Analysis
max time kernel: 84s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe
  Resource: win10v2004-20241007-en
General
Target: 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe
Size: 1024KB
MD5: f33a5095a7683eac9f5bb024471249e0
SHA1: 2a040fb74efae0c6bf591159448a4e987b30206c
SHA256: 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060d
SHA512: bf9c3aae0b78bded8dcffc0a7bf2cf55cc10875bb061155c2fc5a89c1b03d87c996fa8465bbf9f864ba8030d03663ba1f15e4d10b1c236650b05a8476677fc44
SSDEEP: 12288:XybEWxkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:XybgsaDZgQjGkwlks/6HnEO
Malware Config
Extracted
Family: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Process: WerFault.exe (pid 3916), target process: Lepaccmo.exe (pid_target 3780)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjmlhbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Libjncnc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exeDokfme32.exeEheglk32.exeEopphehb.exeEgmabg32.exeEodicd32.exeFckhhgcf.exeFcmdnfad.exeFkkfgi32.exeGgagmjbq.exeGnphdceh.exeGghmmilh.exeHcajhi32.exeHmjoqo32.exeHomdhjai.exeHieiqo32.exedescription pid process target process PID 2664 wrote to memory of 2808 2664 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe Dokfme32.exe PID 2664 wrote to memory of 2808 2664 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe Dokfme32.exe PID 2664 wrote to memory of 2808 2664 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe Dokfme32.exe PID 2664 wrote to memory of 2808 2664 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe Dokfme32.exe PID 2808 wrote to memory of 2840 2808 Dokfme32.exe Eheglk32.exe PID 2808 wrote to memory of 2840 2808 Dokfme32.exe Eheglk32.exe PID 2808 wrote to memory of 2840 2808 Dokfme32.exe Eheglk32.exe PID 2808 wrote to memory of 2840 2808 Dokfme32.exe Eheglk32.exe PID 2840 wrote to memory of 2676 2840 Eheglk32.exe Eopphehb.exe PID 2840 wrote to memory of 2676 2840 Eheglk32.exe Eopphehb.exe PID 2840 wrote to memory of 2676 2840 Eheglk32.exe Eopphehb.exe PID 2840 wrote to memory of 2676 2840 Eheglk32.exe Eopphehb.exe PID 2676 wrote to memory of 2552 2676 Eopphehb.exe Egmabg32.exe PID 2676 wrote to memory of 2552 2676 Eopphehb.exe Egmabg32.exe PID 2676 wrote to memory of 2552 2676 Eopphehb.exe Egmabg32.exe PID 2676 wrote to memory of 2552 2676 Eopphehb.exe Egmabg32.exe PID 2552 wrote to memory of 3024 2552 Egmabg32.exe Eodicd32.exe PID 2552 wrote to memory of 3024 2552 Egmabg32.exe Eodicd32.exe PID 2552 wrote to memory of 3024 2552 Egmabg32.exe Eodicd32.exe PID 2552 wrote to memory of 3024 2552 Egmabg32.exe Eodicd32.exe PID 3024 wrote to memory of 1416 3024 Eodicd32.exe Fckhhgcf.exe PID 3024 wrote to memory of 1416 3024 Eodicd32.exe Fckhhgcf.exe PID 3024 wrote to memory of 1416 3024 Eodicd32.exe Fckhhgcf.exe PID 3024 
wrote to memory of 1416 3024 Eodicd32.exe Fckhhgcf.exe PID 1416 wrote to memory of 2472 1416 Fckhhgcf.exe Fcmdnfad.exe PID 1416 wrote to memory of 2472 1416 Fckhhgcf.exe Fcmdnfad.exe PID 1416 wrote to memory of 2472 1416 Fckhhgcf.exe Fcmdnfad.exe PID 1416 wrote to memory of 2472 1416 Fckhhgcf.exe Fcmdnfad.exe PID 2472 wrote to memory of 2416 2472 Fcmdnfad.exe Fkkfgi32.exe PID 2472 wrote to memory of 2416 2472 Fcmdnfad.exe Fkkfgi32.exe PID 2472 wrote to memory of 2416 2472 Fcmdnfad.exe Fkkfgi32.exe PID 2472 wrote to memory of 2416 2472 Fcmdnfad.exe Fkkfgi32.exe PID 2416 wrote to memory of 1636 2416 Fkkfgi32.exe Ggagmjbq.exe PID 2416 wrote to memory of 1636 2416 Fkkfgi32.exe Ggagmjbq.exe PID 2416 wrote to memory of 1636 2416 Fkkfgi32.exe Ggagmjbq.exe PID 2416 wrote to memory of 1636 2416 Fkkfgi32.exe Ggagmjbq.exe PID 1636 wrote to memory of 2872 1636 Ggagmjbq.exe Gnphdceh.exe PID 1636 wrote to memory of 2872 1636 Ggagmjbq.exe Gnphdceh.exe PID 1636 wrote to memory of 2872 1636 Ggagmjbq.exe Gnphdceh.exe PID 1636 wrote to memory of 2872 1636 Ggagmjbq.exe Gnphdceh.exe PID 2872 wrote to memory of 1108 2872 Gnphdceh.exe Gghmmilh.exe PID 2872 wrote to memory of 1108 2872 Gnphdceh.exe Gghmmilh.exe PID 2872 wrote to memory of 1108 2872 Gnphdceh.exe Gghmmilh.exe PID 2872 wrote to memory of 1108 2872 Gnphdceh.exe Gghmmilh.exe PID 1108 wrote to memory of 2516 1108 Gghmmilh.exe Hcajhi32.exe PID 1108 wrote to memory of 2516 1108 Gghmmilh.exe Hcajhi32.exe PID 1108 wrote to memory of 2516 1108 Gghmmilh.exe Hcajhi32.exe PID 1108 wrote to memory of 2516 1108 Gghmmilh.exe Hcajhi32.exe PID 2516 wrote to memory of 2396 2516 Hcajhi32.exe Hmjoqo32.exe PID 2516 wrote to memory of 2396 2516 Hcajhi32.exe Hmjoqo32.exe PID 2516 wrote to memory of 2396 2516 Hcajhi32.exe Hmjoqo32.exe PID 2516 wrote to memory of 2396 2516 Hcajhi32.exe Hmjoqo32.exe PID 2396 wrote to memory of 1616 2396 Hmjoqo32.exe Homdhjai.exe PID 2396 wrote to memory of 1616 2396 Hmjoqo32.exe Homdhjai.exe PID 2396 wrote to memory 
of 1616 2396 Hmjoqo32.exe Homdhjai.exe PID 2396 wrote to memory of 1616 2396 Hmjoqo32.exe Homdhjai.exe PID 1616 wrote to memory of 956 1616 Homdhjai.exe Hieiqo32.exe PID 1616 wrote to memory of 956 1616 Homdhjai.exe Hieiqo32.exe PID 1616 wrote to memory of 956 1616 Homdhjai.exe Hieiqo32.exe PID 1616 wrote to memory of 956 1616 Homdhjai.exe Hieiqo32.exe PID 956 wrote to memory of 1840 956 Hieiqo32.exe Iaegpaao.exe PID 956 wrote to memory of 1840 956 Hieiqo32.exe Iaegpaao.exe PID 956 wrote to memory of 1840 956 Hieiqo32.exe Iaegpaao.exe PID 956 wrote to memory of 1840 956 Hieiqo32.exe Iaegpaao.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe"C:\Users\Admin\AppData\Local\Temp\1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe34⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe36⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe40⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe41⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe42⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe43⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe50⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe52⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe55⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe57⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe58⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe62⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Ncfalqpm.exeC:\Windows\system32\Ncfalqpm.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe66⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe67⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe68⤵PID:1516
-
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe69⤵PID:2692
-
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe71⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe72⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe73⤵PID:1876
-
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe74⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe77⤵PID:2172
-
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe78⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe81⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe83⤵PID:2020
-
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe84⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe85⤵PID:2756
-
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe86⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe87⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe88⤵PID:2528
-
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe89⤵PID:2988
-
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe90⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe91⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe92⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe94⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe97⤵PID:2056
-
C:\Windows\SysWOW64\Picojhcm.exeC:\Windows\system32\Picojhcm.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe99⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe101⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe102⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe103⤵PID:684
-
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe104⤵PID:2844
-
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe105⤵PID:2940
-
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe106⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Anjnnk32.exeC:\Windows\system32\Anjnnk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe108⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe109⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe111⤵
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Adipfd32.exeC:\Windows\system32\Adipfd32.exe113⤵PID:2560
-
C:\Windows\SysWOW64\Agglbp32.exeC:\Windows\system32\Agglbp32.exe114⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe116⤵PID:2800
-
C:\Windows\SysWOW64\Alddjg32.exeC:\Windows\system32\Alddjg32.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe119⤵PID:2280
-
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe120⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe121⤵PID:560
-
C:\Windows\SysWOW64\Bhmaeg32.exeC:\Windows\system32\Bhmaeg32.exe122⤵
- Modifies registry class
PID:2060
-