Analysis
max time kernel: 26s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 00:47

Static task: static1

Behavioral task: behavioral1
Sample: 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
Resource: win10v2004-20241007-en

General
Target: 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
Size: 401KB
MD5: cc0aaa82e40a81d4ca68aae1bab9871a
SHA1: 8ffcedf92efeefe155eba2de8013f48d61126e05
SHA256: 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835
SHA512: a0fd95f11b03cd77040144f2acd317edd37111c76ed5b8c67c2af4bd34336de85e4595dee137a9dca5548baf27fd63acc9a20064c9ae0dac8bc514ab03a2f971
SSDEEP: 6144:/rBU9cyvndpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836PGyA7:FUemndpV6yYP4rbpV6yYPg058KrY
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Bpmkbl32.exe, Olgpff32.exe, Pncljmko.exe, Qfhddn32.exe, Ajcldpkd.exe, Ocdnloph.exe, Onapdmma.exe, Pqgbah32.exe, Egeecf32.exe, Ebabicfn.exe, Leqeed32.exe, Mhckloge.exe, Oapcfo32.exe, Laackgka.exe, Pdkhag32.exe, Bbcjca32.exe, Kgoebmip.exe, Mljnaocd.exe, Npechhgd.exe, Fcfohlmg.exe, Gdflgo32.exe, Mioeeifi.exe, Dakpiajj.exe, Kjhopjqi.exe, Nddeae32.exe, Dcjmcd32.exe, Gfogneop.exe, Pnkiebib.exe, Cdcjgnbc.exe, Eqcjaa32.exe, Oogiha32.exe, Bneancnc.exe, Fgjkmijh.exe, Iebmpcjc.exe, Bbfnchfb.exe, Oqmokioh.exe, Clhecl32.exe, Igngim32.exe, Agqfme32.exe, Dkjkcfjc.exe, Naionh32.exe, Opebpdad.exe, Lnlaomae.exe, Mcbmmbhb.exe, Ajjinaco.exe, Ihcfan32.exe, Mecbjd32.exe, Malpee32.exe, Llhocfnb.exe, Haleefoe.exe, Ihijhpdo.exe, Laogfg32.exe, Aankkqfl.exe, Bacefpbg.exe, Chabmm32.exe, Liblfl32.exe, Kihbfg32.exe, Dgfpni32.exe, Fblljhbo.exe, Hbpbck32.exe, Oecnkk32.exe, Edjlgq32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bpmkbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Olgpff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pncljmko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfhddn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajcldpkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ocdnloph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Onapdmma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqgbah32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egeecf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ebabicfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Leqeed32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhckloge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oapcfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laackgka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pdkhag32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbcjca32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgoebmip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mljnaocd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npechhgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcfohlmg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdflgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mioeeifi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dakpiajj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kjhopjqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nddeae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dcjmcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gfogneop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pnkiebib.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdcjgnbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eqcjaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oogiha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bneancnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fgjkmijh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iebmpcjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bbfnchfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oqmokioh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clhecl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igngim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agqfme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkjkcfjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Naionh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opebpdad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Clhecl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnlaomae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mcbmmbhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajjinaco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ihcfan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mecbjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Malpee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llhocfnb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpmkbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Haleefoe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihijhpdo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laogfg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aankkqfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bacefpbg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chabmm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Liblfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kihbfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dgfpni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fblljhbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hbpbck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oecnkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Edjlgq32.exe

Berbew family
Executes dropped EXE (64 IoCs)
Processes: Kepgmh32.exe, Knikfnih.exe, Liblfl32.exe, Llcehg32.exe, Lbmnea32.exe, Llhocfnb.exe, Ladgkmlj.exe, Mllhne32.exe, Momapqgn.exe, Manjaldo.exe, Miiofn32.exe, Npechhgd.exe, Nlldmimi.exe, Naimepkp.exe, Ndjfgkha.exe, Neibanod.exe, Oapcfo32.exe, Ogmkne32.exe, Oabplobe.exe, Occlcg32.exe, Okkddd32.exe, Oqgmmk32.exe, Ogaeieoj.exe, Omnmal32.exe, Ogdaod32.exe, Omqjgl32.exe, Ockbdebl.exe, Pmcgmkil.exe, Poacighp.exe, Pmecbkgj.exe, Podpoffm.exe, Peqhgmdd.exe, Pkjqcg32.exe, Pecelm32.exe, Pgaahh32.exe, Pnkiebib.exe, Pajeanhf.exe, Pkojoghl.exe, Pjbjjc32.exe, Pegnglnm.exe, Qgfkchmp.exe, Qnpcpa32.exe, Qmcclolh.exe, Qghgigkn.exe, Qfkgdd32.exe, Apclnj32.exe, Abbhje32.exe, Ajipkb32.exe, Amglgn32.exe, Acadchoo.exe, Aebakp32.exe, Ainmlomf.exe, Aphehidc.exe, Abgaeddg.exe, Aeenapck.exe, Ahcjmkbo.exe, Anmbje32.exe, Aalofa32.exe, Aicfgn32.exe, Anpooe32.exe, Aankkqfl.exe, Bldpiifb.exe, Bobleeef.exe, Bhjpnj32.exe
pid | process
2848 | Kepgmh32.exe
2668 | Knikfnih.exe
2756 | Liblfl32.exe
2548 | Llcehg32.exe
2444 | Lbmnea32.exe
864 | Llhocfnb.exe
1424 | Ladgkmlj.exe
1668 | Mllhne32.exe
1680 | Momapqgn.exe
108 | Manjaldo.exe
2916 | Miiofn32.exe
1900 | Npechhgd.exe
2256 | Nlldmimi.exe
2180 | Naimepkp.exe
940 | Ndjfgkha.exe
2296 | Neibanod.exe
2996 | Oapcfo32.exe
1872 | Ogmkne32.exe
1612 | Oabplobe.exe
2252 | Occlcg32.exe
824 | Okkddd32.exe
2636 | Oqgmmk32.exe
2148 | Ogaeieoj.exe
1356 | Omnmal32.exe
1584 | Ogdaod32.exe
812 | Omqjgl32.exe
2592 | Ockbdebl.exe
2808 | Pmcgmkil.exe
1328 | Poacighp.exe
2468 | Pmecbkgj.exe
2488 | Podpoffm.exe
1600 | Peqhgmdd.exe
2264 | Pkjqcg32.exe
1756 | Pecelm32.exe
2836 | Pgaahh32.exe
1092 | Pnkiebib.exe
3044 | Pajeanhf.exe
1908 | Pkojoghl.exe
2384 | Pjbjjc32.exe
1868 | Pegnglnm.exe
2144 | Qgfkchmp.exe
2880 | Qnpcpa32.exe
900 | Qmcclolh.exe
1820 | Qghgigkn.exe
880 | Qfkgdd32.exe
1884 | Apclnj32.exe
632 | Abbhje32.exe
2344 | Ajipkb32.exe
1548 | Amglgn32.exe
3032 | Acadchoo.exe
2656 | Aebakp32.exe
2572 | Ainmlomf.exe
2644 | Aphehidc.exe
2620 | Abgaeddg.exe
2472 | Aeenapck.exe
2940 | Ahcjmkbo.exe
1692 | Anmbje32.exe
1720 | Aalofa32.exe
2024 | Aicfgn32.exe
2116 | Anpooe32.exe
2936 | Aankkqfl.exe
2380 | Bldpiifb.exe
1984 | Bobleeef.exe
2096 | Bhjpnj32.exe
Loads dropped DLL (64 IoCs)
Processes: 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe, Kepgmh32.exe, Knikfnih.exe, Liblfl32.exe, Llcehg32.exe, Lbmnea32.exe, Llhocfnb.exe, Ladgkmlj.exe, Mllhne32.exe, Momapqgn.exe, Manjaldo.exe, Miiofn32.exe, Npechhgd.exe, Nlldmimi.exe, Naimepkp.exe, Ndjfgkha.exe, Neibanod.exe, Oapcfo32.exe, Ogmkne32.exe, Oabplobe.exe, Occlcg32.exe, Okkddd32.exe, Oqgmmk32.exe, Ogaeieoj.exe, Omnmal32.exe, Ogdaod32.exe, Omqjgl32.exe, Ockbdebl.exe, Pmcgmkil.exe, Poacighp.exe, Pmecbkgj.exe, Podpoffm.exe
pid | process
1040 | 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
1040 | 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
2848 | Kepgmh32.exe
2848 | Kepgmh32.exe
2668 | Knikfnih.exe
2668 | Knikfnih.exe
2756 | Liblfl32.exe
2756 | Liblfl32.exe
2548 | Llcehg32.exe
2548 | Llcehg32.exe
2444 | Lbmnea32.exe
2444 | Lbmnea32.exe
864 | Llhocfnb.exe
864 | Llhocfnb.exe
1424 | Ladgkmlj.exe
1424 | Ladgkmlj.exe
1668 | Mllhne32.exe
1668 | Mllhne32.exe
1680 | Momapqgn.exe
1680 | Momapqgn.exe
108 | Manjaldo.exe
108 | Manjaldo.exe
2916 | Miiofn32.exe
2916 | Miiofn32.exe
1900 | Npechhgd.exe
1900 | Npechhgd.exe
2256 | Nlldmimi.exe
2256 | Nlldmimi.exe
2180 | Naimepkp.exe
2180 | Naimepkp.exe
940 | Ndjfgkha.exe
940 | Ndjfgkha.exe
2296 | Neibanod.exe
2296 | Neibanod.exe
2996 | Oapcfo32.exe
2996 | Oapcfo32.exe
1872 | Ogmkne32.exe
1872 | Ogmkne32.exe
1612 | Oabplobe.exe
1612 | Oabplobe.exe
2252 | Occlcg32.exe
2252 | Occlcg32.exe
824 | Okkddd32.exe
824 | Okkddd32.exe
2636 | Oqgmmk32.exe
2636 | Oqgmmk32.exe
2148 | Ogaeieoj.exe
2148 | Ogaeieoj.exe
1356 | Omnmal32.exe
1356 | Omnmal32.exe
1584 | Ogdaod32.exe
1584 | Ogdaod32.exe
812 | Omqjgl32.exe
812 | Omqjgl32.exe
2592 | Ockbdebl.exe
2592 | Ockbdebl.exe
2808 | Pmcgmkil.exe
2808 | Pmcgmkil.exe
1328 | Poacighp.exe
1328 | Poacighp.exe
2468 | Pmecbkgj.exe
2468 | Pmecbkgj.exe
2488 | Podpoffm.exe
2488 | Podpoffm.exe
Drops file in System32 directory (64 IoCs)
Processes: Neibanod.exe, Ogaeieoj.exe, Iecdji32.exe, Kgdiho32.exe, Maocekoo.exe, Blgeahoo.exe, Jpcdqpqj.exe, Mjmnmk32.exe, Oheppe32.exe, Llhocfnb.exe, Ogdaod32.exe, Qgfkchmp.exe, Dgkiih32.exe, Olgpff32.exe, Fqkieogp.exe, Ndgbgefh.exe, Pjjmonac.exe, Elbmkm32.exe, Gindjqnc.exe, Heijidbn.exe, Jnpoie32.exe, Jndhddaf.exe, Gjemoi32.exe, Noepdo32.exe, Polobd32.exe, Bomhnb32.exe, Iokahhac.exe, Cpbnaj32.exe, Egchmfnd.exe, Nfmahkhh.exe, Jcaqmkpn.exe, Lgabgl32.exe, Pmfmej32.exe, Bneancnc.exe, Ejdaoa32.exe, Ejfnda32.exe, Edpoeoea.exe, Fcjeakfd.exe, Mjpkbk32.exe, Liblfl32.exe, Acadchoo.exe, Ljjhdm32.exe, Qmpplh32.exe, Acbnggjo.exe, Agqfme32.exe, Jhniebne.exe, Bhmmcjjd.exe, Ciglaa32.exe, Ebicee32.exe, Iijfoh32.exe, Lefikg32.exe, Oqmokioh.exe, Pncljmko.exe, Enbapf32.exe, Aglmbfdk.exe, Hndoifdp.exe, Hengep32.exe, Aankkqfl.exe, Injlkf32.exe, Pmiikipg.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Oapcfo32.exe | Neibanod.exe
File opened for modification | C:\Windows\SysWOW64\Omnmal32.exe | Ogaeieoj.exe
File created | C:\Windows\SysWOW64\Kpclfokl.dll | Iecdji32.exe
File created | C:\Windows\SysWOW64\Kjcedj32.exe | Kgdiho32.exe
File opened for modification | C:\Windows\SysWOW64\Mejoei32.exe | Maocekoo.exe
File created | C:\Windows\SysWOW64\Knaaiakh.dll | Blgeahoo.exe
File opened for modification | C:\Windows\SysWOW64\Jcaqmkpn.exe | Jpcdqpqj.exe
File created | C:\Windows\SysWOW64\Aafdca32.dll | Mjmnmk32.exe
File created | C:\Windows\SysWOW64\Khhaomjd.dll | Oheppe32.exe
File opened for modification | C:\Windows\SysWOW64\Ladgkmlj.exe | Llhocfnb.exe
File opened for modification | C:\Windows\SysWOW64\Omqjgl32.exe | Ogdaod32.exe
File created | C:\Windows\SysWOW64\Qnpcpa32.exe | Qgfkchmp.exe
File created | C:\Windows\SysWOW64\Dfniee32.exe | Dgkiih32.exe
File created | C:\Windows\SysWOW64\Omhnhcnn.dll | Olgpff32.exe
File opened for modification | C:\Windows\SysWOW64\Fcjeakfd.exe | Fqkieogp.exe
File opened for modification | C:\Windows\SysWOW64\Nkqjdo32.exe | Ndgbgefh.exe
File created | C:\Windows\SysWOW64\Ekpcei32.dll | Pjjmonac.exe
File created | C:\Windows\SysWOW64\Cbfajl32.dll | Elbmkm32.exe
File created | C:\Windows\SysWOW64\Gcchgini.exe | Gindjqnc.exe
File created | C:\Windows\SysWOW64\Hmpbja32.exe | Heijidbn.exe
File created | C:\Windows\SysWOW64\Nlcbociq.dll | Jnpoie32.exe
File created | C:\Windows\SysWOW64\Jpcdqpqj.exe | Jndhddaf.exe
File opened for modification | C:\Windows\SysWOW64\Gihnkejd.exe | Gjemoi32.exe
File created | C:\Windows\SysWOW64\Nhclfogi.dll | Noepdo32.exe
File created | C:\Windows\SysWOW64\Ikgbof32.dll | Polobd32.exe
File created | C:\Windows\SysWOW64\Befpkmph.exe | Bomhnb32.exe
File created | C:\Windows\SysWOW64\Nkifkh32.dll | Iokahhac.exe
File created | C:\Windows\SysWOW64\Fdnpephg.dll | Cpbnaj32.exe
File opened for modification | C:\Windows\SysWOW64\Ejadibmh.exe | Egchmfnd.exe
File created | C:\Windows\SysWOW64\Nmgjee32.exe | Nfmahkhh.exe
File created | C:\Windows\SysWOW64\Kihjmonk.dll | Jcaqmkpn.exe
File created | C:\Windows\SysWOW64\Ljpnch32.exe | Lgabgl32.exe
File created | C:\Windows\SysWOW64\Fmehidpd.dll | Pmfmej32.exe
File created | C:\Windows\SysWOW64\Ogmmfl32.dll | Bneancnc.exe
File created | C:\Windows\SysWOW64\Libiii32.dll | Ejdaoa32.exe
File created | C:\Windows\SysWOW64\Ekhjlioa.exe | Ejfnda32.exe
File opened for modification | C:\Windows\SysWOW64\Ehlkfn32.exe | Edpoeoea.exe
File created | C:\Windows\SysWOW64\Bepjjn32.exe | Bneancnc.exe
File opened for modification | C:\Windows\SysWOW64\Fkambhgf.exe | Fcjeakfd.exe
File created | C:\Windows\SysWOW64\Mmngof32.exe | Mjpkbk32.exe
File opened for modification | C:\Windows\SysWOW64\Mmngof32.exe | Mjpkbk32.exe
File opened for modification | C:\Windows\SysWOW64\Llcehg32.exe | Liblfl32.exe
File opened for modification | C:\Windows\SysWOW64\Aebakp32.exe | Acadchoo.exe
File created | C:\Windows\SysWOW64\Phjflgea.dll | Acadchoo.exe
File created | C:\Windows\SysWOW64\Limhpihl.exe | Ljjhdm32.exe
File created | C:\Windows\SysWOW64\Cfmjiqbg.dll | Qmpplh32.exe
File created | C:\Windows\SysWOW64\Akjfhdka.exe | Acbnggjo.exe
File created | C:\Windows\SysWOW64\Ammoel32.exe | Agqfme32.exe
File created | C:\Windows\SysWOW64\Jcdmbk32.exe | Jhniebne.exe
File created | C:\Windows\SysWOW64\Kpfdhgca.dll | Bhmmcjjd.exe
File opened for modification | C:\Windows\SysWOW64\Clfhml32.exe | Ciglaa32.exe
File opened for modification | C:\Windows\SysWOW64\Efeoedjo.exe | Ebicee32.exe
File created | C:\Windows\SysWOW64\Iaaoqf32.exe | Iijfoh32.exe
File created | C:\Windows\SysWOW64\Ahqfladk.dll | Lefikg32.exe
File opened for modification | C:\Windows\SysWOW64\Ohdglfoj.exe | Oqmokioh.exe
File created | C:\Windows\SysWOW64\Pmfmej32.exe | Pncljmko.exe
File created | C:\Windows\SysWOW64\Aebakp32.exe | Acadchoo.exe
File created | C:\Windows\SysWOW64\Fmhljo32.dll | Enbapf32.exe
File created | C:\Windows\SysWOW64\Ajjinaco.exe | Aglmbfdk.exe
File created | C:\Windows\SysWOW64\Knmmkb32.dll | Hndoifdp.exe
File created | C:\Windows\SysWOW64\Dokpie32.dll | Hengep32.exe
File opened for modification | C:\Windows\SysWOW64\Bldpiifb.exe | Aankkqfl.exe
File created | C:\Windows\SysWOW64\Fammqaeq.dll | Injlkf32.exe
File created | C:\Windows\SysWOW64\Mjneoljh.dll | Pmiikipg.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
5684 | 5556 | WerFault.exe | Ockdmn32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Poacighp.exe, Ehlkfn32.exe, Kepgmh32.exe, Anpooe32.exe, Gdkebolm.exe, Kopnma32.exe, Kgoebmip.exe, Mffkgl32.exe, Nkbcgnie.exe, Anmbje32.exe, Dleelp32.exe, Gamifcmi.exe, Jgnchplb.exe, Aadakl32.exe, Edpoeoea.exe, Malpee32.exe, Oapcfo32.exe, Gahpkd32.exe, Bleilh32.exe, Jpcdqpqj.exe, Kjihci32.exe, Kninog32.exe, Bomhnb32.exe, Elbmkm32.exe, Lbmnea32.exe, Momapqgn.exe, Qnpcpa32.exe, Hlkcbp32.exe, Lefikg32.exe, Aebjaj32.exe, Jcaqmkpn.exe, Lqgjkbop.exe, Naimepkp.exe, Hdhdlbpk.exe, Ikicikap.exe, Oemhjlha.exe, Feiaknmg.exe, Gabofn32.exe, Noepdo32.exe, Hdhnal32.exe, Ndjhpcoe.exe, Oaqeogll.exe, Amglgn32.exe, Glkgcmbg.exe, Ijampgde.exe, Kjcedj32.exe, Ejdaoa32.exe, Jghcbjll.exe, Cabaec32.exe, Emjjfb32.exe, Fmlglb32.exe, Kjhopjqi.exe, Mlpngd32.exe, Oddbqhkf.exe, 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe, Amplklmj.exe, Bepjjn32.exe, Lbbiii32.exe, Lndqbk32.exe, Oheppe32.exe, Gplebjbk.exe, Opebpdad.exe, Mfihml32.exe, Dgfpni32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Poacighp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehlkfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kepgmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anpooe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdkebolm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kopnma32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgoebmip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mffkgl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkbcgnie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anmbje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dleelp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gamifcmi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgnchplb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aadakl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edpoeoea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Malpee32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oapcfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gahpkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bleilh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpcdqpqj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjihci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kninog32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bomhnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elbmkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbmnea32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Momapqgn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qnpcpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlkcbp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lefikg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aebjaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcaqmkpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqgjkbop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Naimepkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdhdlbpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikicikap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oemhjlha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feiaknmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gabofn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Noepdo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdhnal32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndjhpcoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oaqeogll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amglgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glkgcmbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijampgde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjcedj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejdaoa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jghcbjll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cabaec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emjjfb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmlglb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjhopjqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlpngd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oddbqhkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amplklmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bepjjn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbbiii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lndqbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oheppe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gplebjbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opebpdad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfihml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgfpni32.exe
Modifies registry class 64 IoCs
Processes:
Dpcnbn32.exeLimhpihl.exeHengep32.exeJpcdqpqj.exeMjmnmk32.exeOheppe32.exeBacefpbg.exeDleelp32.exeDkjkcfjc.exeNlldmimi.exeHdkaabnh.exeKbcddlnd.exeMaocekoo.exeNdbile32.exePgjdmc32.exeApnhggln.exeOphoecoa.exeNdjfgkha.exeDkmncl32.exeEqnillbb.exeBhjpnj32.exeIijfoh32.exePqgbah32.exeBhnffi32.exeBefpkmph.exeQfkgdd32.exeMcbmmbhb.exeBomhnb32.exeDcjmcd32.exeDlbaljhn.exeFkldgi32.exeGapoob32.exeJdlclo32.exeIecdji32.exeNpppaejj.exeGhddnnfi.exeColdmfkf.exeFnkpcd32.exeLomglo32.exeLckpbm32.exeAphehidc.exeBiccfalm.exeMbpibm32.exeMoccnoni.exeOqmokioh.exePfcjiodd.exeFqkieogp.exeLiekddkh.exeDnnkec32.exeGpmllpef.exeHdhdlbpk.exeGcchgini.exeHeijidbn.exeKkaolm32.exeMfihml32.exePkojoghl.exeDncdqcbl.exeMbjfcnkg.exeHndoifdp.exeJoekimld.exeKggfnoch.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpcnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Limhpihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokpie32.dll" Hengep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfkkmab.dll" Jpcdqpqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafdca32.dll" Mjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll" Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohiimmp.dll" Bacefpbg.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dleelp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkjkcfjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlldmimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndcjglje.dll" Hdkaabnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keokbali.dll" Kbcddlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndbile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgjdmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Apnhggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgjoqd32.dll" Ophoecoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peiejhfb.dll" Ndjfgkha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = 
"Apartment" Eqnillbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhjpnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdbbjll.dll" Iijfoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqgbah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojkgjkh.dll" Bhnffi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Befpkmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll" Qfkgdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcbmmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdhaj32.dll" Bomhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedeohin.dll" Dcjmcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifakkod.dll" Dlbaljhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkldgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhjcncb.dll" Gapoob32.exe Set value 
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (each entry is a child process of the entry above it; depth in the tree, image path, PID, command line as launched, then the signatures that process triggered):
- depth 1: C:\Users\Admin\AppData\Local\Temp\97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe (PID 1040, command line "C:\Users\Admin\AppData\Local\Temp\97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe"): Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 2: C:\Windows\SysWOW64\Kepgmh32.exe (PID 2848, command line C:\Windows\system32\Kepgmh32.exe): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 3: C:\Windows\SysWOW64\Knikfnih.exe (PID 2668, command line C:\Windows\system32\Knikfnih.exe): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- depth 4: C:\Windows\SysWOW64\Liblfl32.exe (PID 2756, command line C:\Windows\system32\Liblfl32.exe): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 5: C:\Windows\SysWOW64\Llcehg32.exe (PID 2548, command line C:\Windows\system32\Llcehg32.exe): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- depth 6: C:\Windows\SysWOW64\Lbmnea32.exe (PID 2444, command line C:\Windows\system32\Lbmnea32.exe): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 7: C:\Windows\SysWOW64\Llhocfnb.exe (PID 864, command line C:\Windows\system32\Llhocfnb.exe): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 8: C:\Windows\SysWOW64\Ladgkmlj.exe (PID 1424, command line C:\Windows\system32\Ladgkmlj.exe): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- depth 9: C:\Windows\SysWOW64\Mllhne32.exe (PID 1668, command line C:\Windows\system32\Mllhne32.exe): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- depth 10: C:\Windows\SysWOW64\Momapqgn.exe (PID 1680, command line C:\Windows\system32\Momapqgn.exe): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 11: C:\Windows\SysWOW64\Manjaldo.exe (PID 108, command line C:\Windows\system32\Manjaldo.exe): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- depth 12: C:\Windows\SysWOW64\Miiofn32.exe (PID 2916, command line C:\Windows\system32\Miiofn32.exe): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- depth 13: C:\Windows\SysWOW64\Npechhgd.exe (PID 1900, command line C:\Windows\system32\Npechhgd.exe): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- depth 14: C:\Windows\SysWOW64\Nlldmimi.exe (PID 2256, command line C:\Windows\system32\Nlldmimi.exe): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 15: C:\Windows\SysWOW64\Naimepkp.exe (PID 2180, command line C:\Windows\system32\Naimepkp.exe): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 16: C:\Windows\SysWOW64\Ndjfgkha.exe (PID 940, command line C:\Windows\system32\Ndjfgkha.exe): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 17: C:\Windows\SysWOW64\Neibanod.exe (PID 2296, command line C:\Windows\system32\Neibanod.exe): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- depth 18: C:\Windows\SysWOW64\Oapcfo32.exe (PID 2996, command line C:\Windows\system32\Oapcfo32.exe): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- depth 19: C:\Windows\SysWOW64\Ogmkne32.exe (PID 1872, command line C:\Windows\system32\Ogmkne32.exe): Executes dropped EXE; Loads dropped DLL
- depth 20: C:\Windows\SysWOW64\Oabplobe.exe (PID 1612, command line C:\Windows\system32\Oabplobe.exe): Executes dropped EXE; Loads dropped DLL
- depth 21: C:\Windows\SysWOW64\Occlcg32.exe (PID 2252, command line C:\Windows\system32\Occlcg32.exe): Executes dropped EXE; Loads dropped DLL
- depth 22: C:\Windows\SysWOW64\Okkddd32.exe (PID 824, command line C:\Windows\system32\Okkddd32.exe): Executes dropped EXE; Loads dropped DLL
- depth 23: C:\Windows\SysWOW64\Oqgmmk32.exe (PID 2636, command line C:\Windows\system32\Oqgmmk32.exe): Executes dropped EXE; Loads dropped DLL
- depth 24: C:\Windows\SysWOW64\Ogaeieoj.exe (PID 2148, command line C:\Windows\system32\Ogaeieoj.exe): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- depth 25: C:\Windows\SysWOW64\Omnmal32.exe (PID 1356, command line C:\Windows\system32\Omnmal32.exe): Executes dropped EXE; Loads dropped DLL
- depth 26: C:\Windows\SysWOW64\Ogdaod32.exe (PID 1584, command line C:\Windows\system32\Ogdaod32.exe): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- depth 27: C:\Windows\SysWOW64\Omqjgl32.exe (PID 812, command line C:\Windows\system32\Omqjgl32.exe): Executes dropped EXE; Loads dropped DLL
- depth 28: C:\Windows\SysWOW64\Ockbdebl.exe (PID 2592, command line C:\Windows\system32\Ockbdebl.exe): Executes dropped EXE; Loads dropped DLL
- depth 29: C:\Windows\SysWOW64\Pmcgmkil.exe (PID 2808, command line C:\Windows\system32\Pmcgmkil.exe): Executes dropped EXE; Loads dropped DLL
- depth 30: C:\Windows\SysWOW64\Poacighp.exe (PID 1328, command line C:\Windows\system32\Poacighp.exe): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- depth 31: C:\Windows\SysWOW64\Pmecbkgj.exe (PID 2468, command line C:\Windows\system32\Pmecbkgj.exe): Executes dropped EXE; Loads dropped DLL
- depth 32: C:\Windows\SysWOW64\Podpoffm.exe (PID 2488, command line C:\Windows\system32\Podpoffm.exe): Executes dropped EXE; Loads dropped DLL
- depth 33: C:\Windows\SysWOW64\Peqhgmdd.exe (PID 1600, command line C:\Windows\system32\Peqhgmdd.exe): Executes dropped EXE
- depth 34: C:\Windows\SysWOW64\Pkjqcg32.exe (PID 2264, command line C:\Windows\system32\Pkjqcg32.exe): Executes dropped EXE
- depth 35: C:\Windows\SysWOW64\Pecelm32.exe (PID 1756, command line C:\Windows\system32\Pecelm32.exe): Executes dropped EXE
- depth 36: C:\Windows\SysWOW64\Pgaahh32.exe (PID 2836, command line C:\Windows\system32\Pgaahh32.exe): Executes dropped EXE
- depth 37: C:\Windows\SysWOW64\Pnkiebib.exe (PID 1092, command line C:\Windows\system32\Pnkiebib.exe): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 38: C:\Windows\SysWOW64\Pajeanhf.exe (PID 3044, command line C:\Windows\system32\Pajeanhf.exe): Executes dropped EXE
- depth 39: C:\Windows\SysWOW64\Pkojoghl.exe (PID 1908, command line C:\Windows\system32\Pkojoghl.exe): Executes dropped EXE; Modifies registry class
- depth 40: C:\Windows\SysWOW64\Pjbjjc32.exe (PID 2384, command line C:\Windows\system32\Pjbjjc32.exe): Executes dropped EXE
- depth 41: C:\Windows\SysWOW64\Pegnglnm.exe (PID 1868, command line C:\Windows\system32\Pegnglnm.exe): Executes dropped EXE
- depth 42: C:\Windows\SysWOW64\Qgfkchmp.exe (PID 2144, command line C:\Windows\system32\Qgfkchmp.exe): Executes dropped EXE; Drops file in System32 directory
- depth 43: C:\Windows\SysWOW64\Qnpcpa32.exe (PID 2880, command line C:\Windows\system32\Qnpcpa32.exe): Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 44: C:\Windows\SysWOW64\Qmcclolh.exe (PID 900, command line C:\Windows\system32\Qmcclolh.exe): Executes dropped EXE
- depth 45: C:\Windows\SysWOW64\Qghgigkn.exe (PID 1820, command line C:\Windows\system32\Qghgigkn.exe): Executes dropped EXE
- depth 46: C:\Windows\SysWOW64\Qfkgdd32.exe (PID 880, command line C:\Windows\system32\Qfkgdd32.exe): Executes dropped EXE; Modifies registry class
- depth 47: C:\Windows\SysWOW64\Apclnj32.exe (PID 1884, command line C:\Windows\system32\Apclnj32.exe): Executes dropped EXE
- depth 48: C:\Windows\SysWOW64\Abbhje32.exe (PID 632, command line C:\Windows\system32\Abbhje32.exe): Executes dropped EXE
- depth 49: C:\Windows\SysWOW64\Ajipkb32.exe (PID 2344, command line C:\Windows\system32\Ajipkb32.exe): Executes dropped EXE
- depth 50: C:\Windows\SysWOW64\Amglgn32.exe (PID 1548, command line C:\Windows\system32\Amglgn32.exe): Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 51: C:\Windows\SysWOW64\Acadchoo.exe (PID 3032, command line C:\Windows\system32\Acadchoo.exe): Executes dropped EXE; Drops file in System32 directory
- depth 52: C:\Windows\SysWOW64\Aebakp32.exe (PID 2656, command line C:\Windows\system32\Aebakp32.exe): Executes dropped EXE
- depth 53: C:\Windows\SysWOW64\Ainmlomf.exe (PID 2572, command line C:\Windows\system32\Ainmlomf.exe): Executes dropped EXE
- depth 54: C:\Windows\SysWOW64\Aphehidc.exe (PID 2644, command line C:\Windows\system32\Aphehidc.exe): Executes dropped EXE; Modifies registry class
- depth 55: C:\Windows\SysWOW64\Abgaeddg.exe (PID 2620, command line C:\Windows\system32\Abgaeddg.exe): Executes dropped EXE
- depth 56: C:\Windows\SysWOW64\Aeenapck.exe (PID 2472, command line C:\Windows\system32\Aeenapck.exe): Executes dropped EXE
- depth 57: C:\Windows\SysWOW64\Ahcjmkbo.exe (PID 2940, command line C:\Windows\system32\Ahcjmkbo.exe): Executes dropped EXE
- depth 58: C:\Windows\SysWOW64\Anmbje32.exe (PID 1692, command line C:\Windows\system32\Anmbje32.exe): Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 59: C:\Windows\SysWOW64\Aalofa32.exe (PID 1720, command line C:\Windows\system32\Aalofa32.exe): Executes dropped EXE
- depth 60: C:\Windows\SysWOW64\Aicfgn32.exe (PID 2024, command line C:\Windows\system32\Aicfgn32.exe): Executes dropped EXE
- depth 61: C:\Windows\SysWOW64\Anpooe32.exe (PID 2116, command line C:\Windows\system32\Anpooe32.exe): Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 62: C:\Windows\SysWOW64\Aankkqfl.exe (PID 2936, command line C:\Windows\system32\Aankkqfl.exe): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
- depth 63: C:\Windows\SysWOW64\Bldpiifb.exe (PID 2380, command line C:\Windows\system32\Bldpiifb.exe): Executes dropped EXE
- depth 64: C:\Windows\SysWOW64\Bobleeef.exe (PID 1984, command line C:\Windows\system32\Bobleeef.exe): Executes dropped EXE
- depth 65: C:\Windows\SysWOW64\Bhjpnj32.exe (PID 2096, command line C:\Windows\system32\Bhjpnj32.exe): Executes dropped EXE; Modifies registry class
- depth 66: C:\Windows\SysWOW64\Bodhjdcc.exe (PID 1672, command line C:\Windows\system32\Bodhjdcc.exe): no signatures
- depth 67: C:\Windows\SysWOW64\Bacefpbg.exe (PID 2712, command line C:\Windows\system32\Bacefpbg.exe): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- depth 68: C:\Windows\SysWOW64\Bhmmcjjd.exe (PID 1400, command line C:\Windows\system32\Bhmmcjjd.exe): Drops file in System32 directory
- depth 69: C:\Windows\SysWOW64\Binikb32.exe (PID 784, command line C:\Windows\system32\Binikb32.exe): no signatures
- depth 70: C:\Windows\SysWOW64\Baealp32.exe (PID 1620, command line C:\Windows\system32\Baealp32.exe): no signatures
- depth 71: C:\Windows\SysWOW64\Bbfnchfb.exe (PID 3024, command line C:\Windows\system32\Bbfnchfb.exe): Adds autorun key to be loaded by Explorer.exe on startup
- depth 72: C:\Windows\SysWOW64\Bknfeege.exe (PID 1640, command line C:\Windows\system32\Bknfeege.exe): no signatures
- depth 73: C:\Windows\SysWOW64\Blobmm32.exe (PID 1688, command line C:\Windows\system32\Blobmm32.exe): no signatures
- depth 74: C:\Windows\SysWOW64\Bpjnmlel.exe (PID 2660, command line C:\Windows\system32\Bpjnmlel.exe): no signatures
- depth 75: C:\Windows\SysWOW64\Beggec32.exe (PID 2604, command line C:\Windows\system32\Beggec32.exe): no signatures
- depth 76: C:\Windows\SysWOW64\Biccfalm.exe (PID 2608, command line C:\Windows\system32\Biccfalm.exe): Modifies registry class
- depth 77: C:\Windows\SysWOW64\Bpmkbl32.exe (PID 2612, command line C:\Windows\system32\Bpmkbl32.exe): Adds autorun key to be loaded by Explorer.exe on startup
- depth 78: C:\Windows\SysWOW64\Cbkgog32.exe (PID 2956, command line C:\Windows\system32\Cbkgog32.exe): no signatures
- depth 79: C:\Windows\SysWOW64\Chhpgn32.exe (PID 1228, command line C:\Windows\system32\Chhpgn32.exe): no signatures
- depth 80: C:\Windows\SysWOW64\Cpohhk32.exe (PID 2300, command line C:\Windows\system32\Cpohhk32.exe): no signatures
- depth 81: C:\Windows\SysWOW64\Ciglaa32.exe (PID 2008, command line C:\Windows\system32\Ciglaa32.exe): Drops file in System32 directory
- depth 82: C:\Windows\SysWOW64\Clfhml32.exe (PID 2000, command line C:\Windows\system32\Clfhml32.exe): no signatures
- depth 83: C:\Windows\SysWOW64\Cabaec32.exe (PID 2428, command line C:\Windows\system32\Cabaec32.exe): System Location Discovery: System Language Discovery
- depth 84: C:\Windows\SysWOW64\Cdamao32.exe (PID 776, command line C:\Windows\system32\Cdamao32.exe): no signatures
- depth 85: C:\Windows\SysWOW64\Clhecl32.exe (PID 1196, command line C:\Windows\system32\Clhecl32.exe): Adds autorun key to be loaded by Explorer.exe on startup
- depth 86: C:\Windows\SysWOW64\Ckkenikc.exe (PID 1648, command line C:\Windows\system32\Ckkenikc.exe): no signatures
- depth 87: C:\Windows\SysWOW64\Cdcjgnbc.exe (PID 336, command line C:\Windows\system32\Cdcjgnbc.exe): Adds autorun key to be loaded by Explorer.exe on startup
- depth 88: C:\Windows\SysWOW64\Chofhm32.exe (PID 540, command line C:\Windows\system32\Chofhm32.exe): no signatures
- depth 89: C:\Windows\SysWOW64\Cpjklo32.exe (PID 2624, command line C:\Windows\system32\Cpjklo32.exe): no signatures
- depth 90: C:\Windows\SysWOW64\Chabmm32.exe (PID 2220, command line C:\Windows\system32\Chabmm32.exe): Adds autorun key to be loaded by Explorer.exe on startup
- depth 91: C:\Windows\SysWOW64\Dnnkec32.exe (PID 2324, command line C:\Windows\system32\Dnnkec32.exe): Modifies registry class
- depth 92: C:\Windows\SysWOW64\Dajgfboj.exe (PID 2864, command line C:\Windows\system32\Dajgfboj.exe): no signatures
- depth 93: C:\Windows\SysWOW64\Dgfpni32.exe (PID 2628, command line C:\Windows\system32\Dgfpni32.exe): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- depth 94: C:\Windows\SysWOW64\Dkblohek.exe (PID 2520, command line C:\Windows\system32\Dkblohek.exe): no signatures
- depth 95: C:\Windows\SysWOW64\Ddjphm32.exe (PID 1100, command line C:\Windows\system32\Ddjphm32.exe): no signatures
- depth 96: C:\Windows\SysWOW64\Dgildi32.exe (PID 448, command line C:\Windows\system32\Dgildi32.exe): no signatures
- depth 97: C:\Windows\SysWOW64\Dncdqcbl.exe (PID 1456, command line C:\Windows\system32\Dncdqcbl.exe): Modifies registry class
- depth 98: C:\Windows\SysWOW64\Dleelp32.exe (PID 1124, command line C:\Windows\system32\Dleelp32.exe): System Location Discovery: System Language Discovery; Modifies registry class
- depth 99: C:\Windows\SysWOW64\Dgkiih32.exe (PID 1428, command line C:\Windows\system32\Dgkiih32.exe): Drops file in System32 directory
- depth 100: C:\Windows\SysWOW64\Dfniee32.exe (PID 668, command line C:\Windows\system32\Dfniee32.exe): no signatures
- depth 101: C:\Windows\SysWOW64\Dpcnbn32.exe (PID 1712, command line C:\Windows\system32\Dpcnbn32.exe): Modifies registry class
- depth 102: C:\Windows\SysWOW64\Dfpfke32.exe (PID 872, command line C:\Windows\system32\Dfpfke32.exe): no signatures
- depth 103: C:\Windows\SysWOW64\Dhobgp32.exe (PID 1460, command line C:\Windows\system32\Dhobgp32.exe): no signatures
- depth 104: C:\Windows\SysWOW64\Dkmncl32.exe (PID 1740, command line C:\Windows\system32\Dkmncl32.exe): Modifies registry class
- depth 105: C:\Windows\SysWOW64\Dfbbpd32.exe (PID 1160, command line C:\Windows\system32\Dfbbpd32.exe): no signatures
- depth 106: C:\Windows\SysWOW64\Edeclabl.exe (PID 2124, command line C:\Windows\system32\Edeclabl.exe): no signatures
- depth 107: C:\Windows\SysWOW64\Eokgij32.exe (PID 1588, command line C:\Windows\system32\Eokgij32.exe): no signatures
- depth 108: C:\Windows\SysWOW64\Ebicee32.exe (PID 2480, command line C:\Windows\system32\Ebicee32.exe): Drops file in System32 directory
- depth 109: C:\Windows\SysWOW64\Efeoedjo.exe (PID 2544, command line C:\Windows\system32\Efeoedjo.exe): no signatures
- depth 110: C:\Windows\SysWOW64\Ehclbpic.exe (PID 1792, command line C:\Windows\system32\Ehclbpic.exe): no signatures
- depth 111: C:\Windows\SysWOW64\Eblpke32.exe (PID 1892, command line C:\Windows\system32\Eblpke32.exe): no signatures
- depth 112: C:\Windows\SysWOW64\Edjlgq32.exe (PID 1336, command line C:\Windows\system32\Edjlgq32.exe): Adds autorun key to be loaded by Explorer.exe on startup
- depth 113: C:\Windows\SysWOW64\Ekddck32.exe (PID 1000, command line C:\Windows\system32\Ekddck32.exe): no signatures
- depth 114: C:\Windows\SysWOW64\Enbapf32.exe (PID 1808, command line C:\Windows\system32\Enbapf32.exe): Drops file in System32 directory
- depth 115: C:\Windows\SysWOW64\Edmilpld.exe (PID 1700, command line C:\Windows\system32\Edmilpld.exe): no signatures
- depth 116: C:\Windows\SysWOW64\Egkehllh.exe (PID 1536, command line C:\Windows\system32\Egkehllh.exe): no signatures
- depth 117: C:\Windows\SysWOW64\Eqcjaa32.exe (PID 2856, command line C:\Windows\system32\Eqcjaa32.exe): Adds autorun key to be loaded by Explorer.exe on startup
- depth 118: C:\Windows\SysWOW64\Egmbnkie.exe (PID 2208, command line C:\Windows\system32\Egmbnkie.exe): no signatures
- depth 119: C:\Windows\SysWOW64\Emjjfb32.exe (PID 1716, command line C:\Windows\system32\Emjjfb32.exe): System Location Discovery: System Language Discovery
- depth 120: C:\Windows\SysWOW64\Fphgbn32.exe (PID 2596, command line C:\Windows\system32\Fphgbn32.exe): no signatures
- depth 121: C:\Windows\SysWOW64\Fgpock32.exe (PID 2584, command line C:\Windows\system32\Fgpock32.exe): no signatures
- depth 122: C:\Windows\SysWOW64\Fiakkcma.exe (PID 2560, command line C:\Windows\system32\Fiakkcma.exe): no signatures