2c9b9fdacbc6ad0f70098dca9cc418fc8ce6acbb7f929d555b
-
Filesize
90KB
MD545afd99bee27d466dea9c5a17b9a0f59
SHA13bf59dda626cb4bfd6eb165891067b1710efe0d9
SHA2567b42470ab28fa61ddc68ab639badf1235261aa04ad6452d2fe3bfab4b2b14b21
SHA512297bd0ff8af6656c8abda0337ee0034120b1c80cbdd4b436b12557a6402bbf290c021c3a6be71f8a2b1ea0203722ae8d07933d3970540ea1ce2821859498437e
-
Filesize
90KB
MD564477a119c17625879b8616be21041af
SHA166d2b188ed5fbb8e243300ca4f0c746b4b3f6da2
SHA256862d0727b78f8eeedf89c7dc36f4d1ae70689b2348a6015921f7d2fa2e35a7b9
SHA512be67ff1d9195761edbdddda6da9264cb77b6ef99b7b37c143cc397a7e6a3731d5ef6060abe011721be26a383eea54faf7f90b1f9b1bd943cf328f4f0a3e99c23
-
Filesize
90KB
MD572a88335c4e9b9e13909b282c778e4fb
SHA129cd56b7237b3830f8ba2a3a0b9e24fd5eff8c65
SHA256b12f93b4da873b04195f015ff6c5d662c22c3bc75b02abb241bff1823b30afd8
SHA512888e906915372a8214acd844a75d50f1fcb9d1be2382a56d78d30d41b5b1c622a4c8e81ceaa956c9babaf168635e09b58e9445a96ec40ba0bf265d8935173a4d
-
Filesize
90KB
MD57a6ecb83849bd80340b948b3a9ce4f33
SHA1935ada14fc696976ab3e7b5f18a7204d832fb878
SHA256c2f677f02673b545a74e781ccdd15cf41a958a7df2c2de1dff1207ceb15416a0
SHA512b38224292a8e9523ac17c32f5a28d3bf27232d9e24f6fb90c48da3c675c709cde861a2fb69648ff78898490cdab0df9897be820529b99ba70cbf3b904ee4779d
-
Filesize
90KB
MD571ec93533a2fd2ce7891b758b8eca459
SHA16abea3bc1601fd67a721b882dc3c0bbd074ab0da
SHA256942bf3fae01022f67c9504a46b3ca3f9de3d8393250554eb6e12dc83929dff33
SHA512dc20651e02ccbed83068eeccdf78357df590adb3c5e84002341260b3243762ba2836be34d0b8cc78bc3ee94e92435a62c1e9172d71c50b8b7d2c3247db0d59d0
-
Filesize
90KB
MD5ac21171ff9fb6f1792033d10cd54773c
SHA16a1283169053c8487f63ff3385e45389e81d7c03
SHA256324eb716cba1f07a3636c3962ef810a9a260e4b894dd43f7be7817b0b42c78e4
SHA512d689bf216f89214981c59f1d47d5727af70f87d071536fdaf73dd12f27da8277ff013786ac332f14d83f4f4c2c9891486b05882801fcb5cfb183d0d9d5f93c27
-
Filesize
90KB
MD5f97d5334f487d9da40284254072de3e6
SHA177fdeda80d1dcd284d81fc7487c001ec7b64a2d3
SHA25663cd9c1c1a9aa67d9d09c615cc7b11115481acecb355180750bddd763781f38f
SHA512c53fad58f6c43999d5f0689db734c92ea27aff44d33d748ac5543d3d842ef2a36fc17da29ad02c906162b8b084aefee798372615e495d80f086d0d2a6df351d1
-
Filesize
90KB
MD5bb9b2b72ea2ad87402b0273cff2a4f43
SHA198655f65c867a9d1b77290ea81ea2c602708b242
SHA25653465415c500979b7a598e9a7887b4e4e7a95948c18cdb096b9c5899ba5382c4
SHA512ef6b3c02f8fa4bed7749822831aaafa49d671efb39abf809d318d4832f34c515e33ceed97d1127faf47488b3b4a5456df292a18b48c24aa07c05e163364ef2f3
-
Filesize
90KB
MD5cbfac3bb69caf74b940235a93e28d93a
SHA17bb1534b0d683cc169380536d047b7e0a672fb0a
SHA25655711595bb5a2614e7bd7210ab028fa335bdb9ed2ff1a15b92158955b98a0373
SHA51238c5c2535373a67527926399386abf805989e87107cb71d161e4f9a3b5f9230b51e7c04560b519d085b355367d07418e15c131beaf3f49af9a4ad779933d7cf0
-
Filesize
90KB
MD5a83cfe854d09492caf8d75f8fb81f6aa
SHA1f4faecc14ce096f4d8552c3985664cfa06375b78
SHA25644e81d7baed14f072550200d611b9ba91df6ae6a61fb8145b38f5477c394171a
SHA51288ace07a7a80c2cb723e7402f424c4453d2a982267e982454b4b3259bee0e85d1234a3d7d82e02d77c453872f0dd64520077b9e416c667fc3a3a7e05402237af
-
Filesize
90KB
MD527ef7ade232d77b9aec48a95c46c75b2
SHA1fe3e39ffe9d013f771397814741d4f4326c44174
SHA2565561b252f0d213f375e82713b5ec54d5684e3ad3921db22d39da3fa539b9f3b3
SHA512a8e0f1d9935ee105b0e796fc96412ab5247b6f23c51da8d1584ca2db363f5c33d00f46bf97d17e2c120e0319c415ec518e837364c4659beabf13b966350b6d22
-
Filesize
90KB
MD50103a8f0e6147ea89230e5af110fad8d
SHA1b65a0685f229a2da1788ab845d00eda2344bbebe
SHA256844de11a40a067128703274cea6da05bef2561ec377cc866916913aac17bd1c9
SHA512c9bf09464ed6803775216bf18ee7ba7909cae5c0dccaf34b0ab8e0b8f0f112c61e9e2f0615f00683784d2234e2a3a619bfe83d0136380df06927cbc9da0d4f08
-
Filesize
90KB
MD5db003acb085e06d5c648cfa8602e41c8
SHA1e562798bb31f793ce5e205ed68a2cc939bdea02f
SHA256f2de9a1e5e10a67181b34129855937fcdaa877a5affed9032d6d955a7cdd78fc
SHA5121f6b1a784536a68f2c79d3a38a1f100dfda0dab1b5105bacb471254c1aaf0e2de3146dc322f55331c0027ad217dcd63781b18b3a304671bd1f14a86653ced62c
-
Filesize
90KB
MD5402c3c874f74bede4457a0b61acf0f93
SHA11fe106e7997b74d38685c7b44880738e928633e6
SHA2564dad05dd36c40a2eafbb0d050956ce6d55c71c632d4eebdadd67b5ed798a4dcb
SHA51253751bc581b6546a52e086e97f23b817fbc3f327c56dbcba0e69a258e57fd748e1846b47dad544f81cf2b7fe1506b5f97267c7d65cb30cad2f11e2b6f09385d6
-
Filesize
90KB
MD567872aabc9c4a74d22fa29513b7d2f85
SHA12703f3c8314f40c1d7d1e3cb333d337e2525e9cd
SHA2561f25d7082e1e4dadefdb4ea8b2afc5bfd44aa594f53b8ebbbe1e6a46f6f88789
SHA5121fd39c06509f60218e841f649513b563bfe0c1c338e246cc96de80ea9d8c48f0cd299b1b4dfb0a70dc7cb02d375680158c5bef345c49c4cf7f3fb1a35c1a2362
-
Filesize
7KB
MD5697259be4b5e7d2c50f4108b9ee45ff2
SHA16cab5af33316409e3188a4d1fdde573784a0aeee
SHA2563e3bc98dd0f4ea64d663de9b1e622f3be6fd05942deeb704b686ebfe4601500a
SHA512f7f9695dc73cb2fd1a67e8f02fa56fea2507aa82da7bf466fe702af5868ab0f3e172a6b134a559d059b1fc5c8e04699227ee6fe88a85274eb26ec0d81d7d2768
-
Filesize
90KB
MD5c163079f67b5322d23d1ce97e351c393
SHA1a218809b107325642ac43ede3fdb4dd10ea41b49
SHA2565c49a3ac84bf9ddd3029eefe65e0d32559d11c013bb9c8b3d831a4a5be5f7fc3
SHA512acd6a994e4808c01ffe4cceba20786d37db9fda81a2af2caa48360345513527af2b5522f4231f36d315ea6c5809ff2a74d660bbdc72b6e7d5207fd6301ef608e
-
Filesize
90KB
MD5af41732381a8a4be6c24ac2eb26e5062
SHA194f6c531f05b34d220315798327de3f0d57570a1
SHA2561f0a31a5b35bf4e5babab38fa84510fa6cfa05076d5efcd30be8db64cd449b30
SHA51241a751c5cdfa8e94534e5aef84f94ffa9fbdad99ad145c07088efa30835edce1aadb82341b080a879c1a1901d613fe8f69f8b1603f68bf0b970cfc557236a079
-
Filesize
90KB
MD5949b50bfb4f3a4bbb4bf1de95217b91d
SHA1ca2aec55aa10f0db905579faeb65dc8122da5cc2
SHA2562323d6731ee8628ec8702cd6c9b558141af52f66b68d56ab3a187309a0820a2d
SHA51209252f03b2961b0df5653400af7e1aa6b22b960e18e0d674a943e50638ffc63c11f4cb85389ccd572dabc528e1ea6406658191927d5f7750dc602165c00026bd
-
Filesize
90KB
MD561df0f256c9fdbc980c4c968a3512536
SHA1f5eeb4e6f5da3fc19eafeb792f61605712c354bb
SHA25693a0cde1aada7b1346613fb3712d8d526711a600b96fa55cb408fee7cb68dc2a
SHA512a03b7bf65c756c3191e294e54cbb237af5570c0a11b9aab10228a0556b44130488102b022f471c8af741b0c2dcc2ec33a38e108063377afc7e64913717191ec1
-
Filesize
90KB
MD5d4283dec154c52faed6736f9d1764b39
SHA1bf906810837a6c4f78e4140307a23ac85a3683f6
SHA25669512d524facf36a73d057042efa889d81e1e66a0b01a77fb86f17bf0c3a2117
SHA512b2293eef08e7c364c8315878ceca16d5751c841f40ad71ca170874c9875f73ce3f0bc3c8f707afd11e592fe06d5f6bb410ad219eb0d985a05bc775a3d0945d1c
-
Filesize
90KB
MD50d87fae205677fe146b08fb14d48d78b
SHA16a4227a8cfc5727755904243310ac5a0093df7ce
SHA25611bed7424bb2676e2d1da1e36b2b9cfa9dfd6ff8356eb7557a4f3f151e8da6eb
SHA512dd3740f426f4a3ceb701616b6a4d44b4c50853fe2512ddc26fd0d430d1ea4ad5f6a640f5c73e36ddcc8e9171c61e5f4508f9ca3fe3a7499db93269aca6e91c38
-
Filesize
90KB
MD5a6754271c0df2ce4fc002ab93c9283d6
SHA1a5c0eddf7dc3ddf1d03debdcc3da4f6f18c06cfe
SHA2569f0d89bc4f15df704c8b95d83b3cb9c603ea968c0c7afa56cb7e0eb1d06dc0ed
SHA512b4165a97a8bbf912a3fe3405ea1aa69df8d22cb95cbc55cd8a4a5c69d053bae1949baf09eb30de2f382fa52c820d4d3956b1ac02ef5382d7817e14be28d4c6a0
-
Filesize
90KB
MD5634bc376c3234ab9d5b02a328564149e
SHA1544c73b55450536a5dee9493a9fdc8011c694ee9
SHA256beae4029b5b07a336259283a93f711d73aa6c35cbf5e7da4d34c3cdfb3c51694
SHA5121bbcf46e2838ec336a804619e7e8fdad91e485ffa0ad6159c35a59c860b1e9f649a54574fc14c2f20d83e9e91a827116d02467f17ee2c1ed368dd4a36df4e2ee
-
Filesize
90KB
MD58f601dd7e055d33bc9613dd2bcdbfe28
SHA12e56bd6b5bb2dce28cb73a4a36b73eb4e7404d4d
SHA256ffa25d63a935e81b5cef12cbdeda1cd61619720b74a55858aaf18f104ef57cfa
SHA51204bc5268ce73a123c3a0da174622f28d20fa135d46eff6452770a80f3c0a526807465acc906d320ca42bd2e3c00b7dd733fd6be43b19ffd1f88d70d13e71ffb4
-
Filesize
90KB
MD5fed2880bd43579132b398413d992c38e
SHA1087e326bfb86f395707b55bca48833afe3e15647
SHA2564e6aca13f2c5fb2363f031838d70fa8431dfefdd40aa024c0a516a7dfdb1c7af
SHA51293c6ab3fccda0d8ed621a9825705a2c1b45334a8a78648e2036ef3999bc95621e57df6850f8ca0e161dab8ba1d271b236e240d52a35b3510a87b85cbbe5778c7
-
Filesize
90KB
MD5 92f61b912bf375f409bc7e98c383db2b
SHA1 72bfd48eac529afd960847e05325025434d4391d
SHA256 adb71e442c73a65eeaeb9415fbca585b7b4f3a77542db047c4674de4d3463e80
SHA512 4849d3adedce6974584d0d5a514fc450f565a3b24f5b8fe6635dcaec0017cc99493dc201f9c8fd468193fdfcb251e0dda6a10aba462aca902604f3ee99ab795f
-
Filesize
90KB
MD5 33bb0509602b4586611a78edc17b9c3d
SHA1 c726cea2c25f1dc8dc995b95f2507bdaeaf6b971
SHA256 cb6a64d1627eabc678a4540708499810b7cbb04c6a35a179659e491a3acf28bc
SHA512 0245b9866bc9bf2445a949e84689fba7546af05d5e874bcf9b44a9a0d103eb09c6431bf29d66498f4f047093738d651bc5e73fb6669602eef8546088cbc6d9f3
-
Filesize
90KB
MD5 73c18a5682179d6c18edc140299aa3e0
SHA1 7a9b8428100ab4df72e94ef6d72ea42f3a25f4a3
SHA256 cb946d387843f68bc2ad78ac65781f62bb77b8f2b7f0d3e4ef687582ebb5ad8f
SHA512 770f1040d64e6108d46805a4ebea6b3c4a3f10c50c6b2b8c4a77e43e0687115b716df7c1abf88295577059f5ca678e9fa9e9ab6a8813b1bf7f0357f4c92ea97f
-
Filesize
90KB
MD5 c3a643cf7e1c3e465580e3afa5058042
SHA1 51090f16172496873aac4287ac412f17614add5f
SHA256 53e5cf5e7853427845825f1e0e6cf36427f2d0ee6e77c13747eaaf6f33c151d7
SHA512 e46e6aa5ca7b7c7e86233917788f23579b518755d60208bc2603f5a30de588fb78496d03d14266b432aa4c548074d7171c179d4e01f8ed20475c2ff2eb455da4
-
Filesize
90KB
MD5 b45186ea717ee90f03d0ba44649f62be
SHA1 876895bd1ec3bdc4df983f7b8dab7dfa001880b5
SHA256 ac5aba45ff22bd74c523d57c955e8342b415a1df2cb16bc55e5442306e1aa02a
SHA512 3ead52af5970bd7791216bddc973242bbb0db144b776e6c495163d1945abc753d13cda93785becf01af955f9aaa2a5dfd9b01ba6814ede52c31e9cc6e428ebc0
-
Filesize
90KB
MD5 2fcb3557906ccf5caa458082c60fd942
SHA1 917b4a3bfd5058b8135c2d712c8e0de72aeb3fd2
SHA256 4ea4c0e717caeaf2862e6691b5beef545985f6fc82ea0587e621a0facc882bca
SHA512 aaae019dd9ded9826f97438b57971437715b470af8dea4a0bd40520ffd7329d3a1822e448c7e88437da7bd505c35353ecc6e366f872a3877e3ed08dbe5029a2c
-
Filesize
90KB
MD5 7e9ccfae5f18297759f151a96d7c4f8b
SHA1 d2389f4e13ecd618266b3112289abf5a11c2d66c
SHA256 4f336fc52c69fca06a2dc442e0b57b6f4837caadccb60bc1d33a3e73f4318981
SHA512 9cc42996b6ae24e1064c81da13c5f63c61ce347f16f131cbd04dc927ea44163272798a0a97788a8909ff36b278a652dc51eec219f3dc7efd79bdae26ab067d4d
-
Filesize
90KB
MD5 20aa1042dfd47cca3f21c3732fcff341
SHA1 23e027b1cc2442e2fde6b6ec1ac80aebe043c99f
SHA256 b893148004de9ce7afb3c3b361ddf64934875aeaac590ba7950659c61ad29f9d
SHA512 dc5239762df48c6b2c3d7ce8319cb5b227c70ed0ffe35a0212dbc26424225de034af6e6fb8a16638c3b2ed3efcb10a06ed849789b7cd7c2cff14cab455d812ac
-
Filesize
90KB
MD5 894a26839307f3219293abe1cceb4be9
SHA1 967313f02aa1d795a0ecc172e9fe3ebf6e52071d
SHA256 d35baaa2872b7aefb47d6a7e4a99929954bb39c1900ad9486a6bc1ee679df3b0
SHA512 3f1bcbcba450c0988ad0181c1dd0a4f8e960e2c97957f8edba82b06ae40e4d93528e49de920b47c17ff55fd91280fbfbf0813c425aff5dbd4231460cf34cb19c
-
Filesize
90KB
MD5 cc3bcdf7ffb87ace0ca09e1153c3dcec
SHA1 29c6d0b6908ef667d9739570f1699befd986c208
SHA256 084ce93e0fa79b806437e173ee56fab4b0da27611801578b1eb5bb0754cbf379
SHA512 e46d0d3ca992ce39431c33d544d40d92187062bcbc7c58ffe97dceed301cf941cc83695727e89c0ed733aa2d90639d68975bab27324ab845c3f0665e73568bce
-
Filesize
90KB
MD5 1a19721596ac3cace1bfc6599d2d61e6
SHA1 88f456313a422b2999dbe591576ecad7ea42d392
SHA256 4d3815a0dfa50d8c03488fcc2d14cd88719b5e3103879000fdf859c9a8e9f41f
SHA512 61c7bdcd135257e138f59de171bbaf3326e3e18f2544d8aa0932b4933c1f7c5ddcfd28668baa0739f134331bc24b62f267083f4c8e0cd3cd3c500739affdc53c
-
Filesize
90KB
MD5 e75de4064b01a04527be04b72bc00dec
SHA1 2e70dfacfc0bb40791674e4e4f6b5de7fb736e87
SHA256 043ca813803f67d83232a0f83125d5611c9c80ff7b8bebea856dd83d287c9322
SHA512 18a1c8cbdbbaee9842d5e5d3b52dabb1c32779d08567cf57ba351fed6b0509c305f06b1d436f3a54e9fa6499dc0918a29782ba5d48164439354954ecd86f7068
-
Filesize
90KB
MD5 e4dfe4293e6582a2d54b051d5633f934
SHA1 6858e50c62fd6c0dcdbff0d4643ead773f53457a
SHA256 c55c93effd522742e2f2b28a845641ee5a789a348ab9fc2c371bb88bea28ef6c
SHA512 331e1799b2ef748c926b7bf5cd0af41584bd3d3a202dc670d034fd6740cfaf84d4d3f9de8f549d2ea250c30f02f05cffc19d19be47bcd413419b3948d27f8b90
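A small IOC matcher for the dropped-file hash list above, added here as an example; it is not part of the sandbox report or of any tooling the report describes. It parses the report's plain-text hash blocks (label and digest either fused, as the extracted page reads, or separated by a space), indexes every digest, then hashes files on disk and looks them up. The two entries inside IOC_TEXT are copied from the list above; the function names, the 64 KiB read size and the "-" block separator handling are the example's own assumptions about the report's layout.

```python
"""Match files on disk against the dropped-file hashes from the report.

Added example, not report tooling. The hash list is parsed from the
report's plain-text layout: one block per dropped file, blocks separated
by a lone "-", each block carrying MD5/SHA1/SHA256/SHA512 lines.
"""
import hashlib
import os
import re

# Two entries copied verbatim from the dropped-files list above. The
# first is in the fused "MD5<hex>" form the extracted page uses, the
# second in the space-separated form; the parser accepts both.
IOC_TEXT = """\
-
Filesize
90KB
MD5d4283dec154c52faed6736f9d1764b39
SHA1bf906810837a6c4f78e4140307a23ac85a3683f6
SHA25669512d524facf36a73d057042efa889d81e1e66a0b01a77fb86f17bf0c3a2117
SHA512b2293eef08e7c364c8315878ceca16d5751c841f40ad71ca170874c9875f73ce3f0bc3c8f707afd11e592fe06d5f6bb410ad219eb0d985a05bc775a3d0945d1c
-
Filesize
90KB
MD5 0d87fae205677fe146b08fb14d48d78b
SHA1 6a4227a8cfc5727755904243310ac5a0093df7ce
SHA256 11bed7424bb2676e2d1da1e36b2b9cfa9dfd6ff8356eb7557a4f3f151e8da6eb
SHA512 dd3740f426f4a3ceb701616b6a4d44b4c50853fe2512ddc26fd0d430d1ea4ad5f6a640f5c73e36ddcc8e9171c61e5f4508f9ca3fe3a7499db93269aca6e91c38
"""

# Expected hex digest length per algorithm; rejects truncated copies.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Label immediately followed by optional whitespace and the hex digest.
LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$", re.I)


def parse_ioc_text(text):
    """Return one {alg: hexdigest} dict per '-'-separated block."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":            # block separator used by the report
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = LINE_RE.match(line)
        if not m:                  # Filesize / 90KB / anything else
            continue
        alg, digest = m.group(1).lower(), m.group(2).lower()
        if len(digest) != HEX_LEN[alg]:
            raise ValueError(f"{alg} digest has wrong length: {line}")
        cur[alg] = digest
    if cur:
        entries.append(cur)
    return entries


def build_index(entries):
    """Map (alg, digest) -> entry number so any single hash identifies a file."""
    return {(alg, d): i for i, e in enumerate(entries) for alg, d in e.items()}


def hash_file(path, algs=("md5", "sha1", "sha256", "sha512")):
    """Stream the file once, feeding all requested hashers."""
    hashers = {a: hashlib.new(a) for a in algs}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_dir(root, index):
    """Return [(path, alg, entry_no)] for every file whose hash is indexed."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            for alg, d in hash_file(p).items():
                if (alg, d) in index:
                    hits.append((p, alg, index[(alg, d)]))
                    break      # one matching digest is enough to flag it
    return hits


if __name__ == "__main__":
    import sys
    idx = build_index(parse_ioc_text(IOC_TEXT))
    for path, alg, n in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".", idx):
        print(f"{path}: matches dropped file #{n} by {alg}")
```

Indexing every algorithm matters because the tools that produced a hash in the field often report only MD5 or only SHA256; matching on any one of them is enough to tie a file back to this list. The length check catches digests cut short by copy-paste, which otherwise fail silently as non-matches. Every entry in the list above is 90KB, so a size pre-filter would skip most files cheaply, but the example hashes everything to keep the logic obvious.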