Analysis

max time kernel: 66s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:48

Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe
  Resource: win10v2004-20241007-en

General

Target: 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe
Size: 128KB
MD5: aa7a954bba55d7cf624e7cc3efbfd140
SHA1: 025ebcbfcbbe1af511c36e6a80869dc5d97d2b3b
SHA256: 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457
SHA512: 85658ce8f4dffa9a57fee294fab9f0a834b716939e1740b69fffe2109025b6351b393e329b997a9babc86468a9f88eabcdf692f6fbee5072a80538e98ff22a41
SSDEEP: 3072:eWtfv0t3qeTxKheVdTz3QDKXmmW2wS7IrHrYj:jtXu35TxKhSF3Q22mHwMOHm

Malware Config

Extracted
Family: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jnpoie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ladgkmlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhcicf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcacochk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfnhkq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alaccj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flfnhnfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjmnmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llhocfnb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abkkpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dpodgocb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Igngim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pamlel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbiijb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeoeplfn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hclhjpjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibkhak32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkciic32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kenjgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncfmjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Laogfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jcfgoadd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ehfhgogp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Capmemci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idemkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlghpa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnlpeh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgobcd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djafaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojpaeq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Heonpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Heonpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocdnloph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pgaahh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chgimh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fgeabi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnpoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ophoecoa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enmnahnm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbfkeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqdelh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bepjjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fqhclqnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpddgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajjinaco.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfhlbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iklfia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pcmoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qijdqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fejifdab.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bimbql32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhopgkin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bimbql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfhlbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmmbge32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Capmemci.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkcebg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgcdlj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihlpqonl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfbinf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhiphb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eepmlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lfkfkopk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkobgm32.exe
Berbew family

Executes dropped EXE (64 IoCs)

pid | process
2900 | Cfaqfh32.exe
2944 | Cjoilfek.exe
2252 | Djafaf32.exe
2680 | Ddkgbc32.exe
2180 | Dhiphb32.exe
1928 | Djmiejji.exe
1180 | Dmmbge32.exe
2112 | Egcfdn32.exe
2980 | Enmnahnm.exe
3040 | Ecjgio32.exe
2292 | Eepmlf32.exe
264 | Fipbhd32.exe
2564 | Fjckelfm.exe
1956 | Fappgflg.exe
1420 | Gjjafkpe.exe
1392 | Ghekhd32.exe
2272 | Ghghnc32.exe
2256 | Gdnibdmf.exe
1540 | Hocmpm32.exe
860 | Hpgfmeag.exe
1204 | Hchoop32.exe
2028 | Hplphd32.exe
2296 | Hclhjpjc.exe
2320 | Ijimli32.exe
2740 | Icabeo32.exe
2808 | Iklfia32.exe
2940 | Ibillk32.exe
2144 | Ibkhak32.exe
2840 | Jmdiahco.exe
1688 | Jndflk32.exe
1416 | Jinfli32.exe
1932 | Jbfkeo32.exe
1448 | Jcfgoadd.exe
2720 | Kkciic32.exe
1672 | Kbmafngi.exe
3008 | Kenjgi32.exe
2756 | Kgocid32.exe
428 | Kaggbihl.exe
1140 | Lidilk32.exe
1948 | Lfkfkopk.exe
1804 | Llhocfnb.exe
1808 | Ladgkmlj.exe
984 | Magdam32.exe
1964 | Mmndfnpl.exe
1376 | Mhcicf32.exe
2580 | Mmpakm32.exe
2572 | Mdjihgef.exe
552 | Mkdbea32.exe
848 | Mdlfngcc.exe
2632 | Miiofn32.exe
1600 | Mcacochk.exe
2796 | Nmggllha.exe
2708 | Neblqoel.exe
1972 | Nphpng32.exe
2500 | Ncfmjc32.exe
3028 | Nkaane32.exe
1412 | Negeln32.exe
2984 | Nnbjpqoa.exe
2760 | Ngjoif32.exe
1020 | Oapcfo32.exe
564 | Ojkhjabc.exe
1812 | Occlcg32.exe
2248 | Onipqp32.exe
812 | Odcimipf.exe
Loads dropped DLL (64 IoCs)

pid | process
1680 | 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe
1680 | 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe
2900 | Cfaqfh32.exe
2900 | Cfaqfh32.exe
2944 | Cjoilfek.exe
2944 | Cjoilfek.exe
2252 | Djafaf32.exe
2252 | Djafaf32.exe
2680 | Ddkgbc32.exe
2680 | Ddkgbc32.exe
2180 | Dhiphb32.exe
2180 | Dhiphb32.exe
1928 | Djmiejji.exe
1928 | Djmiejji.exe
1180 | Dmmbge32.exe
1180 | Dmmbge32.exe
2112 | Egcfdn32.exe
2112 | Egcfdn32.exe
2980 | Enmnahnm.exe
2980 | Enmnahnm.exe
3040 | Ecjgio32.exe
3040 | Ecjgio32.exe
2292 | Eepmlf32.exe
2292 | Eepmlf32.exe
264 | Fipbhd32.exe
264 | Fipbhd32.exe
2564 | Fjckelfm.exe
2564 | Fjckelfm.exe
1956 | Fappgflg.exe
1956 | Fappgflg.exe
1420 | Gjjafkpe.exe
1420 | Gjjafkpe.exe
1392 | Ghekhd32.exe
1392 | Ghekhd32.exe
2272 | Ghghnc32.exe
2272 | Ghghnc32.exe
2256 | Gdnibdmf.exe
2256 | Gdnibdmf.exe
1540 | Hocmpm32.exe
1540 | Hocmpm32.exe
860 | Hpgfmeag.exe
860 | Hpgfmeag.exe
1204 | Hchoop32.exe
1204 | Hchoop32.exe
2028 | Hplphd32.exe
2028 | Hplphd32.exe
2296 | Hclhjpjc.exe
2296 | Hclhjpjc.exe
2320 | Ijimli32.exe
2320 | Ijimli32.exe
2740 | Icabeo32.exe
2740 | Icabeo32.exe
2808 | Iklfia32.exe
2808 | Iklfia32.exe
2940 | Ibillk32.exe
2940 | Ibillk32.exe
2144 | Ibkhak32.exe
2144 | Ibkhak32.exe
2840 | Jmdiahco.exe
2840 | Jmdiahco.exe
1688 | Jndflk32.exe
1688 | Jndflk32.exe
1416 | Jinfli32.exe
1416 | Jinfli32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | process
File created | C:\Windows\SysWOW64\Pgaahh32.exe | Pgodcich.exe
File created | C:\Windows\SysWOW64\Ehfhgogp.exe | Ehclbpic.exe
File opened for modification | C:\Windows\SysWOW64\Jjcieg32.exe | Idbgbahq.exe
File opened for modification | C:\Windows\SysWOW64\Afcghbgp.exe | Amkbpm32.exe
File opened for modification | C:\Windows\SysWOW64\Fpcblkje.exe | Fclbgj32.exe
File opened for modification | C:\Windows\SysWOW64\Jcocgkbp.exe | Jjgonf32.exe
File created | C:\Windows\SysWOW64\Kgocid32.exe | Kenjgi32.exe
File created | C:\Windows\SysWOW64\Dmddik32.dll | Mmpakm32.exe
File created | C:\Windows\SysWOW64\Bfqhifni.dll | Mdjihgef.exe
File opened for modification | C:\Windows\SysWOW64\Ckpoih32.exe | Ckiiiine.exe
File opened for modification | C:\Windows\SysWOW64\Ghddnnfi.exe | Gnlpeh32.exe
File opened for modification | C:\Windows\SysWOW64\Hhdqma32.exe | Hahljg32.exe
File created | C:\Windows\SysWOW64\Jngkdj32.exe | Jhkclc32.exe
File created | C:\Windows\SysWOW64\Pehccb32.dll | Jlghpa32.exe
File created | C:\Windows\SysWOW64\Monmegdp.dll | Magdam32.exe
File opened for modification | C:\Windows\SysWOW64\Ijimli32.exe | Hclhjpjc.exe
File opened for modification | C:\Windows\SysWOW64\Kgocid32.exe | Kenjgi32.exe
File created | C:\Windows\SysWOW64\Nflpan32.dll | Mcacochk.exe
File created | C:\Windows\SysWOW64\Dpodgocb.exe | Ckpoih32.exe
File created | C:\Windows\SysWOW64\Agnjge32.exe | Ajjinaco.exe
File opened for modification | C:\Windows\SysWOW64\Hhopgkin.exe | Hadhjaaa.exe
File created | C:\Windows\SysWOW64\Dfddnb32.dll | Kkckblgq.exe
File created | C:\Windows\SysWOW64\Cpokpklp.dll | Dmmbge32.exe
File created | C:\Windows\SysWOW64\Qmicii32.dll | Lbmpnjai.exe
File created | C:\Windows\SysWOW64\Aimbbpmc.dll | Negeln32.exe
File created | C:\Windows\SysWOW64\Bhjpnj32.exe | Bjfpdf32.exe
File created | C:\Windows\SysWOW64\Pqdelh32.exe | Pglacbbo.exe
File created | C:\Windows\SysWOW64\Palkap32.dll | Ihlpqonl.exe
File created | C:\Windows\SysWOW64\Becbne32.dll | Khcbpa32.exe
File created | C:\Windows\SysWOW64\Fjiegbjj.dll | Kjnanhhc.exe
File created | C:\Windows\SysWOW64\Egqcce32.dll | Lfkfkopk.exe
File opened for modification | C:\Windows\SysWOW64\Ajjinaco.exe | Aemafjeg.exe
File created | C:\Windows\SysWOW64\Mdjihgef.exe | Mmpakm32.exe
File opened for modification | C:\Windows\SysWOW64\Fqhclqnc.exe | Fjnkpf32.exe
File created | C:\Windows\SysWOW64\Hpgfmeag.exe | Hocmpm32.exe
File opened for modification | C:\Windows\SysWOW64\Dchpnd32.exe | Cipleo32.exe
File created | C:\Windows\SysWOW64\Eaqehcbj.dll | Jfbinf32.exe
File created | C:\Windows\SysWOW64\Lbgkic32.dll | Kcamln32.exe
File opened for modification | C:\Windows\SysWOW64\Lbkchj32.exe | Ljpnch32.exe
File opened for modification | C:\Windows\SysWOW64\Oipcnieb.exe | Ophoecoa.exe
File opened for modification | C:\Windows\SysWOW64\Dfbbpd32.exe | Dkmncl32.exe
File opened for modification | C:\Windows\SysWOW64\Alaccj32.exe | Anmbje32.exe
File created | C:\Windows\SysWOW64\Fejifdab.exe | Fcilnl32.exe
File opened for modification | C:\Windows\SysWOW64\Kodghqop.exe | Kbqgolpf.exe
File created | C:\Windows\SysWOW64\Fgeabi32.exe | Fbiijb32.exe
File opened for modification | C:\Windows\SysWOW64\Hplphd32.exe | Hchoop32.exe
File created | C:\Windows\SysWOW64\Ladgkmlj.exe | Llhocfnb.exe
File created | C:\Windows\SysWOW64\Ajipkb32.exe | Qijdqp32.exe
File opened for modification | C:\Windows\SysWOW64\Capmemci.exe | Chgimh32.exe
File created | C:\Windows\SysWOW64\Nalgneml.dll | Cipleo32.exe
File created | C:\Windows\SysWOW64\Hdhnal32.exe | Hibidc32.exe
File created | C:\Windows\SysWOW64\Ibjenkae.dll | Nhfdqb32.exe
File created | C:\Windows\SysWOW64\Ifhfbgmj.dll | Cfaqfh32.exe
File created | C:\Windows\SysWOW64\Bpjnmlel.exe | Bknfeege.exe
File created | C:\Windows\SysWOW64\Nmhmmnpq.dll | Fqhclqnc.exe
File created | C:\Windows\SysWOW64\Mcjlap32.exe | Mhckloge.exe
File opened for modification | C:\Windows\SysWOW64\Pgodcich.exe | Pfnhkq32.exe
File created | C:\Windows\SysWOW64\Kenjgi32.exe | Kbmafngi.exe
File opened for modification | C:\Windows\SysWOW64\Kaggbihl.exe | Kgocid32.exe
File opened for modification | C:\Windows\SysWOW64\Magdam32.exe | Ladgkmlj.exe
File created | C:\Windows\SysWOW64\Hhopgkin.exe | Hadhjaaa.exe
File opened for modification | C:\Windows\SysWOW64\Ieppjclf.exe | Ihlpqonl.exe
File opened for modification | C:\Windows\SysWOW64\Lpapgnpb.exe | Lbmpnjai.exe
File created | C:\Windows\SysWOW64\Ekpbgbme.dll | Kkciic32.exe
Program crash (1 IoCs)

pid | pid_target | process | target process
3152 | 4080 | WerFault.exe | Ockdmn32.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmjekahk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgobcd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdjihgef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnbjpqoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lidilk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcbjni32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kodghqop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfaqfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghghnc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfbbpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhcicf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdlfngcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogekbchg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocdnloph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nphpng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojkhjabc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apfici32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djlbkcfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhfdqb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecjgio32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdnibdmf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfkebkjk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmmbge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oqlfhjch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfadcemm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idgjqook.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Manljd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Miiofn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oknjmb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfgcieii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcamln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djmiejji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgocid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ophoecoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llpaha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjnanhhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddpbfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcocgkbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qanolm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enenef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blgeahoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkobgm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibillk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hahljg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbjjekhl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mejoei32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmndfnpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngjoif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbpfeh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jinfli32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgaahh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elmkmo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpeoakhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogddhmdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egcfdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgodcich.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjgonf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqgjkbop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjnkpf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agnjge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oeoeplfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjalndpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chgimh32.exe
Modifies registry class (64 IoCs)

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mdlfngcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kodghqop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhljo32.dll" | Ejgeogmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afcghbgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefjaj32.dll" | Bbfgiabg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fqilppic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hadhjaaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bkkioeig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbbegl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmmbge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nmggllha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Afbnec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gddobpbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmehidpd.dll" | Pjhpin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fjnkpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Giejkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjqnkk32.dll" | Anmbje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lqgjkbop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bknfeege.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ljpnch32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bhjpnj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pamlel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmddik32.dll" | Mmpakm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oapcfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnipnnpb.dll" | Odcimipf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dcbjni32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fejifdab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjcieg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Npiiafpa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajjinaco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajjinaco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamqddlf.dll" | Ddbolkac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhcadad.dll" | Hhjgll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bjalndpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkiakec.dll" | Ehfhgogp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pdnkanfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpnca32.dll" | Npiiafpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kkckblgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hplphd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dheoedma.dll" | Ibkhak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodciccp.dll" | Ckpoih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hpdbmooo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjeman32.dll" | Jngkdj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fjckelfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Khcbpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll" | Bkkioeig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdlenkfg.dll" | Dchpnd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ibillk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflpan32.dll" | Mcacochk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Neblqoel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Laogfg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ghghnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nhfdqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Glkgcmbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hpjeknfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggocl32.dll" | Iekgod32.exe
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbjjekhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkcebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhckloge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edofbpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edofbpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlnkheo.dll" Iboghh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree of the run. Each entry is a child of the entry above it; the leading number is its depth in the tree. Every dropped executable below is invoked with the command line C:\Windows\system32\<name>.exe and resolves to C:\Windows\SysWOW64\<name>.exe; the signatures matched for each process follow its PID.
1. C:\Users\Admin\AppData\Local\Temp\486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\486f590e1dc40baf9b98a947b002a265df81ec3c2c77a963d24ff6c307d18457N.exe"), PID 1680: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cfaqfh32.exe, PID 2900: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cjoilfek.exe, PID 2944: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Djafaf32.exe, PID 2252: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ddkgbc32.exe, PID 2680: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dhiphb32.exe, PID 2180: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Djmiejji.exe, PID 1928: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dmmbge32.exe, PID 1180: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Egcfdn32.exe, PID 2112: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Enmnahnm.exe, PID 2980: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ecjgio32.exe, PID 3040: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Eepmlf32.exe, PID 2292: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fipbhd32.exe, PID 264: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fjckelfm.exe, PID 2564: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fappgflg.exe, PID 1956: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gjjafkpe.exe, PID 1420: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ghekhd32.exe, PID 1392: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Ghghnc32.exe, PID 2272: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
19. C:\Windows\SysWOW64\Gdnibdmf.exe, PID 2256: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Hocmpm32.exe, PID 1540: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
21. C:\Windows\SysWOW64\Hpgfmeag.exe, PID 860: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Hchoop32.exe, PID 1204: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
23. C:\Windows\SysWOW64\Hplphd32.exe, PID 2028: Executes dropped EXE; Loads dropped DLL; Modifies registry class
24. C:\Windows\SysWOW64\Hclhjpjc.exe, PID 2296: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
25. C:\Windows\SysWOW64\Ijimli32.exe, PID 2320: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Icabeo32.exe, PID 2740: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Iklfia32.exe, PID 2808: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Ibillk32.exe, PID 2940: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
29. C:\Windows\SysWOW64\Ibkhak32.exe, PID 2144: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
30. C:\Windows\SysWOW64\Jmdiahco.exe, PID 2840: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Jndflk32.exe, PID 1688: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Jinfli32.exe, PID 1416: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
33. C:\Windows\SysWOW64\Jbfkeo32.exe, PID 1932: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34. C:\Windows\SysWOW64\Jcfgoadd.exe, PID 1448: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35. C:\Windows\SysWOW64\Kkciic32.exe, PID 2720: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
36. C:\Windows\SysWOW64\Kbmafngi.exe, PID 1672: Executes dropped EXE; Drops file in System32 directory
37. C:\Windows\SysWOW64\Kenjgi32.exe, PID 3008: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
38. C:\Windows\SysWOW64\Kgocid32.exe, PID 2756: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Kaggbihl.exe, PID 428: Executes dropped EXE
40. C:\Windows\SysWOW64\Lidilk32.exe, PID 1140: Executes dropped EXE; System Location Discovery: System Language Discovery
41. C:\Windows\SysWOW64\Lfkfkopk.exe, PID 1948: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
42. C:\Windows\SysWOW64\Llhocfnb.exe, PID 1804: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
43. C:\Windows\SysWOW64\Ladgkmlj.exe, PID 1808: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
44. C:\Windows\SysWOW64\Magdam32.exe, PID 984: Executes dropped EXE; Drops file in System32 directory
45. C:\Windows\SysWOW64\Mmndfnpl.exe, PID 1964: Executes dropped EXE; System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Mhcicf32.exe, PID 1376: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
47. C:\Windows\SysWOW64\Mmpakm32.exe, PID 2580: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
48. C:\Windows\SysWOW64\Mdjihgef.exe, PID 2572: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Mkdbea32.exe, PID 552: Executes dropped EXE
50. C:\Windows\SysWOW64\Mdlfngcc.exe, PID 848: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
51. C:\Windows\SysWOW64\Miiofn32.exe, PID 2632: Executes dropped EXE; System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Mcacochk.exe, PID 1600: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
53. C:\Windows\SysWOW64\Nmggllha.exe, PID 2796: Executes dropped EXE; Modifies registry class
54. C:\Windows\SysWOW64\Neblqoel.exe, PID 2708: Executes dropped EXE; Modifies registry class
55. C:\Windows\SysWOW64\Nphpng32.exe, PID 1972: Executes dropped EXE; System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Ncfmjc32.exe, PID 2500: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
57. C:\Windows\SysWOW64\Nkaane32.exe, PID 3028: Executes dropped EXE
58. C:\Windows\SysWOW64\Negeln32.exe, PID 1412: Executes dropped EXE; Drops file in System32 directory
59. C:\Windows\SysWOW64\Nnbjpqoa.exe, PID 2984: Executes dropped EXE; System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Ngjoif32.exe, PID 2760: Executes dropped EXE; System Location Discovery: System Language Discovery
61. C:\Windows\SysWOW64\Oapcfo32.exe, PID 1020: Executes dropped EXE; Modifies registry class
62. C:\Windows\SysWOW64\Ojkhjabc.exe, PID 564: Executes dropped EXE; System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Occlcg32.exe, PID 1812: Executes dropped EXE
64. C:\Windows\SysWOW64\Onipqp32.exe, PID 2248: Executes dropped EXE
65. C:\Windows\SysWOW64\Odcimipf.exe, PID 812: Executes dropped EXE; Modifies registry class
66. C:\Windows\SysWOW64\Ojpaeq32.exe, PID 1652: Adds autorun key to be loaded by Explorer.exe on startup
67. C:\Windows\SysWOW64\Ochenfdn.exe, PID 2268: no signatures matched
68. C:\Windows\SysWOW64\Oqlfhjch.exe, PID 1432: System Location Discovery: System Language Discovery
69. C:\Windows\SysWOW64\Ockbdebl.exe, PID 2100: no signatures matched
70. C:\Windows\SysWOW64\Pcmoie32.exe, PID 2160: Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Pdnkanfg.exe, PID 1596: Modifies registry class
72. C:\Windows\SysWOW64\Pfnhkq32.exe, PID 3032: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
73. C:\Windows\SysWOW64\Pgodcich.exe, PID 1208: Drops file in System32 directory; System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Pgaahh32.exe, PID 784: Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Peeabm32.exe, PID 2364: no signatures matched
76. C:\Windows\SysWOW64\Pmqffonj.exe, PID 2964: no signatures matched
77. C:\Windows\SysWOW64\Qcjoci32.exe, PID 3024: no signatures matched
78. C:\Windows\SysWOW64\Qanolm32.exe, PID 2480: System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Qijdqp32.exe, PID 948: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
80. C:\Windows\SysWOW64\Ajipkb32.exe, PID 1612: no signatures matched
81. C:\Windows\SysWOW64\Apfici32.exe, PID 904: System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Almihjlj.exe, PID 1348: no signatures matched
83. C:\Windows\SysWOW64\Afbnec32.exe, PID 2348: Modifies registry class
84. C:\Windows\SysWOW64\Anmbje32.exe, PID 1720: Drops file in System32 directory; Modifies registry class
85. C:\Windows\SysWOW64\Alaccj32.exe, PID 2120: Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Abkkpd32.exe, PID 1452: Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Bjfpdf32.exe, PID 2104: Drops file in System32 directory
88. C:\Windows\SysWOW64\Bhjpnj32.exe, PID 2868: Modifies registry class
89. C:\Windows\SysWOW64\Bodhjdcc.exe, PID 2280: no signatures matched
90. C:\Windows\SysWOW64\Bkkioeig.exe, PID 2264: Modifies registry class
91. C:\Windows\SysWOW64\Bmjekahk.exe, PID 392: System Location Discovery: System Language Discovery
92. C:\Windows\SysWOW64\Bknfeege.exe, PID 3000: Drops file in System32 directory; Modifies registry class
93. C:\Windows\SysWOW64\Bpjnmlel.exe, PID 2996: no signatures matched
94. C:\Windows\SysWOW64\Beggec32.exe, PID 588: no signatures matched
95. C:\Windows\SysWOW64\Biccfalm.exe, PID 2056: no signatures matched
96. C:\Windows\SysWOW64\Bopknhjd.exe, PID 2516: no signatures matched
97. C:\Windows\SysWOW64\Celpqbon.exe, PID 776: no signatures matched
98. C:\Windows\SysWOW64\Ckiiiine.exe, PID 1920: Drops file in System32 directory
99. C:\Windows\SysWOW64\Ckpoih32.exe, PID 1296: Drops file in System32 directory; Modifies registry class
100. C:\Windows\SysWOW64\Dpodgocb.exe, PID 2092: Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Dflmpebj.exe, PID 1776: no signatures matched
102. C:\Windows\SysWOW64\Dcbjni32.exe, PID 1592: System Location Discovery: System Language Discovery; Modifies registry class
103. C:\Windows\SysWOW64\Djlbkcfn.exe, PID 2892: System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Dkmncl32.exe, PID 2856: Drops file in System32 directory
105. C:\Windows\SysWOW64\Dfbbpd32.exe, PID 1708: System Location Discovery: System Language Discovery
106. C:\Windows\SysWOW64\Elmkmo32.exe, PID 2288: System Location Discovery: System Language Discovery
107. C:\Windows\SysWOW64\Ehclbpic.exe, PID 700: Drops file in System32 directory
108. C:\Windows\SysWOW64\Ehfhgogp.exe, PID 2488: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
109. C:\Windows\SysWOW64\Ejgeogmn.exe, PID 1292: Modifies registry class
110. C:\Windows\SysWOW64\Edmilpld.exe, PID 2224: no signatures matched
111. C:\Windows\SysWOW64\Enenef32.exe, PID 1116: System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Edofbpja.exe, PID 1752: Modifies registry class
113. C:\Windows\SysWOW64\Ejlnjg32.exe, PID 2932: no signatures matched
114. C:\Windows\SysWOW64\Fjnkpf32.exe, PID 1868: Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
115. C:\Windows\SysWOW64\Fqhclqnc.exe, PID 560: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
116. C:\Windows\SysWOW64\Fbipdi32.exe, PID 1988: no signatures matched
117. C:\Windows\SysWOW64\Fichqckn.exe, PID 2176: no signatures matched
118. C:\Windows\SysWOW64\Fcilnl32.exe, PID 2372: Drops file in System32 directory
119. C:\Windows\SysWOW64\Fejifdab.exe, PID 2492: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
120. C:\Windows\SysWOW64\Fbniohpl.exe, PID 2456: no signatures matched
121. C:\Windows\SysWOW64\Fihalb32.exe, PID 936: no signatures matched
122. C:\Windows\SysWOW64\Flfnhnfm.exe, PID 1740: Adds autorun key to be loaded by Explorer.exe on startup