Analysis
-
max time kernel
93s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:47
Static task
static1
Behavioral task
behavioral1
Sample
97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
Resource
win10v2004-20241007-en
General
-
Target
97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe
-
Size
401KB
-
MD5
cc0aaa82e40a81d4ca68aae1bab9871a
-
SHA1
8ffcedf92efeefe155eba2de8013f48d61126e05
-
SHA256
97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835
-
SHA512
a0fd95f11b03cd77040144f2acd317edd37111c76ed5b8c67c2af4bd34336de85e4595dee137a9dca5548baf27fd63acc9a20064c9ae0dac8bc514ab03a2f971
-
SSDEEP
6144:/rBU9cyvndpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836PGyA7:FUemndpV6yYP4rbpV6yYPg058KrY
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Imkbnf32.exeKakmna32.exeKbbhqn32.exeNknobkje.exeAleckinj.exePkcadhgm.exeBcfahbpo.exeLjdkll32.exeNlmdbh32.exeGnepna32.exeDoojec32.exeDndgfpbo.exeHeegad32.exeMjpbam32.exeMifljdjo.exeFmikeaap.exeMhoahh32.exeKgnbdh32.exeMgphpe32.exeKlggli32.exeMeefofek.exeNaaqofgj.exeDbjkkl32.exeAmjillkj.exePmkofa32.exeDkkaiphj.exeEbhglj32.exeIjcjmmil.exePmaffnce.exeFplpll32.exeBomkcm32.exeCkmonl32.exeIciaqc32.exeCfnjpfcl.exeJohnamkm.exeKiphjo32.exeJnhpoamf.exeEplgeokq.exePbjddh32.exeCcdnjp32.exeDpbdopck.exeOcdnln32.exeJdnoplhh.exeKjmmepfj.exeCcmgiaig.exeIlafiihp.exeChlflabp.exeKlndfj32.exeOjqcnhkl.exeLlhikacp.exeDjqblj32.exeGphphj32.exeCimmggfl.exeNbbeml32.exeCpacqg32.exeKilpmh32.exeMaodigil.exeAcfhad32.exeJklinohd.exeBheplb32.exeOcgkan32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nknobkje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aleckinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkcadhgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcfahbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljdkll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doojec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heegad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mifljdjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgnbdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klggli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meefofek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naaqofgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbjkkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjillkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmkofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebhglj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcjmmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckmonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnhpoamf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfahbpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbjddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpbdopck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdnln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnoplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilafiihp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlflabp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klndfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojqcnhkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djqblj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphphj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cimmggfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbeml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kilpmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocgkan32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Hnhghcki.exeIafonaao.exeIahlcaol.exeIdghpmnp.exeIjcahd32.exeInainbcn.exeIdkbkl32.exeJdnoplhh.exeJgogbgei.exeJnhpoamf.exeJqglkmlj.exeJhpqaiji.exeJjamia32.exeJibmgi32.exeJgenbfoa.exeJkaicd32.exeJjdjoane.exeJnpfop32.exeKqnbkl32.exeKdinljnk.exeKghjhemo.exeKkcfid32.exeKjffdalb.exeKnbbep32.exeKbmoen32.exeKelkaj32.exeKiggbhda.exeKgjgne32.exeKkfcndce.exeKndojobi.exeKbpkkn32.exeKenggi32.exeKijchhbo.exeKgmcce32.exeKjkpoq32.exeKnflpoqf.exeKbbhqn32.exeKeqdmihc.exeKilpmh32.exeKkjlic32.exeKjmmepfj.exeKbddfmgl.exeKageaj32.exeKinmcg32.exeKgamnded.exeKjpijpdg.exeKnkekn32.exeLajagj32.exeLeenhhdn.exeLgcjdd32.exeLkofdbkj.exeLnnbqnjn.exeLbinam32.exeLegjmh32.exeLicfngjd.exeLkabjbih.exeLnpofnhk.exeLbkkgl32.exeLejgch32.exeLieccf32.exeLldopb32.exeLjgpkonp.exeLbngllob.exeLaqhhi32.exepid process 4384 Hnhghcki.exe 1476 Iafonaao.exe 4588 Iahlcaol.exe 1988 Idghpmnp.exe 1152 Ijcahd32.exe 1632 Inainbcn.exe 4072 Idkbkl32.exe 4932 Jdnoplhh.exe 4832 Jgogbgei.exe 4800 Jnhpoamf.exe 3320 Jqglkmlj.exe 760 Jhpqaiji.exe 1388 Jjamia32.exe 1280 Jibmgi32.exe 3640 Jgenbfoa.exe 3144 Jkaicd32.exe 2264 Jjdjoane.exe 2152 Jnpfop32.exe 3476 Kqnbkl32.exe 2736 Kdinljnk.exe 1012 Kghjhemo.exe 3432 Kkcfid32.exe 2540 Kjffdalb.exe 3272 Knbbep32.exe 4960 Kbmoen32.exe 4024 Kelkaj32.exe 4716 Kiggbhda.exe 3864 Kgjgne32.exe 3896 Kkfcndce.exe 2812 Kndojobi.exe 4208 Kbpkkn32.exe 2180 Kenggi32.exe 4568 Kijchhbo.exe 4112 Kgmcce32.exe 3052 Kjkpoq32.exe 3600 Knflpoqf.exe 4936 Kbbhqn32.exe 3140 Keqdmihc.exe 232 Kilpmh32.exe 928 Kkjlic32.exe 4456 Kjmmepfj.exe 2388 Kbddfmgl.exe 4312 Kageaj32.exe 1064 Kinmcg32.exe 4712 Kgamnded.exe 2064 Kjpijpdg.exe 4532 Knkekn32.exe 3080 Lajagj32.exe 1164 Leenhhdn.exe 4196 Lgcjdd32.exe 4940 Lkofdbkj.exe 4664 Lnnbqnjn.exe 4392 Lbinam32.exe 3136 Legjmh32.exe 3316 Licfngjd.exe 1860 Lkabjbih.exe 1000 Lnpofnhk.exe 4440 Lbkkgl32.exe 2976 Lejgch32.exe 4108 Lieccf32.exe 5140 Lldopb32.exe 5172 Ljgpkonp.exe 5216 Lbngllob.exe 5252 Laqhhi32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pmbegqjk.exeAkcjkfij.exeJnhidk32.exeBadanigc.exeFmhdkknd.exeHekgfj32.exeJoekag32.exeMeefofek.exePolppg32.exeLgkpdcmi.exeCkmonl32.exeKdbjhbbd.exeNmlddqem.exeNajmjokc.exeKqnbkl32.exeEppqqn32.exeCponen32.exeLkalplel.exeMlkepaam.exeCioilg32.exeKngkqbgl.exeJbccge32.exePmkofa32.exeHnhghcki.exeKjffdalb.exeHeegad32.exeNciopppp.exeJklinohd.exeAdfnofpd.exePahilmoc.exeModgdicm.exeBlhpqhlh.exeGdjibj32.exeOblmdhdo.exeKgkfnh32.exeEdionhpn.exeNbphglbe.exeAaiqcnhg.exeBfolacnc.exeLieccf32.exeLeopnglc.exeOifeab32.exeGlipgf32.exeJdnoplhh.exeKdinljnk.exeBpkdjofm.exeQpbnhl32.exeCcppmc32.exeOkedcjcm.exeOobfob32.exeNjljch32.exePcbkml32.exeCcdnjp32.exeFmikeaap.exeIjcjmmil.exeCbpajgmf.exeKageaj32.exeFmfnpa32.exeLjdkll32.exePjoppf32.exeNafjjf32.exeNiakfbpa.exeQohpkf32.exedescription ioc process File created C:\Windows\SysWOW64\Qfjjpf32.exe Pmbegqjk.exe File created C:\Windows\SysWOW64\Ddfbhfmf.dll Akcjkfij.exe File created C:\Windows\SysWOW64\Jklinohd.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Jkdgfllg.dll Badanigc.exe File created C:\Windows\SysWOW64\Ibingd32.dll Fmhdkknd.exe File created C:\Windows\SysWOW64\Hoclopne.exe Hekgfj32.exe File opened for modification C:\Windows\SysWOW64\Jikoopij.exe Joekag32.exe File opened for modification C:\Windows\SysWOW64\Mhdckaeo.exe Meefofek.exe File created C:\Windows\SysWOW64\Pakllc32.exe Polppg32.exe File created C:\Windows\SysWOW64\Ljilqnlm.exe Lgkpdcmi.exe File created C:\Windows\SysWOW64\Abklmb32.dll Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Lklbdm32.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Fpkefnho.dll Nmlddqem.exe File created C:\Windows\SysWOW64\Cdbijb32.dll Najmjokc.exe File created C:\Windows\SysWOW64\Kdinljnk.exe Kqnbkl32.exe File opened for modification C:\Windows\SysWOW64\Ebommi32.exe Eppqqn32.exe File created C:\Windows\SysWOW64\Mmlmhc32.dll Cponen32.exe File created C:\Windows\SysWOW64\Lqndhcdc.exe Lkalplel.exe File opened for modification C:\Windows\SysWOW64\Ndflak32.exe Nmlddqem.exe File opened for modification C:\Windows\SysWOW64\Mjneln32.exe Mlkepaam.exe File opened for modification C:\Windows\SysWOW64\Ckmehb32.exe Cioilg32.exe File created C:\Windows\SysWOW64\Dmokdgeg.dll Kngkqbgl.exe File created C:\Windows\SysWOW64\Jeapcq32.exe Jbccge32.exe File created C:\Windows\SysWOW64\Cohddjgl.dll Pmkofa32.exe File opened for modification C:\Windows\SysWOW64\Iafonaao.exe Hnhghcki.exe File opened for modification C:\Windows\SysWOW64\Knbbep32.exe Kjffdalb.exe File created C:\Windows\SysWOW64\Hpkknmgd.exe Heegad32.exe File created C:\Windows\SysWOW64\Nhegig32.exe Nciopppp.exe File created C:\Windows\SysWOW64\Jlmfeg32.exe Jklinohd.exe File created C:\Windows\SysWOW64\Akqfkp32.exe Adfnofpd.exe File created C:\Windows\SysWOW64\Igpoaebh.dll Pahilmoc.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Modgdicm.exe File opened for modification C:\Windows\SysWOW64\Bkkple32.exe Blhpqhlh.exe File created C:\Windows\SysWOW64\Ghqomgid.dll Gdjibj32.exe File created C:\Windows\SysWOW64\Oaompd32.exe Oblmdhdo.exe File opened for modification C:\Windows\SysWOW64\Knenkbio.exe Kgkfnh32.exe File opened for modification C:\Windows\SysWOW64\Eghkjdoa.exe Edionhpn.exe File opened for modification C:\Windows\SysWOW64\Nijqcf32.exe Nbphglbe.exe File created C:\Windows\SysWOW64\Bfajnjho.dll Aaiqcnhg.exe File created C:\Windows\SysWOW64\Binhnomg.exe Bfolacnc.exe File created C:\Windows\SysWOW64\Ecbfdd32.dll Lieccf32.exe File opened for modification C:\Windows\SysWOW64\Lhmmjbkf.exe Leopnglc.exe File created C:\Windows\SysWOW64\Ohiemobf.exe Oifeab32.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Glipgf32.exe File opened for modification C:\Windows\SysWOW64\Jgogbgei.exe Jdnoplhh.exe File created C:\Windows\SysWOW64\Kghjhemo.exe Kdinljnk.exe File created C:\Windows\SysWOW64\Kolfbd32.dll Bpkdjofm.exe File created C:\Windows\SysWOW64\Inmalg32.dll Qpbnhl32.exe File created C:\Windows\SysWOW64\Mbddol32.dll Ccppmc32.exe File created C:\Windows\SysWOW64\Oblmdhdo.exe Okedcjcm.exe File opened for modification C:\Windows\SysWOW64\Oeokal32.exe Oobfob32.exe File created C:\Windows\SysWOW64\Niojoeel.exe Njljch32.exe File created C:\Windows\SysWOW64\Iheocj32.dll Pcbkml32.exe File opened for modification C:\Windows\SysWOW64\Cfcjfk32.exe Ccdnjp32.exe File created C:\Windows\SysWOW64\Fllkqn32.exe Fmikeaap.exe File created C:\Windows\SysWOW64\Ilafiihp.exe Ijcjmmil.exe File created C:\Windows\SysWOW64\Effkpc32.dll Cbpajgmf.exe File created C:\Windows\SysWOW64\Blhdmebn.dll Kageaj32.exe File opened for modification C:\Windows\SysWOW64\Fbcfhibj.exe Fmfnpa32.exe File opened for modification C:\Windows\SysWOW64\Loacdc32.exe Ljdkll32.exe File created C:\Windows\SysWOW64\Blcnqjjo.dll Pjoppf32.exe File created C:\Windows\SysWOW64\Hiikaj32.dll Nafjjf32.exe File created C:\Windows\SysWOW64\Hnhmla32.dll Niakfbpa.exe File opened for modification C:\Windows\SysWOW64\Qaflgago.exe Qohpkf32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5724 6624 WerFault.exe Diqnjl32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ccpdoqgd.exeQemhbj32.exePlpqil32.exeAhgjejhd.exeChiblk32.exeEdionhpn.exeMpapnfhg.exe97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exePiphgq32.exeQjiipk32.exeJlgoek32.exeMablfnne.exeNimmifgo.exeOondnini.exeKjccdkki.exeKncaec32.exeDpgnjo32.exeEbjcajjd.exePmoiqneg.exeGfjkjo32.exeMokmdh32.exeLbkkgl32.exeOihagaji.exeEmbddb32.exeDcigeooj.exeGdjibj32.exeFkofga32.exeMfkkqmiq.exeCajjjk32.exeLeenhhdn.exeCimmggfl.exeCfcjfk32.exeOehlkc32.exeAckbmcjl.exeLebijnak.exeKdinljnk.exeKjkpoq32.exeLhmmjbkf.exeNjmhhefi.exeOkkdic32.exeMgphpe32.exeKhlklj32.exeOkjnnj32.exePllgnl32.exeFipkjb32.exeCofecami.exeCkmehb32.exeCfipef32.exeApjkcadp.exeGiecfejd.exeMeamcg32.exeNihipdhl.exeCobkhb32.exeIhdldn32.exeNiojoeel.exePbjddh32.exeDndgfpbo.exeDglkoeio.exeGaebef32.exeMcdeeq32.exeAffikdfn.exeMajjng32.exeGbfldf32.exePonfka32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edionhpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpapnfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mablfnne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimmifgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oondnini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccdkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgnjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjcajjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkofga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkkqmiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cajjjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leenhhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimmggfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcjfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackbmcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lebijnak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdinljnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgphpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlklj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofecami.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfipef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjkcadp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giecfejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meamcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihipdhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjddh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndgfpbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglkoeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaebef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcdeeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affikdfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe -
Modifies registry class 64 IoCs
Processes:
Lnnbqnjn.exeQhmqdemc.exeGicgpelg.exePjoppf32.exeCkpamabg.exeNjmhhefi.exeEokqkh32.exeLkofdbkj.exeMiofjepg.exeCnahdi32.exeJoekag32.exeCmgqpkip.exeOhiemobf.exeCoknoaic.exeEehicoel.exeGojiiafp.exeQjiipk32.exeMpapnfhg.exePiphgq32.exeCfpffeaj.exeIpkdek32.exeCkmehb32.exeJdmgfedl.exeNafjjf32.exeNdflak32.exeGlipgf32.exeIiopca32.exeAodogdmn.exeGfheof32.exePldcjeia.exeDdnfmqng.exeIbcaknbi.exeObnehj32.exeMajjng32.exeNajceeoo.exePedlgbkh.exeAchegd32.exeNaaqofgj.exeQljcoj32.exeLldopb32.exeMlpokp32.exeMblcnj32.exeOiknlagg.exeMjpbam32.exePnplfj32.exeKjmmepfj.exeHbihjifh.exeLoacdc32.exeCcpdoqgd.exeEpndknin.exeIpflihfq.exeBfolacnc.exePhedhmhi.exeCjecpkcg.exeAlelqb32.exeBdojjo32.exeNoblkqca.exeLegjmh32.exeModgdicm.exeMomcpa32.exeNeoieenp.exeQaflgago.exeDcigeooj.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaeaha32.dll" Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahceqce.dll" Gicgpelg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckpamabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnhm32.dll" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicdfa32.dll" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headjohq.dll" Miofjepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnahdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll" Cmgqpkip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecampmk.dll" Coknoaic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpkihi.dll" Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khfclo32.dll" Cfpffeaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipkdek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaqdae32.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnfdoa.dll" Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiqkhgo.dll" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibcaknbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obnehj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfqg32.dll" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhebpni.dll" Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmfkjol.dll" Achegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Naaqofgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lldopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlpokp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mblcnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjpbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnplfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejbl32.dll" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll" Loacdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epndknin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll" Bfolacnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjecpkcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll" Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqobhgmh.dll" Momcpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neoieenp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcigeooj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exeHnhghcki.exeIafonaao.exeIahlcaol.exeIdghpmnp.exeIjcahd32.exeInainbcn.exeIdkbkl32.exeJdnoplhh.exeJgogbgei.exeJnhpoamf.exeJqglkmlj.exeJhpqaiji.exeJjamia32.exeJibmgi32.exeJgenbfoa.exeJkaicd32.exeJjdjoane.exeJnpfop32.exeKqnbkl32.exeKdinljnk.exeKghjhemo.exedescription pid process target process PID 4428 wrote to memory of 4384 4428 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe Hnhghcki.exe PID 4428 wrote to memory of 4384 4428 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe Hnhghcki.exe PID 4428 wrote to memory of 4384 4428 97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe Hnhghcki.exe PID 4384 wrote to memory of 1476 4384 Hnhghcki.exe Iafonaao.exe PID 4384 wrote to memory of 1476 4384 Hnhghcki.exe Iafonaao.exe PID 4384 wrote to memory of 1476 4384 Hnhghcki.exe Iafonaao.exe PID 1476 wrote to memory of 4588 1476 Iafonaao.exe Iahlcaol.exe PID 1476 wrote to memory of 4588 1476 Iafonaao.exe Iahlcaol.exe PID 1476 wrote to memory of 4588 1476 Iafonaao.exe Iahlcaol.exe PID 4588 wrote to memory of 1988 4588 Iahlcaol.exe Idghpmnp.exe PID 4588 wrote to memory of 1988 4588 Iahlcaol.exe Idghpmnp.exe PID 4588 wrote to memory of 1988 4588 Iahlcaol.exe Idghpmnp.exe PID 1988 wrote to memory of 1152 1988 Idghpmnp.exe Ijcahd32.exe PID 1988 wrote to memory of 1152 1988 Idghpmnp.exe Ijcahd32.exe PID 1988 wrote to memory of 1152 1988 Idghpmnp.exe Ijcahd32.exe PID 1152 wrote to memory of 1632 1152 Ijcahd32.exe Inainbcn.exe PID 1152 wrote to memory of 1632 1152 Ijcahd32.exe Inainbcn.exe PID 1152 wrote to memory of 1632 1152 Ijcahd32.exe Inainbcn.exe PID 1632 wrote to memory of 4072 1632 Inainbcn.exe Idkbkl32.exe PID 1632 wrote to memory of 4072 1632 Inainbcn.exe Idkbkl32.exe PID 1632 wrote to memory of 4072 1632 Inainbcn.exe Idkbkl32.exe PID 4072 wrote to memory of 4932 4072 Idkbkl32.exe Jdnoplhh.exe PID 4072 wrote to memory of 4932 4072 Idkbkl32.exe Jdnoplhh.exe PID 4072 wrote to memory of 4932 4072 Idkbkl32.exe Jdnoplhh.exe PID 4932 wrote to memory of 4832 4932 Jdnoplhh.exe Jgogbgei.exe PID 4932 wrote to memory of 4832 4932 Jdnoplhh.exe Jgogbgei.exe PID 4932 wrote to memory of 4832 4932 Jdnoplhh.exe Jgogbgei.exe PID 4832 wrote to memory of 4800 4832 Jgogbgei.exe Jnhpoamf.exe PID 4832 wrote to memory of 4800 4832 Jgogbgei.exe Jnhpoamf.exe PID 4832 wrote to memory of 4800 4832 Jgogbgei.exe Jnhpoamf.exe PID 4800 wrote to memory of 3320 4800 Jnhpoamf.exe Jqglkmlj.exe PID 4800 wrote to memory of 3320 4800 Jnhpoamf.exe Jqglkmlj.exe PID 4800 wrote to memory of 3320 4800 Jnhpoamf.exe Jqglkmlj.exe PID 3320 wrote to memory of 760 3320 Jqglkmlj.exe Jhpqaiji.exe PID 3320 wrote to memory of 760 3320 Jqglkmlj.exe Jhpqaiji.exe PID 3320 wrote to memory of 760 3320 Jqglkmlj.exe Jhpqaiji.exe PID 760 wrote to memory of 1388 760 Jhpqaiji.exe Jjamia32.exe PID 760 wrote to memory of 1388 760 Jhpqaiji.exe Jjamia32.exe PID 760 wrote to memory of 1388 760 Jhpqaiji.exe Jjamia32.exe PID 1388 wrote to memory of 1280 1388 Jjamia32.exe Jibmgi32.exe PID 1388 wrote to memory of 1280 1388 Jjamia32.exe Jibmgi32.exe PID 1388 wrote to memory of 1280 1388 Jjamia32.exe Jibmgi32.exe PID 1280 wrote to memory of 3640 1280 Jibmgi32.exe Jgenbfoa.exe PID 1280 wrote to memory of 3640 1280 Jibmgi32.exe Jgenbfoa.exe PID 1280 wrote to memory of 3640 1280 Jibmgi32.exe Jgenbfoa.exe PID 3640 wrote to memory of 3144 3640 Jgenbfoa.exe Jkaicd32.exe PID 3640 wrote to memory of 3144 3640 Jgenbfoa.exe Jkaicd32.exe PID 3640 wrote to memory of 3144 3640 Jgenbfoa.exe Jkaicd32.exe PID 3144 wrote to memory of 2264 3144 Jkaicd32.exe Jjdjoane.exe PID 3144 wrote to memory of 2264 3144 Jkaicd32.exe Jjdjoane.exe PID 3144 wrote to memory of 2264 3144 Jkaicd32.exe Jjdjoane.exe PID 2264 wrote to memory of 2152 2264 Jjdjoane.exe Jnpfop32.exe PID 2264 wrote to memory of 2152 2264 Jjdjoane.exe Jnpfop32.exe PID 2264 wrote to memory of 2152 2264 Jjdjoane.exe Jnpfop32.exe PID 2152 wrote to memory of 3476 2152 Jnpfop32.exe Kqnbkl32.exe PID 2152 wrote to memory of 3476 2152 Jnpfop32.exe Kqnbkl32.exe PID 2152 wrote to memory of 3476 2152 Jnpfop32.exe Kqnbkl32.exe PID 3476 wrote to memory of 2736 3476 Kqnbkl32.exe Kdinljnk.exe PID 3476 wrote to memory of 2736 3476 Kqnbkl32.exe Kdinljnk.exe PID 3476 wrote to memory of 2736 3476 Kqnbkl32.exe Kdinljnk.exe PID 2736 wrote to memory of 1012 2736 Kdinljnk.exe Kghjhemo.exe PID 2736 wrote to memory of 1012 2736 Kdinljnk.exe Kghjhemo.exe PID 2736 wrote to memory of 1012 2736 Kdinljnk.exe Kghjhemo.exe PID 1012 wrote to memory of 3432 1012 Kghjhemo.exe Kkcfid32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe"C:\Users\Admin\AppData\Local\Temp\97be0b1cf52ef29c1eceb4c129b81a9fbb2f6db8b3863de92d2235d65eaa7835.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe23⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe25⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe26⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe27⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe28⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe29⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe30⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe31⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe32⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe33⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe34⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe35⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe37⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe39⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe41⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe43⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe45⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe46⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe47⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe48⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe49⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe51⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4664 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe54⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3136 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe56⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe57⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe58⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe60⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:5140 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe63⤵
- Executes dropped EXE
PID:5172 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe64⤵
- Executes dropped EXE
PID:5216 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe65⤵
- Executes dropped EXE
PID:5252 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe66⤵PID:5292
-
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe67⤵
- Drops file in System32 directory
PID:5336 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe68⤵PID:5372
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe69⤵PID:5416
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe70⤵PID:5452
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe71⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe72⤵
- System Location Discovery: System Language Discovery
PID:5532 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe74⤵PID:5612
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe75⤵PID:5652
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe76⤵
- System Location Discovery: System Language Discovery
PID:5692 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe77⤵PID:5736
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe78⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe79⤵PID:5820
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe80⤵PID:5852
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe81⤵PID:5896
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe82⤵
- Modifies registry class
PID:5940 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe83⤵PID:5972
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe85⤵PID:6060
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe88⤵PID:4876
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe89⤵
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe90⤵PID:3036
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe91⤵PID:1300
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe92⤵PID:3620
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe93⤵PID:32
-
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe94⤵PID:3236
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe95⤵PID:1664
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe96⤵
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe99⤵PID:5280
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe100⤵PID:5360
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe101⤵PID:5448
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe103⤵
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe104⤵PID:5648
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe105⤵PID:5728
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe106⤵PID:5800
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe107⤵PID:5848
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe108⤵
- Modifies registry class
PID:6148 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe109⤵PID:6184
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe110⤵PID:6224
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe111⤵PID:6264
-
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe112⤵PID:6304
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:6352 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe114⤵PID:6384
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe115⤵PID:6424
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6464 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe117⤵PID:6504
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe118⤵PID:6544
-
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe119⤵PID:6592
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe120⤵PID:6624
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe121⤵PID:6664
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe122⤵PID:6704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-