Analysis
max time kernel: 94s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:54
Static task: static1
Behavioral task: behavioral1
  Sample: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe
  Resource: win10v2004-20241007-en
General
Target: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe
Size: 112KB
MD5: c2ddc875422d1af76b58beffca89c109
SHA1: 6db9d55b71726260f1ff266c02d794025d2979c3
SHA256: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32
SHA512: 3ede5efdc14a22890c33cf84a0201c93e356d37c3d152c064b2234ead9265265db0ef932e08281cb4e861ff05e0254f9867117d0931b1aa67224c4edf44b907e
SSDEEP: 3072:Uwe5BbcAyqTMJZAH73xnGfeCrywCF5FeJLCQnFIBOaCUjKaVLjd:UpO2MJihnbQywe5FeJLbnCBbC+nVLjd
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: WerFault.exe (pid 11292) handled the crash of target process Dkqaoe32.exe (pid 12152)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe")
- Suspicious use of WriteProcessMemory
PID: 2340
Level 2: C:\Windows\SysWOW64\Hjlkge32.exe (command line: C:\Windows\system32\Hjlkge32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4112
Level 3: C:\Windows\SysWOW64\Idbodn32.exe (command line: C:\Windows\system32\Idbodn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4708
Level 4: C:\Windows\SysWOW64\Igqkqiai.exe (command line: C:\Windows\system32\Igqkqiai.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4608
Level 5: C:\Windows\SysWOW64\Ijogmdqm.exe (command line: C:\Windows\system32\Ijogmdqm.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4388
Level 6: C:\Windows\SysWOW64\Igchfiof.exe (command line: C:\Windows\system32\Igchfiof.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1196
Level 7: C:\Windows\SysWOW64\Iahlcaol.exe (command line: C:\Windows\system32\Iahlcaol.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1068
Level 8: C:\Windows\SysWOW64\Ikqqlgem.exe (command line: C:\Windows\system32\Ikqqlgem.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4228
Level 9: C:\Windows\SysWOW64\Inomhbeq.exe (command line: C:\Windows\system32\Inomhbeq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3760
Level 10: C:\Windows\SysWOW64\Iggaah32.exe (command line: C:\Windows\system32\Iggaah32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3664
Level 11: C:\Windows\SysWOW64\Inainbcn.exe (command line: C:\Windows\system32\Inainbcn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1180
Level 12: C:\Windows\SysWOW64\Ihgnkkbd.exe (command line: C:\Windows\system32\Ihgnkkbd.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4544
Level 13: C:\Windows\SysWOW64\Indfca32.exe (command line: C:\Windows\system32\Indfca32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2312
Level 14: C:\Windows\SysWOW64\Iqbbpm32.exe (command line: C:\Windows\system32\Iqbbpm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1052
Level 15: C:\Windows\SysWOW64\Jglklggl.exe (command line: C:\Windows\system32\Jglklggl.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1388
Level 16: C:\Windows\SysWOW64\Jdpkflfe.exe (command line: C:\Windows\system32\Jdpkflfe.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2508
Level 17: C:\Windows\SysWOW64\Jnhpoamf.exe (command line: C:\Windows\system32\Jnhpoamf.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2440
Level 18: C:\Windows\SysWOW64\Jdbhkk32.exe (command line: C:\Windows\system32\Jdbhkk32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1532
Level 19: C:\Windows\SysWOW64\Jjopcb32.exe (command line: C:\Windows\system32\Jjopcb32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4964
Level 20: C:\Windows\SysWOW64\Jqiipljg.exe (command line: C:\Windows\system32\Jqiipljg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1816
Level 21: C:\Windows\SysWOW64\Jkomneim.exe (command line: C:\Windows\system32\Jkomneim.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2488
Level 22: C:\Windows\SysWOW64\Jqlefl32.exe (command line: C:\Windows\system32\Jqlefl32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2788
Level 23: C:\Windows\SysWOW64\Jnpfop32.exe (command line: C:\Windows\system32\Jnpfop32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2596
Level 24: C:\Windows\SysWOW64\Kdinljnk.exe (command line: C:\Windows\system32\Kdinljnk.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1332
Level 25: C:\Windows\SysWOW64\Kjffdalb.exe (command line: C:\Windows\system32\Kjffdalb.exe)
- Executes dropped EXE
PID: 2280
Level 26: C:\Windows\SysWOW64\Kqpoakco.exe (command line: C:\Windows\system32\Kqpoakco.exe)
- Executes dropped EXE
PID: 4304
Level 27: C:\Windows\SysWOW64\Kkfcndce.exe (command line: C:\Windows\system32\Kkfcndce.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4664
Level 28: C:\Windows\SysWOW64\Kqbkfkal.exe (command line: C:\Windows\system32\Kqbkfkal.exe)
- Executes dropped EXE
PID: 4716
Level 29: C:\Windows\SysWOW64\Kijchhbo.exe (command line: C:\Windows\system32\Kijchhbo.exe)
- Executes dropped EXE
PID: 1628
Level 30: C:\Windows\SysWOW64\Knflpoqf.exe (command line: C:\Windows\system32\Knflpoqf.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2692
Level 31: C:\Windows\SysWOW64\Kilpmh32.exe (command line: C:\Windows\system32\Kilpmh32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 3824
Level 32: C:\Windows\SysWOW64\Kgopidgf.exe (command line: C:\Windows\system32\Kgopidgf.exe)
- Executes dropped EXE
PID: 2940
Level 33: C:\Windows\SysWOW64\Kbddfmgl.exe (command line: C:\Windows\system32\Kbddfmgl.exe)
- Executes dropped EXE
PID: 4904
Level 34: C:\Windows\SysWOW64\Kgamnded.exe (command line: C:\Windows\system32\Kgamnded.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 212
Level 35: C:\Windows\SysWOW64\Kjpijpdg.exe (command line: C:\Windows\system32\Kjpijpdg.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4728
Level 36: C:\Windows\SysWOW64\Leenhhdn.exe (command line: C:\Windows\system32\Leenhhdn.exe)
- Executes dropped EXE
PID: 4420
Level 37: C:\Windows\SysWOW64\Lkofdbkj.exe (command line: C:\Windows\system32\Lkofdbkj.exe)
- Executes dropped EXE
PID: 1152
Level 38: C:\Windows\SysWOW64\Lbinam32.exe (command line: C:\Windows\system32\Lbinam32.exe)
- Executes dropped EXE
PID: 3076
Level 39: C:\Windows\SysWOW64\Licfngjd.exe (command line: C:\Windows\system32\Licfngjd.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 4012
Level 40: C:\Windows\SysWOW64\Lkabjbih.exe (command line: C:\Windows\system32\Lkabjbih.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4684
Level 41: C:\Windows\SysWOW64\Lbkkgl32.exe (command line: C:\Windows\system32\Lbkkgl32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 4220
Level 42: C:\Windows\SysWOW64\Lieccf32.exe (command line: C:\Windows\system32\Lieccf32.exe)
- Executes dropped EXE
PID: 4268
Level 43: C:\Windows\SysWOW64\Ljgpkonp.exe (command line: C:\Windows\system32\Ljgpkonp.exe)
- Executes dropped EXE
PID: 2576
Level 44: C:\Windows\SysWOW64\Lbngllob.exe (command line: C:\Windows\system32\Lbngllob.exe)
- Executes dropped EXE
PID: 4968
Level 45: C:\Windows\SysWOW64\Lelchgne.exe (command line: C:\Windows\system32\Lelchgne.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2520
Level 46: C:\Windows\SysWOW64\Llflea32.exe (command line: C:\Windows\system32\Llflea32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1684
Level 47: C:\Windows\SysWOW64\Lbpdblmo.exe (command line: C:\Windows\system32\Lbpdblmo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3524
Level 48: C:\Windows\SysWOW64\Lijlof32.exe (command line: C:\Windows\system32\Lijlof32.exe)
- Executes dropped EXE
PID: 1912
Level 49: C:\Windows\SysWOW64\Ljkifn32.exe (command line: C:\Windows\system32\Ljkifn32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2536
Level 50: C:\Windows\SysWOW64\Mbbagk32.exe (command line: C:\Windows\system32\Mbbagk32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1096
Level 51: C:\Windows\SysWOW64\Meamcg32.exe (command line: C:\Windows\system32\Meamcg32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 384
Level 52: C:\Windows\SysWOW64\Mlkepaam.exe (command line: C:\Windows\system32\Mlkepaam.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1652
Level 53: C:\Windows\SysWOW64\Mniallpq.exe (command line: C:\Windows\system32\Mniallpq.exe)
- Executes dropped EXE
PID: 3836
Level 54: C:\Windows\SysWOW64\Mhafeb32.exe (command line: C:\Windows\system32\Mhafeb32.exe)
- Executes dropped EXE
PID: 4680
Level 55: C:\Windows\SysWOW64\Mnlnbl32.exe (command line: C:\Windows\system32\Mnlnbl32.exe)
- Executes dropped EXE
PID: 4364
Level 56: C:\Windows\SysWOW64\Meefofek.exe (command line: C:\Windows\system32\Meefofek.exe)
- Executes dropped EXE
PID: 1224
Level 57: C:\Windows\SysWOW64\Mlpokp32.exe (command line: C:\Windows\system32\Mlpokp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1760
Level 58: C:\Windows\SysWOW64\Mnnkgl32.exe (command line: C:\Windows\system32\Mnnkgl32.exe)
- Executes dropped EXE
PID: 4208
Level 59: C:\Windows\SysWOW64\Micoed32.exe (command line: C:\Windows\system32\Micoed32.exe)
- Executes dropped EXE
PID: 4472
Level 60: C:\Windows\SysWOW64\Mjellmbp.exe (command line: C:\Windows\system32\Mjellmbp.exe)
- Executes dropped EXE
- Modifies registry class
PID: 388
Level 61: C:\Windows\SysWOW64\Mejpje32.exe (command line: C:\Windows\system32\Mejpje32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 4588
Level 62: C:\Windows\SysWOW64\Njghbl32.exe (command line: C:\Windows\system32\Njghbl32.exe)
- Executes dropped EXE
PID: 2688
Level 63: C:\Windows\SysWOW64\Naaqofgj.exe (command line: C:\Windows\system32\Naaqofgj.exe)
- Executes dropped EXE
PID: 940
Level 64: C:\Windows\SysWOW64\Nemmoe32.exe (command line: C:\Windows\system32\Nemmoe32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1940
Level 65: C:\Windows\SysWOW64\Nhkikq32.exe (command line: C:\Windows\system32\Nhkikq32.exe)
- Executes dropped EXE
PID: 3968
Level 66: C:\Windows\SysWOW64\Njiegl32.exe (command line: C:\Windows\system32\Njiegl32.exe)
- Modifies registry class
PID: 1544
Level 67: C:\Windows\SysWOW64\Nacmdf32.exe (command line: C:\Windows\system32\Nacmdf32.exe)
- Modifies registry class
PID: 1184
Level 68: C:\Windows\SysWOW64\Nijeec32.exe (command line: C:\Windows\system32\Nijeec32.exe)
- Modifies registry class
PID: 1140
Level 69: C:\Windows\SysWOW64\Nklbmllg.exe (command line: C:\Windows\system32\Nklbmllg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3568
Level 70: C:\Windows\SysWOW64\Nafjjf32.exe (command line: C:\Windows\system32\Nafjjf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2736
Level 71: C:\Windows\SysWOW64\Neafjdkn.exe (command line: C:\Windows\system32\Neafjdkn.exe)
PID: 2384
Level 72: C:\Windows\SysWOW64\Nhpbfpka.exe (command line: C:\Windows\system32\Nhpbfpka.exe)
PID: 1300
Level 73: C:\Windows\SysWOW64\Nbefdijg.exe (command line: C:\Windows\system32\Nbefdijg.exe)
PID: 3676
Level 74: C:\Windows\SysWOW64\Nolgijpk.exe (command line: C:\Windows\system32\Nolgijpk.exe)
PID: 4088
Level 75: C:\Windows\SysWOW64\Nhdlao32.exe (command line: C:\Windows\system32\Nhdlao32.exe)
PID: 1952
Level 76: C:\Windows\SysWOW64\Oondnini.exe (command line: C:\Windows\system32\Oondnini.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 688
Level 77: C:\Windows\SysWOW64\Ohghgodi.exe (command line: C:\Windows\system32\Ohghgodi.exe)
PID: 3964
Level 78: C:\Windows\SysWOW64\Ooqqdi32.exe (command line: C:\Windows\system32\Ooqqdi32.exe)
- Modifies registry class
PID: 5096
Level 79: C:\Windows\SysWOW64\Oaompd32.exe (command line: C:\Windows\system32\Oaompd32.exe)
PID: 116
Level 80: C:\Windows\SysWOW64\Oldamm32.exe (command line: C:\Windows\system32\Oldamm32.exe)
PID: 2616
Level 81: C:\Windows\SysWOW64\Oocmii32.exe (command line: C:\Windows\system32\Oocmii32.exe)
PID: 4204
Level 82: C:\Windows\SysWOW64\Oaajed32.exe (command line: C:\Windows\system32\Oaajed32.exe)
- Drops file in System32 directory
PID: 868
Level 83: C:\Windows\SysWOW64\Oihagaji.exe (command line: C:\Windows\system32\Oihagaji.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3164
Level 84: C:\Windows\SysWOW64\Obafpg32.exe (command line: C:\Windows\system32\Obafpg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 4248
Level 85: C:\Windows\SysWOW64\Oeoblb32.exe (command line: C:\Windows\system32\Oeoblb32.exe)
PID: 4860
Level 86: C:\Windows\SysWOW64\Olijhmgj.exe (command line: C:\Windows\system32\Olijhmgj.exe)
PID: 4712
Level 87: C:\Windows\SysWOW64\Obcceg32.exe (command line: C:\Windows\system32\Obcceg32.exe)
PID: 4376
Level 88: C:\Windows\SysWOW64\Pllgnl32.exe (command line: C:\Windows\system32\Pllgnl32.exe)
PID: 5128
Level 89: C:\Windows\SysWOW64\Pahpfc32.exe (command line: C:\Windows\system32\Pahpfc32.exe)
PID: 5184
Level 90: C:\Windows\SysWOW64\Pkadoiip.exe (command line: C:\Windows\system32\Pkadoiip.exe)
PID: 5228
Level 91: C:\Windows\SysWOW64\Pakllc32.exe (command line: C:\Windows\system32\Pakllc32.exe)
PID: 5272
Level 92: C:\Windows\SysWOW64\Pibdmp32.exe (command line: C:\Windows\system32\Pibdmp32.exe)
PID: 5316
Level 93: C:\Windows\SysWOW64\Pcjiff32.exe (command line: C:\Windows\system32\Pcjiff32.exe)
- System Location Discovery: System Language Discovery
PID: 5360
Level 94: C:\Windows\SysWOW64\Phganm32.exe (command line: C:\Windows\system32\Phganm32.exe)
PID: 5408
Level 95: C:\Windows\SysWOW64\Pcmeke32.exe (command line: C:\Windows\system32\Pcmeke32.exe)
- Drops file in System32 directory
PID: 5452
Level 96: C:\Windows\SysWOW64\Plejdkmm.exe (command line: C:\Windows\system32\Plejdkmm.exe)
PID: 5496
Level 97: C:\Windows\SysWOW64\Pabblb32.exe (command line: C:\Windows\system32\Pabblb32.exe)
PID: 5540
Level 98: C:\Windows\SysWOW64\Qhlkilba.exe (command line: C:\Windows\system32\Qhlkilba.exe)
- System Location Discovery: System Language Discovery
PID: 5584
Level 99: C:\Windows\SysWOW64\Qhngolpo.exe (command line: C:\Windows\system32\Qhngolpo.exe)
PID: 5628
Level 100: C:\Windows\SysWOW64\Qkmdkgob.exe (command line: C:\Windows\system32\Qkmdkgob.exe)
PID: 5672
Level 101: C:\Windows\SysWOW64\Qohpkf32.exe (command line: C:\Windows\system32\Qohpkf32.exe)
- System Location Discovery: System Language Discovery
PID: 5716
Level 102: C:\Windows\SysWOW64\Ahqddk32.exe (command line: C:\Windows\system32\Ahqddk32.exe)
- Drops file in System32 directory
PID: 5756
Level 103: C:\Windows\SysWOW64\Alnmjjdb.exe (command line: C:\Windows\system32\Alnmjjdb.exe)
PID: 5800
Level 104: C:\Windows\SysWOW64\Achegd32.exe (command line: C:\Windows\system32\Achegd32.exe)
PID: 5844
Level 105: C:\Windows\SysWOW64\Ajbmdn32.exe (command line: C:\Windows\system32\Ajbmdn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 5888
Level 106: C:\Windows\SysWOW64\Akcjkfij.exe (command line: C:\Windows\system32\Akcjkfij.exe)
PID: 5932
Level 107: C:\Windows\SysWOW64\Ackbmcjl.exe (command line: C:\Windows\system32\Ackbmcjl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5976
Level 108: C:\Windows\SysWOW64\Ahgjejhd.exe (command line: C:\Windows\system32\Ahgjejhd.exe)
- Drops file in System32 directory
PID: 6020
Level 109: C:\Windows\SysWOW64\Afkknogn.exe (command line: C:\Windows\system32\Afkknogn.exe)
PID: 6064
Level 110: C:\Windows\SysWOW64\Ahjgjj32.exe (command line: C:\Windows\system32\Ahjgjj32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 6112
Level 111: C:\Windows\SysWOW64\Acokhc32.exe (command line: C:\Windows\system32\Acokhc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 5124
Level 112: C:\Windows\SysWOW64\Bhldpj32.exe (command line: C:\Windows\system32\Bhldpj32.exe)
PID: 5200
Level 113: C:\Windows\SysWOW64\Blhpqhlh.exe (command line: C:\Windows\system32\Blhpqhlh.exe)
PID: 5256
Level 114: C:\Windows\SysWOW64\Bbdhiojo.exe (command line: C:\Windows\system32\Bbdhiojo.exe)
PID: 5328
Level 115: C:\Windows\SysWOW64\Bhoqeibl.exe (command line: C:\Windows\system32\Bhoqeibl.exe)
PID: 5396
Level 116: C:\Windows\SysWOW64\Bohibc32.exe (command line: C:\Windows\system32\Bohibc32.exe)
PID: 5468
Level 117: C:\Windows\SysWOW64\Bkoigdom.exe (command line: C:\Windows\system32\Bkoigdom.exe)
PID: 5524
Level 118: C:\Windows\SysWOW64\Bhcjqinf.exe (command line: C:\Windows\system32\Bhcjqinf.exe)
- Drops file in System32 directory
PID: 5624
Level 119: C:\Windows\SysWOW64\Bcinna32.exe (command line: C:\Windows\system32\Bcinna32.exe)
PID: 5680
Level 120: C:\Windows\SysWOW64\Bkdcbd32.exe (command line: C:\Windows\system32\Bkdcbd32.exe)
PID: 5744
Level 121: C:\Windows\SysWOW64\Cihclh32.exe (command line: C:\Windows\system32\Cihclh32.exe)
PID: 5832
Level 122: C:\Windows\SysWOW64\Ckfphc32.exe (command line: C:\Windows\system32\Ckfphc32.exe)
PID: 5896