Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 00:54
Static task: static1

Behavioral task: behavioral1
  Sample: 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
  Resource: win10v2004-20241007-en
General
Target: 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Size: 98KB
MD5: ef7299fde3e41422c6fe5470efd39a20
SHA1: 29b2719c89fa58cc0c8a17550a3e5224ddec6942
SHA256: 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53
SHA512: 67f81e25432f08543bf656458c23daa3ed6f12f47b3c92f838362a4f033020e3382b180c395e7f7512eaad21448037dd9b967f48cbe7a32058ae3dd71e32a3d2
SSDEEP: 3072:LxZVWGxikyLXa3jyfOeRJESeFKPD375lHzpa1P:1WGVyLK3GGGJESeYr75lHzpaF
Malware Config
Extracted family: berbew
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Bmnnkl32.exe, Jolghndm.exe, Pofkha32.exe, Bceibfgj.exe, Mjaddn32.exe, Nidmfh32.exe, Cbblda32.exe, Cagienkb.exe, Knfndjdp.exe, Lkgngb32.exe, Qgjccb32.exe, Aomnhd32.exe, Cbppnbhm.exe, Olpilg32.exe, Phnpagdp.exe, Kcgphp32.exe, Allefimb.exe, Akcomepg.exe, Lqipkhbj.exe, Mcjhmcok.exe, Pnbojmmp.exe, Kadfkhkf.exe, Odedge32.exe, 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe, Omioekbo.exe, Ckjamgmk.exe, Pdgmlhha.exe, Ljddjj32.exe, Cnkjnb32.exe, Pojecajj.exe, Mjfnomde.exe, Mcqombic.exe, Ngealejo.exe, Lkjjma32.exe, Kdklfe32.exe, Nfahomfd.exe, Nmfbpk32.exe, Qndkpmkm.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmnnkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jolghndm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pofkha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bceibfgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjaddn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nidmfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nidmfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbblda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cagienkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jolghndm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Knfndjdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkgngb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgjccb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aomnhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbppnbhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cagienkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knfndjdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olpilg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phnpagdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kcgphp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkgngb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qgjccb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Allefimb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akcomepg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Akcomepg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqipkhbj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcjhmcok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnbojmmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kadfkhkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odedge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmnnkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omioekbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjaddn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckjamgmk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olpilg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pofkha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Phnpagdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pdgmlhha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Allefimb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcgphp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljddjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ljddjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnkjnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pojecajj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aomnhd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbblda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcjhmcok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjfnomde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odedge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcqombic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngealejo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bceibfgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkjjma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkjjma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lqipkhbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Omioekbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckjamgmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdklfe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfahomfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nfahomfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nmfbpk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdgmlhha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qndkpmkm.exe
Berbew family
Executes dropped EXE (42 IoCs)
Processes: Jolghndm.exe, Kdklfe32.exe, Knfndjdp.exe, Kadfkhkf.exe, Kcgphp32.exe, Ljddjj32.exe, Lkgngb32.exe, Lkjjma32.exe, Lqipkhbj.exe, Mjaddn32.exe, Mcjhmcok.exe, Mjfnomde.exe, Mcqombic.exe, Nfahomfd.exe, Ngealejo.exe, Nidmfh32.exe, Njfjnpgp.exe, Nmfbpk32.exe, Omioekbo.exe, Odedge32.exe, Olpilg32.exe, Ooabmbbe.exe, Pofkha32.exe, Phnpagdp.exe, Pojecajj.exe, Pdgmlhha.exe, Pnbojmmp.exe, Qgjccb32.exe, Qndkpmkm.exe, Accqnc32.exe, Allefimb.exe, Aomnhd32.exe, Akcomepg.exe, Bceibfgj.exe, Bmnnkl32.exe, Bkegah32.exe, Cbppnbhm.exe, Cbblda32.exe, Ckjamgmk.exe, Cagienkb.exe, Cnkjnb32.exe, Dpapaj32.exe

pid | process
2604 | Jolghndm.exe
2104 | Kdklfe32.exe
2964 | Knfndjdp.exe
2872 | Kadfkhkf.exe
2952 | Kcgphp32.exe
2816 | Ljddjj32.exe
2688 | Lkgngb32.exe
2044 | Lkjjma32.exe
2664 | Lqipkhbj.exe
1964 | Mjaddn32.exe
1208 | Mcjhmcok.exe
1996 | Mjfnomde.exe
1764 | Mcqombic.exe
2636 | Nfahomfd.exe
2100 | Ngealejo.exe
560 | Nidmfh32.exe
3032 | Njfjnpgp.exe
1516 | Nmfbpk32.exe
2328 | Omioekbo.exe
2036 | Odedge32.exe
1424 | Olpilg32.exe
1820 | Ooabmbbe.exe
1768 | Pofkha32.exe
2468 | Phnpagdp.exe
896 | Pojecajj.exe
2456 | Pdgmlhha.exe
2584 | Pnbojmmp.exe
1600 | Qgjccb32.exe
2360 | Qndkpmkm.exe
2820 | Accqnc32.exe
2832 | Allefimb.exe
2764 | Aomnhd32.exe
2852 | Akcomepg.exe
2752 | Bceibfgj.exe
2284 | Bmnnkl32.exe
2340 | Bkegah32.exe
1888 | Cbppnbhm.exe
2064 | Cbblda32.exe
1992 | Ckjamgmk.exe
2268 | Cagienkb.exe
1908 | Cnkjnb32.exe
880 | Dpapaj32.exe
Loads dropped DLL (64 IoCs)
Processes: 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe, Jolghndm.exe, Kdklfe32.exe, Knfndjdp.exe, Kadfkhkf.exe, Kcgphp32.exe, Ljddjj32.exe, Lkgngb32.exe, Lkjjma32.exe, Lqipkhbj.exe, Mjaddn32.exe, Mcjhmcok.exe, Mjfnomde.exe, Mcqombic.exe, Nfahomfd.exe, Ngealejo.exe, Nidmfh32.exe, Njfjnpgp.exe, Nmfbpk32.exe, Omioekbo.exe, Odedge32.exe, Olpilg32.exe, Ooabmbbe.exe, Pofkha32.exe, Phnpagdp.exe, Pojecajj.exe, Pdgmlhha.exe, Pnbojmmp.exe, Qgjccb32.exe, Qndkpmkm.exe, Accqnc32.exe, Allefimb.exe

pid | process (each process is listed twice in the report, one row per DLL load)
2188 | 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
2188 | 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
2604 | Jolghndm.exe
2604 | Jolghndm.exe
2104 | Kdklfe32.exe
2104 | Kdklfe32.exe
2964 | Knfndjdp.exe
2964 | Knfndjdp.exe
2872 | Kadfkhkf.exe
2872 | Kadfkhkf.exe
2952 | Kcgphp32.exe
2952 | Kcgphp32.exe
2816 | Ljddjj32.exe
2816 | Ljddjj32.exe
2688 | Lkgngb32.exe
2688 | Lkgngb32.exe
2044 | Lkjjma32.exe
2044 | Lkjjma32.exe
2664 | Lqipkhbj.exe
2664 | Lqipkhbj.exe
1964 | Mjaddn32.exe
1964 | Mjaddn32.exe
1208 | Mcjhmcok.exe
1208 | Mcjhmcok.exe
1996 | Mjfnomde.exe
1996 | Mjfnomde.exe
1764 | Mcqombic.exe
1764 | Mcqombic.exe
2636 | Nfahomfd.exe
2636 | Nfahomfd.exe
2100 | Ngealejo.exe
2100 | Ngealejo.exe
560 | Nidmfh32.exe
560 | Nidmfh32.exe
3032 | Njfjnpgp.exe
3032 | Njfjnpgp.exe
1516 | Nmfbpk32.exe
1516 | Nmfbpk32.exe
2328 | Omioekbo.exe
2328 | Omioekbo.exe
2036 | Odedge32.exe
2036 | Odedge32.exe
1424 | Olpilg32.exe
1424 | Olpilg32.exe
1820 | Ooabmbbe.exe
1820 | Ooabmbbe.exe
1768 | Pofkha32.exe
1768 | Pofkha32.exe
2468 | Phnpagdp.exe
2468 | Phnpagdp.exe
896 | Pojecajj.exe
896 | Pojecajj.exe
2456 | Pdgmlhha.exe
2456 | Pdgmlhha.exe
2584 | Pnbojmmp.exe
2584 | Pnbojmmp.exe
1600 | Qgjccb32.exe
1600 | Qgjccb32.exe
2360 | Qndkpmkm.exe
2360 | Qndkpmkm.exe
2820 | Accqnc32.exe
2820 | Accqnc32.exe
2832 | Allefimb.exe
2832 | Allefimb.exe
Drops file in System32 directory (64 IoCs)
Processes: Mcqombic.exe, Odedge32.exe, Ooabmbbe.exe, Qgjccb32.exe, Lqipkhbj.exe, Qndkpmkm.exe, Bkegah32.exe, Dpapaj32.exe, Kdklfe32.exe, Pdgmlhha.exe, Ckjamgmk.exe, Mcjhmcok.exe, Pofkha32.exe, Cagienkb.exe, Lkjjma32.exe, Cbblda32.exe, Cnkjnb32.exe, Knfndjdp.exe, Nfahomfd.exe, Accqnc32.exe, Cbppnbhm.exe, Kcgphp32.exe, Nmfbpk32.exe, Pnbojmmp.exe, Akcomepg.exe, Lkgngb32.exe, Kadfkhkf.exe, Ngealejo.exe, Ljddjj32.exe, Omioekbo.exe, Pojecajj.exe, Bmnnkl32.exe, Allefimb.exe, Mjaddn32.exe, 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Nfahomfd.exe | Mcqombic.exe
File created | C:\Windows\SysWOW64\Pghaaidm.dll | Odedge32.exe
File created | C:\Windows\SysWOW64\Oqlecd32.dll | Ooabmbbe.exe
File created | C:\Windows\SysWOW64\Qndkpmkm.exe | Qgjccb32.exe
File opened for modification | C:\Windows\SysWOW64\Mjaddn32.exe | Lqipkhbj.exe
File created | C:\Windows\SysWOW64\Accqnc32.exe | Qndkpmkm.exe
File created | C:\Windows\SysWOW64\Hmdeje32.dll | Bkegah32.exe
File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe
File opened for modification | C:\Windows\SysWOW64\Knfndjdp.exe | Kdklfe32.exe
File created | C:\Windows\SysWOW64\Pnbojmmp.exe | Pdgmlhha.exe
File opened for modification | C:\Windows\SysWOW64\Qndkpmkm.exe | Qgjccb32.exe
File created | C:\Windows\SysWOW64\Cagienkb.exe | Ckjamgmk.exe
File opened for modification | C:\Windows\SysWOW64\Cagienkb.exe | Ckjamgmk.exe
File opened for modification | C:\Windows\SysWOW64\Mjfnomde.exe | Mcjhmcok.exe
File created | C:\Windows\SysWOW64\Olpilg32.exe | Odedge32.exe
File created | C:\Windows\SysWOW64\Ecinnn32.dll | Pofkha32.exe
File created | C:\Windows\SysWOW64\Liempneg.dll | Cagienkb.exe
File created | C:\Windows\SysWOW64\Lqipkhbj.exe | Lkjjma32.exe
File created | C:\Windows\SysWOW64\Ckjamgmk.exe | Cbblda32.exe
File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | Cnkjnb32.exe
File opened for modification | C:\Windows\SysWOW64\Kadfkhkf.exe | Knfndjdp.exe
File opened for modification | C:\Windows\SysWOW64\Ngealejo.exe | Nfahomfd.exe
File created | C:\Windows\SysWOW64\Kmhflfhh.dll | Knfndjdp.exe
File created | C:\Windows\SysWOW64\Nfahomfd.exe | Mcqombic.exe
File created | C:\Windows\SysWOW64\Bdoaqh32.dll | Accqnc32.exe
File created | C:\Windows\SysWOW64\Cbblda32.exe | Cbppnbhm.exe
File created | C:\Windows\SysWOW64\Knfndjdp.exe | Kdklfe32.exe
File created | C:\Windows\SysWOW64\Lnjeilhc.dll | Kcgphp32.exe
File opened for modification | C:\Windows\SysWOW64\Omioekbo.exe | Nmfbpk32.exe
File created | C:\Windows\SysWOW64\Qgjccb32.exe | Pnbojmmp.exe
File opened for modification | C:\Windows\SysWOW64\Bceibfgj.exe | Akcomepg.exe
File created | C:\Windows\SysWOW64\Ljlmgnqj.dll | Lkgngb32.exe
File created | C:\Windows\SysWOW64\Kcgphp32.exe | Kadfkhkf.exe
File created | C:\Windows\SysWOW64\Nidmfh32.exe | Ngealejo.exe
File created | C:\Windows\SysWOW64\Pplncj32.dll | Kdklfe32.exe
File created | C:\Windows\SysWOW64\Dofhhgce.dll | Lkjjma32.exe
File created | C:\Windows\SysWOW64\Dpdidmdg.dll | Ngealejo.exe
File created | C:\Windows\SysWOW64\Allefimb.exe | Accqnc32.exe
File opened for modification | C:\Windows\SysWOW64\Lkgngb32.exe | Ljddjj32.exe
File opened for modification | C:\Windows\SysWOW64\Odedge32.exe | Omioekbo.exe
File created | C:\Windows\SysWOW64\Mdhpmg32.dll | Pojecajj.exe
File created | C:\Windows\SysWOW64\Bnjdhe32.dll | Bmnnkl32.exe
File opened for modification | C:\Windows\SysWOW64\Nidmfh32.exe | Ngealejo.exe
File created | C:\Windows\SysWOW64\Kbfcnc32.dll | Pdgmlhha.exe
File opened for modification | C:\Windows\SysWOW64\Accqnc32.exe | Qndkpmkm.exe
File created | C:\Windows\SysWOW64\Pmmgmc32.dll | Allefimb.exe
File created | C:\Windows\SysWOW64\Lkjjma32.exe | Lkgngb32.exe
File created | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe
File created | C:\Windows\SysWOW64\Cnkjnb32.exe | Cagienkb.exe
File created | C:\Windows\SysWOW64\Mjfnomde.exe | Mcjhmcok.exe
File opened for modification | C:\Windows\SysWOW64\Bkegah32.exe | Bmnnkl32.exe
File opened for modification | C:\Windows\SysWOW64\Ljddjj32.exe | Kcgphp32.exe
File created | C:\Windows\SysWOW64\Ljddjj32.exe | Kcgphp32.exe
File created | C:\Windows\SysWOW64\Mjaddn32.exe | Lqipkhbj.exe
File created | C:\Windows\SysWOW64\Mcjhmcok.exe | Mjaddn32.exe
File created | C:\Windows\SysWOW64\Pofkha32.exe | Ooabmbbe.exe
File created | C:\Windows\SysWOW64\Bceibfgj.exe | Akcomepg.exe
File created | C:\Windows\SysWOW64\Fbnbckhg.dll | Cbblda32.exe
File opened for modification | C:\Windows\SysWOW64\Cnkjnb32.exe | Cagienkb.exe
File created | C:\Windows\SysWOW64\Jolghndm.exe | 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
File created | C:\Windows\SysWOW64\Qpceaipi.dll | Ljddjj32.exe
File created | C:\Windows\SysWOW64\Bpdokkbh.dll | Mcjhmcok.exe
File created | C:\Windows\SysWOW64\Omioekbo.exe | Nmfbpk32.exe
File created | C:\Windows\SysWOW64\Bnljlm32.dll | 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Program crash (1 IoC)
Processes: WerFault.exe

pid | pid_target | process | target process
432 | 880 | WerFault.exe | Dpapaj32.exe
System Location Discovery: System Language Discovery (1 TTP, 43 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Knfndjdp.exe, Kcgphp32.exe, Lqipkhbj.exe, Odedge32.exe, Cbblda32.exe, Mjfnomde.exe, Mcqombic.exe, Ooabmbbe.exe, Bkegah32.exe, Ckjamgmk.exe, Nfahomfd.exe, Phnpagdp.exe, Pojecajj.exe, Pnbojmmp.exe, Accqnc32.exe, Cbppnbhm.exe, Cagienkb.exe, Cnkjnb32.exe, Jolghndm.exe, Kdklfe32.exe, Mjaddn32.exe, Njfjnpgp.exe, Omioekbo.exe, Ngealejo.exe, Olpilg32.exe, Pofkha32.exe, Akcomepg.exe, 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe, Lkgngb32.exe, Mcjhmcok.exe, Nmfbpk32.exe, Qndkpmkm.exe, Ljddjj32.exe, Qgjccb32.exe, Aomnhd32.exe, Bmnnkl32.exe, Dpapaj32.exe, Bceibfgj.exe, Kadfkhkf.exe, Lkjjma32.exe, Nidmfh32.exe, Pdgmlhha.exe, Allefimb.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knfndjdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcgphp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqipkhbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odedge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbblda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjfnomde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcqombic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ooabmbbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkegah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckjamgmk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfahomfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phnpagdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pojecajj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnbojmmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Accqnc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbppnbhm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cagienkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnkjnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jolghndm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdklfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjaddn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njfjnpgp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omioekbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngealejo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olpilg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pofkha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akcomepg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkgngb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcjhmcok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmfbpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qndkpmkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljddjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgjccb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aomnhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmnnkl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpapaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bceibfgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kadfkhkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkjjma32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nidmfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdgmlhha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Allefimb.exe
Modifies registry class 64 IoCs
Processes:
Kcgphp32.exeMjfnomde.exePojecajj.exeNjfjnpgp.exePofkha32.exeKdklfe32.exeLjddjj32.exeNgealejo.exeLkgngb32.exeMcjhmcok.exeMcqombic.exeNfahomfd.exeBceibfgj.exeCbblda32.exeAccqnc32.exeCagienkb.exeLqipkhbj.exePdgmlhha.exeOdedge32.exePhnpagdp.exeAllefimb.exeLkjjma32.exeQgjccb32.exeQndkpmkm.exeBkegah32.exeKnfndjdp.exeAkcomepg.exeKadfkhkf.exeNidmfh32.exeOlpilg32.exeCbppnbhm.exeJolghndm.exe33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exeBmnnkl32.exeMjaddn32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll" Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjfnomde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfjnpgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplncj32.dll" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpceaipi.dll" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkgngb32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifhgh32.dll" Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdklfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljddjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll" Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cagienkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglcb32.dll" Lqipkhbj.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll" Pdgmlhha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odedge32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" Phnpagdp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Allefimb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" Cagienkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" Lkjjma32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdokkbh.dll" Mcjhmcok.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcjhmcok.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgjccb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qndkpmkm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkegah32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knfndjdp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfahomfd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdgmlhha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akcomepg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbblda32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kadfkhkf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nidmfh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olpilg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhflfhh.dll" Knfndjdp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbppnbhm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bceibfgj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nidmfh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaaidm.dll" Odedge32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cagienkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoahnho.dll" Jolghndm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kadfkhkf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngealejo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnljlm32.dll" 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" Bkegah32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjfnomde.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdgmlhha.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmnnkl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcqombic.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" Olpilg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pofkha32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bmnnkl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knfndjdp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjaddn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcakjoj.dll" Nfahomfd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjaddn32.exe
-
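The registry events in this report describe one persistence mechanism in two halves: the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and that CLSID's InProcServer32 default value names a dropped DLL under SysWOW64, which is what Explorer loads at logon on the Windows 7 image this run used. Each stage of the chain rewrites the DLL path to its own freshly dropped file, so the registration is rewritten many times. The following Python is an added triage example, not part of the sandbox report and not Berbew's own code; it parses event lines in the report's own layout and joins the two halves so the SSODL name, the CLSID and every DLL path ever written for it appear in one finding. The sample events are copied from this report; the function names and result fields are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: registry events copied from this report's "Adds autorun
# key to be loaded by Explorer.exe on startup" and "Modifies registry class"
# signatures, in the report's own '<action> <key>[ = "<value>"] <process>' layout.
# The report escapes backslashes inside quoted values ("C:\\Windows\\...").
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnnkl32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pofkha32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bceibfgj.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkegah32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll" Pdgmlhha.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odedge32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnljlm32.dll" 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe',
]

# One event line: action, key path (may contain spaces, e.g. "Web Event Logger"),
# an optional quoted value, and the writing process as the final token.
EVENT_RE = re.compile(
    r'^(?P<action>Set value \(str\)|Key created) '
    r'(?P<path>.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>\S+)$'
)
# InProcServer32 under a CLSID: 'name' is '' for the default value,
# 'ThreadingModel' for that value, and absent when only the key was created.
CLSID_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32(?:\\(?P<name>[^\\]*))?$'
)
SSODL = '\\ShellServiceObjectDelayLoad\\'


def parse_event(line):
    """Split one report line into (action, key path, value or None, process)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f'unparsable registry event: {line!r}')
    value = m['value']
    if value is not None:
        value = value.replace('\\\\', '\\')  # undo the report's backslash escaping
    return m['action'], m['path'], value, m['proc']


def ssodl_persistence(lines):
    """Join SSODL entries to the InProcServer32 DLL each CLSID resolves to.

    Returns one finding per CLSID registered under ShellServiceObjectDelayLoad:
    the SSODL value name, every DLL path written as the CLSID's in-process
    server, the threading model, and each process that touched either half.
    """
    ssodl = {}   # clsid -> {'name': SSODL value name, 'writers': set of processes}
    inproc = defaultdict(lambda: {'dlls': set(), 'threading': set(), 'writers': set()})
    for line in lines:
        _action, path, value, proc = parse_event(line)
        if SSODL in path and value is not None:
            name = path.rsplit('\\', 1)[1]          # value name, e.g. "Web Event Logger"
            entry = ssodl.setdefault(value.upper(), {'name': name, 'writers': set()})
            entry['writers'].add(proc)
            continue
        m = CLSID_RE.search(path)
        if not m:
            continue
        rec = inproc[m['clsid'].upper()]
        rec['writers'].add(proc)
        if value is None:
            continue                                 # bare "Key created"
        if m['name'] == '':
            rec['dlls'].add(value)                   # default value = DLL path
        elif m['name'] == 'ThreadingModel':
            rec['threading'].add(value)
    findings = []
    for clsid, entry in ssodl.items():
        rec = inproc.get(clsid, {'dlls': set(), 'threading': set(), 'writers': set()})
        findings.append({
            'ssodl_name': entry['name'],
            'clsid': clsid,
            'dlls': sorted(rec['dlls']),
            'threading': sorted(rec['threading']),
            'writers': sorted(entry['writers'] | rec['writers']),
        })
    return findings


if __name__ == '__main__':
    for f in ssodl_persistence(SAMPLE_EVENTS):
        print(f"SSODL '{f['ssodl_name']}' -> {f['clsid']} -> {', '.join(f['dlls'])}")
```

Feed it the full event list from the report and the finding lists every DLL name the chain rotated through (Kbfcnc32.dll, Kmgbdm32.dll, Liempneg.dll and so on), which is the set of file paths to collect from an infected host; on a live machine the same two keys, SSODL under Wow6432Node and the CLSID's InProcServer32 pointing at an unsigned DLL in SysWOW64 with a random eight-letter name, are the hunt.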
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe, Jolghndm.exe, Kdklfe32.exe, Knfndjdp.exe, Kadfkhkf.exe, Kcgphp32.exe, Ljddjj32.exe, Lkgngb32.exe, Lkjjma32.exe, Lqipkhbj.exe, Mjaddn32.exe, Mcjhmcok.exe, Mjfnomde.exe, Mcqombic.exe, Nfahomfd.exe, Ngealejo.exe
description | pid | process | target process
(each of the 16 hops below was recorded four times, one per WriteProcessMemory call, giving the 64 IoCs)
PID 2188 wrote to memory of 2604 | 2188 | 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe | Jolghndm.exe
PID 2604 wrote to memory of 2104 | 2604 | Jolghndm.exe | Kdklfe32.exe
PID 2104 wrote to memory of 2964 | 2104 | Kdklfe32.exe | Knfndjdp.exe
PID 2964 wrote to memory of 2872 | 2964 | Knfndjdp.exe | Kadfkhkf.exe
PID 2872 wrote to memory of 2952 | 2872 | Kadfkhkf.exe | Kcgphp32.exe
PID 2952 wrote to memory of 2816 | 2952 | Kcgphp32.exe | Ljddjj32.exe
PID 2816 wrote to memory of 2688 | 2816 | Ljddjj32.exe | Lkgngb32.exe
PID 2688 wrote to memory of 2044 | 2688 | Lkgngb32.exe | Lkjjma32.exe
PID 2044 wrote to memory of 2664 | 2044 | Lkjjma32.exe | Lqipkhbj.exe
PID 2664 wrote to memory of 1964 | 2664 | Lqipkhbj.exe | Mjaddn32.exe
PID 1964 wrote to memory of 1208 | 1964 | Mjaddn32.exe | Mcjhmcok.exe
PID 1208 wrote to memory of 1996 | 1208 | Mcjhmcok.exe | Mjfnomde.exe
PID 1996 wrote to memory of 1764 | 1996 | Mjfnomde.exe | Mcqombic.exe
PID 1764 wrote to memory of 2636 | 1764 | Mcqombic.exe | Nfahomfd.exe
PID 2636 wrote to memory of 2100 | 2636 | Nfahomfd.exe | Ngealejo.exe
PID 2100 wrote to memory of 560 | 2100 | Ngealejo.exe | Nidmfh32.exe
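The WriteProcessMemory events above record each stage writing into the memory of the process it launches next, and the sandbox logs every call, so the same parent-child pair shows up repeatedly. Reconstructing the chain from those lines gives the order of the dropped executables without reading the process tree by hand. The following Python is an added example, not the sandbox's own tooling; it parses lines in the report's layout, collapses repeated calls per hop into a count, walks each root down its linear chain, and checks that no image name repeats along the way (each stage here launches a newly dropped binary under a fresh name rather than re-running itself). The sample lines are a subset copied from this report plus one hop from later in the chain with its intermediate links left out, to show how a gap in the evidence is handled.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory"
# events from this report, in its 'PID <src> wrote to memory of <dst> <src>
# <process> <target process>' layout. The sandbox logs every call, so a single
# spawn appears several times (four per hop in this report). The last line is
# a hop copied from later in the chain with its intermediate links left out.
SAMPLE_WRITES = (
    ['PID 2188 wrote to memory of 2604 2188 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe Jolghndm.exe'] * 4
    + ['PID 2604 wrote to memory of 2104 2604 Jolghndm.exe Kdklfe32.exe'] * 4
    + ['PID 2104 wrote to memory of 2964 2104 Kdklfe32.exe Knfndjdp.exe'] * 4
    + ['PID 2964 wrote to memory of 2872 2964 Knfndjdp.exe Kadfkhkf.exe']
    + ['PID 2100 wrote to memory of 560 2100 Ngealejo.exe Nidmfh32.exe']
)

# The writer pid appears twice on each line; the back-reference enforces that.
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\S+)$'
)


def parse_writes(lines):
    """Return (pid -> image name, Counter of (writer pid, target pid) -> calls)."""
    images, edges = {}, Counter()
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if not m:
            raise ValueError(f'unparsable WriteProcessMemory event: {line!r}')
        src, dst = int(m['src']), int(m['dst'])
        images[src] = m['image']
        images[dst] = m['target']
        edges[(src, dst)] += 1
    return images, edges


def hop_counts(lines):
    """Calls per (writer, target) pair; the repeated lines collapse into the count."""
    return dict(parse_writes(lines)[1])


def spawn_chains(lines):
    """Walk every root (a writer that is never a target) down its linear chain.

    Each chain is a list of (pid, image). A gap in the evidence simply yields a
    second chain whose root is the first pid seen after the gap; a pid that
    writes into more than one target ends the walk there, since the chain is
    then no longer linear.
    """
    images, edges = parse_writes(lines)
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted(src for src in children if src not in targets)
    chains = []
    for root in roots:
        chain, pid, seen = [], root, set()
        while pid is not None and pid not in seen:   # 'seen' guards against a cycle
            seen.add(pid)
            chain.append((pid, images[pid]))
            nxt = children.get(pid, [])
            pid = nxt[0] if len(nxt) == 1 else None
        chains.append(chain)
    return chains


def distinct_stage_images(chain):
    """True when no image name repeats along the chain: each stage launched a
    newly dropped binary under a fresh name instead of re-running itself."""
    names = [image for _, image in chain]
    return len(set(names)) == len(names)


if __name__ == '__main__':
    for chain in spawn_chains(SAMPLE_WRITES):
        print(' -> '.join(f'{pid}:{image}' for pid, image in chain))
```

Run over the full 64 events the walk from 2188 reaches Nidmfh32.exe (PID 560) in 16 hops with every hop counted four times; the process tree below continues the same chain past the point where the WriteProcessMemory signature stops recording.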
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
[2] C:\Windows\SysWOW64\Jolghndm.exe  (command line: C:\Windows\system32\Jolghndm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
[3] C:\Windows\SysWOW64\Kdklfe32.exe  (command line: C:\Windows\system32\Kdklfe32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
[4] C:\Windows\SysWOW64\Knfndjdp.exe  (command line: C:\Windows\system32\Knfndjdp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
[5] C:\Windows\SysWOW64\Kadfkhkf.exe  (command line: C:\Windows\system32\Kadfkhkf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
[6] C:\Windows\SysWOW64\Kcgphp32.exe  (command line: C:\Windows\system32\Kcgphp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952 -
[7] C:\Windows\SysWOW64\Ljddjj32.exe  (command line: C:\Windows\system32\Ljddjj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
[8] C:\Windows\SysWOW64\Lkgngb32.exe  (command line: C:\Windows\system32\Lkgngb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
[9] C:\Windows\SysWOW64\Lkjjma32.exe  (command line: C:\Windows\system32\Lkjjma32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
[10] C:\Windows\SysWOW64\Lqipkhbj.exe  (command line: C:\Windows\system32\Lqipkhbj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
[11] C:\Windows\SysWOW64\Mjaddn32.exe  (command line: C:\Windows\system32\Mjaddn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964 -
[12] C:\Windows\SysWOW64\Mcjhmcok.exe  (command line: C:\Windows\system32\Mcjhmcok.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1208 -
[13] C:\Windows\SysWOW64\Mjfnomde.exe  (command line: C:\Windows\system32\Mjfnomde.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
[14] C:\Windows\SysWOW64\Mcqombic.exe  (command line: C:\Windows\system32\Mcqombic.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1764 -
[15] C:\Windows\SysWOW64\Nfahomfd.exe  (command line: C:\Windows\system32\Nfahomfd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
[16] C:\Windows\SysWOW64\Ngealejo.exe  (command line: C:\Windows\system32\Ngealejo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100 -
[17] C:\Windows\SysWOW64\Nidmfh32.exe  (command line: C:\Windows\system32\Nidmfh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:560 -
[18] C:\Windows\SysWOW64\Njfjnpgp.exe  (command line: C:\Windows\system32\Njfjnpgp.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3032 -
[19] C:\Windows\SysWOW64\Nmfbpk32.exe  (command line: C:\Windows\system32\Nmfbpk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1516 -
[20] C:\Windows\SysWOW64\Omioekbo.exe  (command line: C:\Windows\system32\Omioekbo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2328 -
[21] C:\Windows\SysWOW64\Odedge32.exe  (command line: C:\Windows\system32\Odedge32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036 -
[22] C:\Windows\SysWOW64\Olpilg32.exe  (command line: C:\Windows\system32\Olpilg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1424 -
[23] C:\Windows\SysWOW64\Ooabmbbe.exe  (command line: C:\Windows\system32\Ooabmbbe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1820 -
[24] C:\Windows\SysWOW64\Pofkha32.exe  (command line: C:\Windows\system32\Pofkha32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1768 -
[25] C:\Windows\SysWOW64\Phnpagdp.exe  (command line: C:\Windows\system32\Phnpagdp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468 -
[26] C:\Windows\SysWOW64\Pojecajj.exe  (command line: C:\Windows\system32\Pojecajj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:896 -
[27] C:\Windows\SysWOW64\Pdgmlhha.exe  (command line: C:\Windows\system32\Pdgmlhha.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2456 -
[28] C:\Windows\SysWOW64\Pnbojmmp.exe  (command line: C:\Windows\system32\Pnbojmmp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2584 -
[29] C:\Windows\SysWOW64\Qgjccb32.exe  (command line: C:\Windows\system32\Qgjccb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
[30] C:\Windows\SysWOW64\Qndkpmkm.exe  (command line: C:\Windows\system32\Qndkpmkm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2360 -
[31] C:\Windows\SysWOW64\Accqnc32.exe  (command line: C:\Windows\system32\Accqnc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2820 -
[32] C:\Windows\SysWOW64\Allefimb.exe  (command line: C:\Windows\system32\Allefimb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2832 -
[33] C:\Windows\SysWOW64\Aomnhd32.exe  (command line: C:\Windows\system32\Aomnhd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
[34] C:\Windows\SysWOW64\Akcomepg.exe  (command line: C:\Windows\system32\Akcomepg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2852 -
[35] C:\Windows\SysWOW64\Bceibfgj.exe  (command line: C:\Windows\system32\Bceibfgj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2752 -
[36] C:\Windows\SysWOW64\Bmnnkl32.exe  (command line: C:\Windows\system32\Bmnnkl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
[37] C:\Windows\SysWOW64\Bkegah32.exe  (command line: C:\Windows\system32\Bkegah32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340 -
[38] C:\Windows\SysWOW64\Cbppnbhm.exe  (command line: C:\Windows\system32\Cbppnbhm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1888 -
[39] C:\Windows\SysWOW64\Cbblda32.exe  (command line: C:\Windows\system32\Cbblda32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2064 -
[40] C:\Windows\SysWOW64\Ckjamgmk.exe  (command line: C:\Windows\system32\Ckjamgmk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1992 -
[41] C:\Windows\SysWOW64\Cagienkb.exe  (command line: C:\Windows\system32\Cagienkb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2268 -
[42] C:\Windows\SysWOW64\Cnkjnb32.exe  (command line: C:\Windows\system32\Cnkjnb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1908 -
[43] C:\Windows\SysWOW64\Dpapaj32.exe  (command line: C:\Windows\system32\Dpapaj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:880 -
[44] C:\Windows\SysWOW64\WerFault.exe  (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 144)
- Program crash
PID:432
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
98KB
MD5 9036e0c2dd67abf74709275d32e5f680
SHA1 ebb931db726236af8e6c21feaba6159b756014aa
SHA256 adaa5ded758d77faa8bf5b8fb01bc0a99ee585e358a78404c40c72380c41007e
SHA512 0e9873be781721f61d084270b2a943a207de6d178058cab36f0eb341837ca893354a8b6d1e53356f8967f6d1ca8866aab9b79a57a6d3302805168612f8109aed
-
Filesize
98KB
MD5 e72217fda49710cb385707bb74422fea
SHA1 b82e6fe0bec8951a2351a0dc932133e176c73c72
SHA256 552557cf293afe1fbccc76c35cbcd1653b7557d237f7814cc1fe3312e1eb09b9
SHA512 d4b8e1985f43565744db3b6665a72c0f9bee16841b3403e0538f011af7a7162ae4a43e6bcbe709898c708dfde4e04dd676414693e6d7cc4ca3bfd2c4ba56db89
-
Filesize
98KB
MD5 90d83acdb7358480ea2cecbaa789cea7
SHA1 76a4f5c29f77737c74f22648b2f812ef7b9e7575
SHA256 0049ede6dd3baeb7e33a57aa2bede39692d6b8bab222810a878c2ea894c28fbf
SHA512 08080f40e025867d87798b9de89ed93cf0032868f5a3b3add2923fdb615a6df37dc91c292c9553e12dd36d3ffa0480928286a2c6889bd4c142d25fe52743fcf4
-
Filesize
98KB
MD5 5fda260f949690afc378918c300d2104
SHA1 160ee19049a1491f652f20fef0b9328c5ec15bf8
SHA256 3fbe602d1502b6617dd0d84420fe1ae6a10a720b0ed217b9537a7afc9d81e4bc
SHA512 1bdee4e739f3890052ce270140aa71dc37e224cafa1b52a0a7c13042517cec349946c6ca95e925efb2a86c78e28a07b010ba3c8d317288e0fc52c088f97b5eb8
-
Filesize
98KB
MD5 9c7189a93d52ea49f1ae06e1c58876ab
SHA1 3c560d77f1c32b40ec02cc87453a86819d18be3f
SHA256 c6f817647b2753d15d94d9efe597ffec418d71885e6fccac676d50bda29fd96a
SHA512 de6979e8a9653d72ee0df86aca8953e7ba5b215cd80296656f3de5a7ce140bd93350c0582d86eca5eb232d5057b44e7e3d59e1582c69d211d1140b185e3cd412
-
Filesize
98KB
MD5 4d5bc1d7bd11a6680ba44a890fb39ea0
SHA1 a8253e02ad0efd34ef31adc641408c4f20ce053d
SHA256 94ebd36184aaed803008bdf7c93a1fd8d04089f14a0eee9bbcfe497afc13b585
SHA512 077cdccbbaa3e1810a038f361650e15dde3f24c5cffabab5ec4c621cc368325d5248df9d0839c44ad9c3ad360854907d52c6e7df54121fb7e70c9e506f7f4a1e
-
Filesize
98KB
MD5 dc359bedce06699bc584f9e25fe3a70b
SHA1 0ee54ceb0d3586a4e9375deec8a64fa80ddcf558
SHA256 3adee34d9ec947b50c7b14cd417842f64668e49ff4eafe71b277604220ced0c3
SHA512 e6a383e4ebbdfac822346979d3dd30db2fefbc58b8646e55029b8227461492d6ee02288b15217dc00dd0e79c97aab055f9d905cf36e2339b264396a1bb99da43
-
Filesize
98KB
MD5 c3f03ae26f16531d7d96d955cce3a922
SHA1 955620d5689ba3ef4b1fcfa27b0263574131b990
SHA256 d3b9b022a1c7a8eab31eabad4698178f8466be026d9e255840c244a977c118d5
SHA512 ce97fad739b61d8baedf6d23469cefac02bbf4a48f8374818dd637d95465cf63db58587276552846af63e61e5d28a3a850ab8e44ee8a2e4d5841bc5c37276b7f
-
Filesize
98KB
MD5 d4e5d53c7c7bbde9f6f0b05e92225b33
SHA1 fc97cc1da4145efcb732f0c17c6517d6111b0008
SHA256 5c46d3a5a34db1a34e792bc57402618532afeef26c2a59be986d97eebb71bb30
SHA512 6020f03ec16d30a6a42f6b5674a640e4abf864be8c753027ff4a53f8e43ab74f26f92de15393e9bb0bedcc1c55f20ca6b962c8bdfd34252bb998559fde3ba520
-
Filesize
98KB
MD5 94f7965b4d3898e72b2eff517c786e7b
SHA1 9fc2c02633c2df45226aecb1f6b945eceab4c1fb
SHA256 c180d030635005fbfb42cf3389f61db473cfd60725748f56b096c540e2729f12
SHA512 ca3ee348585c3afaae76583f85ffc50b04bbe60adfb52da389c099d82b20e5d3c49c75368632f1b4e84daaf62994c3ef710a85dff42199faef9c6aca6d0d72de
-
Filesize
98KB
MD5 2ed4ed23f8211cabc40823ce9261617c
SHA1 ed8dc30e69caad55db908973480ce8a3e1d65326
SHA256 90da565336df6bdf0f5a32b661f2d510bea1cc1f85a88846ee439f9fd0664f40
SHA512 79f139dc1f489982c8675630bbc60bc063174547080ee4160980b53ec90f74483768886de4d4a5ff3a13619ba03cdbf39eaef1654c61dc2bc820d2869d05c8c7
-
Filesize
98KB
MD5 13ebef63d627edbcd5f0201570634525
SHA1 89b36dcc5b59d9245428c159b4a35c9d3b7b5c4f
SHA256 bdd11a574be9b987d6581e05c3b41462bdc851cfbd4342610cfb667f1c4a4968
SHA512 834990ddcf2cc32beef36bc3c4541ea68b69904c83148e354f2f210012b9aa21f075d8cf5ffd1326bcc8de3f0270cd8cff3eb5225f695b6925a922ea36fa3923
-
Filesize
98KB
MD5 3e2562fc022533bb2bae411ab94e9f39
SHA1 17ffac99953e3fe1cc49214843cd2d6484748702
SHA256 719d54d7995c5aba0b5ea6b0c76a15a290159b040b3c18462dcc8b8d34ce8fda
SHA512 a98317ff5efad68b7147fe31447422dc4e64387eb9182f4d7254f6c02ca0ec4ae98a386b68e35f3fd4469002340f342f4c7871ffc3665d4c413c10015960d591
-
Filesize
7KB
MD5 9309185e63cdac20385c1ff7e3789a02
SHA1 403190eac28f6887ce37a28bc425f473e198e854
SHA256 648ee0eeb11fe10d8ab5f2895cf3fd3b87a5023997c2cbe8bb919e8287eeafba
SHA512 020929eec3c2ac88fe13719c6d068febe50c005e9362bd311001a317155ede3d881cac71ecb076dca8b2c591b59f129e4b323e0ab4ad1fcffb5e1e8cf34762a7
-
Filesize
98KB
MD5 372f37f93fde7dea383c8a611838809f
SHA1 636f3c7a03a6e909c407375f9aeaefa300d4dd15
SHA256 cfe4c63b66b31027f3ba80e979cc85b8b862a84c823b37ca45ec24ab27e2077b
SHA512 99a761dd5c79726e3f95c6b6d6c5d1622aaa8ff725c437327275e45348178686c3d849d935bb2bc38928f81bd6e9f46325c32e2b9cb3fba41d46d0e1a12f9d49
-
Filesize
98KB
MD5 4bc5b4b1e44ca6fe26d8d8b5097fd7b5
SHA1 1f867c7d3125b3fb8525aff08217a8c648639888
SHA256 f86a8d31e3a416b5094dd04bc216c32240478af397bea4e8844ecbfef24b196f
SHA512 eab92cac3a970bfc46bd3b25c5c37e2ca012ee8a68b44b443ac4496cdab76041a30456f35228c4c0585a3d94cbc6ac133398bf4e165d63d402db2eba4d5a0e1b
-
Filesize
98KB
MD5 89f9c1b2efdec6759edf3d9cc0c71093
SHA1 275fba7e03658383cf635521872a413cc9a300b8
SHA256 6aff081ddf8f689590564091d59018807c405a2275f43e5f37ac1f7770ab3e6a
SHA512 3c51f06194cd5c821ff1ab139529e76faa7cec777edddfffb98eefaabe74296ee255b806be5034b934f4b78e56fcb1644e81f7468dd54855fd89235b96741870
-
Filesize
98KB
MD5 4a6cadc25772fed2473c7dc18f04d3c6
SHA1 4e6faabfdcfadb119e66f2cd3876e3689429b809
SHA256 fdd1fe43fcec2cbaf56dc345cd5b3e381b28c9a62554fca4297193e4b7df8ddf
SHA512 3bdaae77645f66d1f2d0824937d906b7e6d92843a4b2b12524fcf9d9e5ef4631c4e85e86371f4798746e2c1da06b5215069f01c39466eb1d7f31d7054d87fc98
-
Filesize
98KB
MD5 1e9b97d8fb3040c7c86689d58542effd
SHA1 086f4cedacf8e0451e0a841a0920a80d3988380a
SHA256 4b0a8826674051cbf001feafe54996adfeae8a274ba62280b9c30fec843ff76d
SHA512 d5810aaeeb8f8b2c535f8a4a229d467d8d7fbeb199bcff1114bce902c6a014fdbdacf0883e8e0e92f2d0c07678a1cb603ee56d2f342b24ea4dc9ebbb17a00f06
-
Filesize
98KB
MD5 2b58ea1d00837ec210beba7aefb790c2
SHA1 8000d5682053d42a4a4965c45a1cf59e5433f13c
SHA256 cbec87fd5b25ef6fbdffd11206e765d71f0f870ce684be532aaa9118abe2b754
SHA512 3d26199e84079030e3f2eb311550cfefd0568db6abeda57eff3bd039cfb75ef5d33317ec941c1b6356f837bb87cf5a50f48ae08b5af9ccf932592d2c536bbf27
-
Filesize
98KB
MD5 8c1d4fbb250ba415b43ebe7ac919b12d
SHA1 b6a7f7453a8b168eca9ef0854efcbbfc13980b5a
SHA256 a284cf424e335fa267f10eb7418e129de4982ad2e9d726841dfe3f6bf5f9b5a9
SHA512 085689dff474a87a06fe02ca86e8cebf48b37048ae5bcbcbe5ed22d08f74683dcf776338811a37817d9b237f6800d71e368244dab96349cec2c8a412180787af
-
Filesize
98KB
MD5 2d6726fd92ffe9e9324ce31936a7e9f3
SHA1 353a5f6729c6fde0dc9ac6fbbdd9a465e8c05684
SHA256 b12740a98b538417f963e461fcec4ff72f54483403a2c9fcf2cef8d9eca6b3ed
SHA512 fe4126263dc37aeb36e4813c4902db8f986489150970d4b2f6fa94a910fd454d5fdb7f534136903e724b5c94996db354cc9ed730dd831d214fc3d2563870f5d4
-
Filesize
98KB
MD5 b07a854fd6c87bfe456c0dbf213f80da
SHA1 1693313c5a086c39656681930b4f869f25ca3127
SHA256 c6a15c23618ea047fedac2be32f5d2a92882642d90b17c4361b05832b317a738
SHA512 fec89148cb88bd597dfc2811ebfd630610af99c40eb37ba7e39fcbb268c7f85dfa4a696ffe4a206404cb74185a2f30f647ff22ea95bd3d19959763d7437b2798
-
Filesize
98KB
MD5 cbcc863cfb978ffdaf3b808b92c7165c
SHA1 2c4375028c2f41e4b12e03519afcb8d1c851e586
SHA256 78c7ad0719ae7d2f578dc73c2de1e2dcc4e948d18e166ff606e827cdbc6b4e01
SHA512 3d8520f472bffe57b66b9243b8ec50084ca52c52fc974a26ee8be70f7616d0445d7d54e14fe22540548c0f9a29d664bb54a5e64fe3e8673b658fad284917cd8b
-
Filesize
98KB
MD5 4f141bad71fddb1f994b13ab4950675f
SHA1 db3b9b2f16c4abe65cb5e223dfdac0901118f0cf
SHA256 80bbcf6913f32ac3faa20c7f6216f139835f06d3daaaac7745e59de8cdcdddb5
SHA512 e2a88f1d393335114bc959b1b834ab7056653f979511268459a13b2fb224f75f360e2da3a1ab8964b78a4060f1dd5b3ca468913ba3d64ce387f91b638ff6ef28
-
Filesize
98KB
MD5 2dc21bfc29c2ae63b21d9b6dc5f01732
SHA1 a15198776e8c827d30a591ea3c8824fa2f87e453
SHA256 0ed58aa7e371344e2448563daa27f74b849f2650473ead37094b08cecb31db79
SHA512 f07ea660f95d70149998da8eeceda4458b893f8c0751a8dea91d641e4912ecb037ccf9cc37f99527e32f200e9b1160e085857351f81b09216d5e5464e8ad9101
-
Filesize
98KB
MD5 3c7527047be86eaca895d1bca46ed464
SHA1 940e0089a505bd283c7a1d9f062d65fe5840aef5
SHA256 89f6ea83aa46b0ef26da0d38242cb9cd484eb6cb179ec30fa00bc7b378f79163
SHA512 e7ee9d0188bebb71c8d834eee6fc7e8f66dfdd40541b10963cff1a78169f79552f98d7c31c546d7b7d5e9b3b6a9233f80428c3d3c1f419ac0d89217879a9aae2
-
Filesize
98KB
MD5 6cdb1eb8f14cb24b619c8be033f17f53
SHA1 ca8d3edc2162ec9b75fc8d9e45e0e0c490a20fbe
SHA256 8eabcc5d8fb049fc59d13a32190769b23c080ef59103d38ebbf43c273659cccf
SHA512 7fb722107041b3284460edf639153d735ef3c54e3957983944739c9bfa4475761040f2f9e85b1dd796b0b3435e0cac5270612b7ddae21227d764000e3d7ed8a7
-
Filesize
98KB
MD5 efc1eb5445181e34c5b3cfbe90067627
SHA1 0087ffc3a1f3f304f8e8d3868240fd77b2db7077
SHA256 b36343bb5ae3e703c2fb4ffcf9aa227a8436e110b8ec9a7b2f03424b7d2b1f2e
SHA512 1594c6b691b2ed14aa2356f04e74d05569942df721e4520befc2d931518be5db56edceadc10ff6b759c20be33fd9c0b7deede9e6ac84478e54cdaaf97c784c9b
-
Filesize
98KB
MD5 441d035f045b514ec5129276adca4051
SHA1 530966cf67ecac5be4e166e38a92e1638cccc7e2
SHA256 b8259d57333848df4abe5970837e3111c5535edf1dcab12e1c60fd1ec798bd4c
SHA512 aa9db2f8dc8972b25ed9cd48e71bf40e1fd178e1738d5157290082ea65caf63522d1cdd3254d212b38891358927cf40a482359f64c61eec3766b574fe0b443a2
-
Filesize
98KB
MD5 fb468c495a5814aa5877e0618541b474
SHA1 5875ad255fa4d63e64577d7d8176671deb3cdc2f
SHA256 fff2abf7336fee4509b8a61b9388a2570fcb271b7a283cbd6a68eeb42b5e1577
SHA512 54144ffb877895b50043b121a0d8db53f8e01a71aeaf1c9484a7ef4705aa38f3e9932c653f7d6fc9c6cfb7f4358df8d03ed232792eef3644884f13ac38edcb22
-
Filesize
98KB
MD5 7b4d259a41c284cdccd70fe2e321eeba
SHA1 d1dff587e886f6450a3fa1cad70ad3ee8b6b137b
SHA256 390a77828ca5fc209f841b13e58c5ec4fa3942f2d201d7226635a85798ff2322
SHA512 0451e8c5510e1ad20e319f5c503f3d22eadf7d5ce6ba4df464536d6f6ae23da968e84547214c6a46ae6d539e03b58b8088bc736ecb25ccf7dd21f1e4a0f7a41e
-
Filesize
98KB
MD5 878eb1215226b682b15b223cc78abb3a
SHA1 0b7d3ce4d01588b13ee8ce158bbc27259c0e6cdb
SHA256 6d5945d949f623629aa6e2bfce816a7fda370fa525fe8c92ef7988d1c1c14583
SHA512 c327fbf6444d936c3059b93aaa6fa7b7767529a70c5613a1ddf5125d57649901f628efd48eecad0b60516fb135d951f5bc1c7656a67e37dca955ea55e5aba7e0
-
Filesize
98KB
MD5 0507ae8274e86bc03bf9653ff72cd2be
SHA1 6d954c5513643792e53ed20745ad856b269c7f31
SHA256 d80ca71d15808187197ba4e694920e495b42434d636c8693b7bd9a2cff0fc163
SHA512 3bbf29738a30de5066e72658f6a066652206218ef2bb2f6947009f39e8e63f0b91e7b23075cadd392ccb7414be3bd8a35a20df9171d32d294fb5aaf6efb2229e
-
Filesize
98KB
MD5 e7f6f3c2c747a778a5df9c5555cfb3b3
SHA1 732e51909d9ecdc2d2f717b389dad36dbb28cd3f
SHA256 589d7190b2799885deb5d0de1e2aca088596df5b07472d327a766feca24f9eba
SHA512 9fb82dc382c63e3fda46206e93b58d2b4ee218c73708601bd2a2abac1d137381734ad1e826661ea86c2e130f7cb0bcb3ea082e01e37101864b42ad7d79715ba3
-
Filesize
98KB
MD5 b1df84a34d07154021727078fb1de66d
SHA1 8731a55677c69f94326a28b00cd26f30ad0cdbca
SHA256 47bcf8758d12ca85410aa04f895560f162c36e7d9c614b675533d0bcb78d1ab5
SHA512 d2aa1597d3e1b99d475e411bec8a0d7764ba88358a667ceb55ecf69a5b5a239dc054a9c91716c469286e0d602053c8a5aa4c59c2fe5e022af3b4ea31ef6eadbc
-
Filesize
98KB
MD5 9a0f2010eaa18c6db8899cfe89127080
SHA1 e3753987b97f1e9c142cdaa1c3fa3a32f7babbfb
SHA256 d1e7be9ea6108826d057e45adb5417b9f13526713c06406838a5b161b85a5546
SHA512 004c02fb9003fed6dae219944a57c9a12276fdad18252f9bfeb643231f7f6a3bddea3363245d3f5664fc31cd149c79c3afa2e039ebdda88f8b50b37c914ee899
-
Filesize
98KB
MD5 e94e26c30f4567984ef05860592d3c4d
SHA1 4c0bf97717689746993cb76813b66ae935d0c120
SHA256 fa0ecdb8e1fa7a9469eaa0e523d2f70a5defb1fb86bb0eeafb192019ffe9c320
SHA512 2cdf5601c9f307d9cf62c6adae3bfe4409feeb43c94da70b4b144da5aede6371085bf626916ac5c9258a22430eafb1b437d7472eca124783ee4f8081ffd13118
-
Filesize
98KB
MD5 be9c10318df5495af857552057467b10
SHA1 687944ce144c7c56c3795d593c43e9ef6f17b050
SHA256 e9091866e6741a615c9460fbbdefb265c66ba58d3e936c1e0e27cc09fb8c75b5
SHA512 f01c6cb16d0805bc7d9e79a97696d37ba5f5cd9d4d6f9165860771b763d46991434bfe949be01c25044350f59ffd6b91ee6cfeef037ccc0f94ce69fbc78255ed
-
Filesize
98KB
MD5 f9ba6e1d067e04edd7a75a2a8060a85d
SHA1 34447379966f5bfeb4bf58a82a37c7b6f7f0a446
SHA256 13d7b292d7af023ea197e0fa86ad46153436eb08c86e2141d848009cd80d676d
SHA512 02542d17add0e05477d0c8817ce0f0f49dc905d7f0a3c018114bdc4008f5f4cafe95f1f2a0706339a58257fe17aac9acbf851e3c431084045ae3550d1e20921d
-
Filesize
98KB
MD5 09c3f5215520b94ccbde219bb8e7c914
SHA1 43429429577d2ceebe30af03e8d0b1301aa3d24e
SHA256 7ab50511cf22fd0cb78a85bf62bcfe8955031b79571e986491f91b8da0beb2ec
SHA512 3d816ed7ad71ed2e7a905d0eedb999ec8c4ae3bf2ba214df6daa4963300e5fe6e3ce70fadd829c25febdc0e503f5b5469b0d40c7f0126e29b0e3c0037e08968d
-
Filesize
98KB
MD52a579630b7fb84fb27f1fd0f182782a4
SHA1bcf52291f5acf617a39f4bc6c2572f6d421bdf6d
SHA256bfde7696ed328a560251ebb6aa2cb1ed62957e2434330d52c57714c8c2d013f2
SHA512c2abe1a9381debc059512159e936f44a89335d8fc6e62833544dcf64449704feb805815140d0cdcf43624b80c9ef9258ebbce736529443341a4b775afa91138b
-
Filesize
98KB
MD5 a167487901a575fc14f2a2bb9d3da688
SHA1 0adc17a00b176d994f3cc53471a5bae9ab92104f
SHA256 2f7ef5900df09e5105e7b5a17afb923b7fddaab4e7278e3da86e588d18a45e52
SHA512 2a5a121ea2f0fe3379da6e4b62aa94f4eb1fd85c5b971d1ef6ee76c1926fd7b9a065ef61671e25fe3564ffe4f00035e238283ea364a77eb00dbf7214adb1bb7a