Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 16:52
Static task
static1
Behavioral task
behavioral1
Sample
91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
Resource
win10v2004-20241007-en
General
-
Target
91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
-
Size
1.2MB
-
MD5
9eefab4fbd0fc7b47747b57441d0073b
-
SHA1
f25ff646aa83a1e4b5afea562a0d2bfab19eee20
-
SHA256
91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7
-
SHA512
24a73049d23abb4a64a3cc9ab45a03ff070fe449d510510063597a9c400f009b2d89f537b64ea2e3cdb5185560bdaa88a054ac82d2a80e330c44ed2f3169ae0e
-
SSDEEP
6144:8RNZaZNAkOCOu0EajNVBZtHr9zM8d9CXdPipmMH/gysNkvC8vA+XTv7FYUwMOFut:8FqSHCXwpnsKvNA+XTvZHWuEo3oW6c
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Klahfp32.exeBmhocd32.exeDfhjkabi.exeHglaej32.exeDbkqfe32.exeFimhjl32.exeOeoblb32.exeJklinohd.exeMkadfj32.exeKjblje32.exeMfnoqc32.exeDojqjdbl.exeJjjghcfp.exeJhlgfj32.exeIoolkncg.exeLjceqb32.exeLqmmmmph.exeHkdjfb32.exeLmpkadnm.exeKcbfcigf.exeLljklo32.exeBgeaifia.exeLelchgne.exeAlcfei32.exeBokehc32.exePibdmp32.exeIcnklbmj.exeOjgjndno.exeGpgind32.exeHdkidohn.exeIipfmggc.exeNadleilm.exeQgnbaj32.exeFlinkojm.exeNabfjpak.exeQfbobf32.exeLldopb32.exeMnlnbl32.exeJdfjld32.exeEigonjcj.exeNnfgcd32.exeBepmoh32.exeDcogje32.exeDfamapjo.exeNhdlao32.exeQaflgago.exeLclpdncg.exeAonoao32.exeAqkpeopg.exeKkfcndce.exeLbpdblmo.exeCoohhlpe.exeJlgepanl.exeCibmlmeb.exeCbbnpg32.exeGmimai32.exePpahmb32.exeLjqhkckn.exeEfhcbodf.exeDcpmen32.exeMmpdhboj.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimhjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeoblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkadfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfnoqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojqjdbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjghcfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqmmmmph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcbfcigf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bokehc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibdmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgjndno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdkidohn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nadleilm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfbobf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnlnbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eigonjcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfgcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepmoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcogje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfamapjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhdlao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaflgago.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclpdncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabfjpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqkpeopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkfcndce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbpdblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coohhlpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibmlmeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmimai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppahmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljqhkckn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhcbodf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcpmen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpdhboj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Neffpj32.exeOpogbbig.exeOigllh32.exeOlehhc32.exeOcopdn32.exeOenlqi32.exeOhlimd32.exeOpcqnb32.exeOcamjm32.exeOileggkb.exeOljaccjf.exeOcdjpmac.exeOebflhaf.exeOhqbhdpj.exeOokjdn32.exePedbahod.exePhcomcng.exePpjgoaoj.exePgdokkfg.exePhelcc32.exePpmcdq32.exePckppl32.exePfillg32.exePhhhhc32.exePpopjp32.exePcmlfl32.exePgihfj32.exePjgebf32.exePodmkm32.exePgkelj32.exePjjahe32.exePlhnda32.exePofjpl32.exeQgnbaj32.exeQjlnnemp.exeQqffjo32.exeQcdbfk32.exeQfbobf32.exeQhakoa32.exeAokcklid.exeAgbkmijg.exeAqkpeopg.exeAcilajpk.exeAfghneoo.exeAhfdjanb.exeAqmlknnd.exeAckigjmh.exeAfjeceml.exeAihaoqlp.exeAqoiqn32.exeAcnemi32.exeAflaie32.exeAijnep32.exeAmfjeobf.exeAcpbbi32.exeAfnnnd32.exeAimkjp32.exeBqdblmhl.exeBcbohigp.exeBgnkhg32.exeBjlgdc32.exeBmkcqn32.exeBoipmj32.exeBgpgng32.exepid Process 3648 Neffpj32.exe 1160 Opogbbig.exe 1012 Oigllh32.exe 1192 Olehhc32.exe 2632 Ocopdn32.exe 2268 Oenlqi32.exe 4068 Ohlimd32.exe 2004 Opcqnb32.exe 1696 Ocamjm32.exe 840 Oileggkb.exe 4956 Oljaccjf.exe 1816 Ocdjpmac.exe 2352 Oebflhaf.exe 4616 Ohqbhdpj.exe 1684 Ookjdn32.exe 1832 Pedbahod.exe 1596 Phcomcng.exe 3752 Ppjgoaoj.exe 4580 Pgdokkfg.exe 1196 Phelcc32.exe 3656 Ppmcdq32.exe 2192 Pckppl32.exe 3496 Pfillg32.exe 4536 Phhhhc32.exe 3244 Ppopjp32.exe 4028 Pcmlfl32.exe 2616 Pgihfj32.exe 3324 Pjgebf32.exe 4912 Podmkm32.exe 4516 Pgkelj32.exe 2364 Pjjahe32.exe 3672 Plhnda32.exe 3116 Pofjpl32.exe 3964 Qgnbaj32.exe 3228 Qjlnnemp.exe 3748 Qqffjo32.exe 4160 Qcdbfk32.exe 892 Qfbobf32.exe 4332 Qhakoa32.exe 3312 Aokcklid.exe 2492 Agbkmijg.exe 5060 Aqkpeopg.exe 4988 Acilajpk.exe 3560 Afghneoo.exe 4876 Ahfdjanb.exe 244 Aqmlknnd.exe 2664 Ackigjmh.exe 2236 Afjeceml.exe 1952 Aihaoqlp.exe 212 Aqoiqn32.exe 2292 Acnemi32.exe 1140 Aflaie32.exe 2244 Aijnep32.exe 3320 Amfjeobf.exe 3112 Acpbbi32.exe 4520 Afnnnd32.exe 3188 Aimkjp32.exe 1604 Bqdblmhl.exe 1172 Bcbohigp.exe 2432 Bgnkhg32.exe 4412 Bjlgdc32.exe 1792 Bmkcqn32.exe 2748 Boipmj32.exe 400 Bgpgng32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Acmobchj.exeMcbpjg32.exeHpdfnolo.exeOidhlb32.exeFfobhg32.exeGmimai32.exeAaoaic32.exeJhijqj32.exeAeddnp32.exeNjhgbp32.exeBfjnjcni.exeLobjni32.exeLgccinoe.exeCoohhlpe.exeDoaneiop.exeNfjola32.exeEfdjgo32.exePhincl32.exeBbiado32.exeJljbeali.exeLmdnbn32.exeNmkmjjaa.exeOhqbhdpj.exeAchegd32.exeLjqhkckn.exeJjjghcfp.exeLmpkadnm.exeHildmn32.exeKomhll32.exeOmpfej32.exeBcbohigp.exeLjbfpo32.exeDijbno32.exeCiafbg32.exeBheplb32.exeHienlpel.exeIpgbdbqb.exeBffcpg32.exeEfhcbodf.exeIjfnmc32.exeBhldpj32.exeBoipmj32.exePibdmp32.exePakllc32.exeHoeieolb.exeKglmio32.exeKnhakh32.exeNndjndbh.exeQoelkp32.exeOokjdn32.exeCpihcgoa.exeHlnjbedi.exeIlcldb32.exeCocacl32.exeDeqcbpld.exeMkadfj32.exeOclkgccf.exeCnhgjaml.exeDcpmen32.exeOileggkb.exeAjggomog.exedescription ioc Process File created C:\Windows\SysWOW64\Ajggomog.exe Acmobchj.exe File created C:\Windows\SysWOW64\Ojnkocdc.dll Mcbpjg32.exe File created C:\Windows\SysWOW64\Hhknpmma.exe Hpdfnolo.exe File created C:\Windows\SysWOW64\Ingcceof.dll Oidhlb32.exe File created C:\Windows\SysWOW64\Npodfe32.dll Ffobhg32.exe File opened for modification C:\Windows\SysWOW64\Gpgind32.exe Gmimai32.exe File created C:\Windows\SysWOW64\Lpmkebjc.dll Aaoaic32.exe File created C:\Windows\SysWOW64\Fnknamej.dll Jhijqj32.exe File created C:\Windows\SysWOW64\Alnmjjdb.exe Aeddnp32.exe File created C:\Windows\SysWOW64\Nmfcok32.exe Njhgbp32.exe File created C:\Windows\SysWOW64\Fliabjbh.dll Bfjnjcni.exe File opened for modification C:\Windows\SysWOW64\Lncjlq32.exe Lobjni32.exe File created C:\Windows\SysWOW64\Dbdplc32.dll Lgccinoe.exe File created C:\Windows\SysWOW64\Npefkf32.dll Coohhlpe.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Doaneiop.exe File created C:\Windows\SysWOW64\Nbgqin32.dll Nfjola32.exe File created C:\Windows\SysWOW64\Gcklla32.dll Efdjgo32.exe File created C:\Windows\SysWOW64\Pocfpf32.exe Phincl32.exe File created C:\Windows\SysWOW64\Dqboip32.dll Bbiado32.exe File created C:\Windows\SysWOW64\Jebfng32.exe Jljbeali.exe File created C:\Windows\SysWOW64\Fihgkk32.dll Lmdnbn32.exe File opened for modification C:\Windows\SysWOW64\Ngqagcag.exe Nmkmjjaa.exe File created C:\Windows\SysWOW64\Opakdijo.dll Ohqbhdpj.exe File created C:\Windows\SysWOW64\Ajbmdn32.exe Achegd32.exe File opened for modification C:\Windows\SysWOW64\Lqkqhm32.exe Ljqhkckn.exe File created C:\Windows\SysWOW64\Gcnobqph.dll Jjjghcfp.exe File created C:\Windows\SysWOW64\Eleeje32.dll Lmpkadnm.exe File created C:\Windows\SysWOW64\Keaebdpc.dll Hildmn32.exe File created C:\Windows\SysWOW64\Mglpdp32.dll Komhll32.exe File created C:\Windows\SysWOW64\Ocjoadei.exe Ompfej32.exe File created C:\Windows\SysWOW64\Dgplfcko.dll Bcbohigp.exe File created C:\Windows\SysWOW64\Gaeaha32.dll Ljbfpo32.exe File created C:\Windows\SysWOW64\Dodjjimm.exe Dijbno32.exe File opened for modification C:\Windows\SysWOW64\Diccgfpd.exe Ciafbg32.exe File created C:\Windows\SysWOW64\Pqindg32.dll Bheplb32.exe File created C:\Windows\SysWOW64\Qfdngj32.dll Hienlpel.exe File created C:\Windows\SysWOW64\Iipfmggc.exe Ipgbdbqb.exe File created C:\Windows\SysWOW64\Pbbmemif.dll Bffcpg32.exe File opened for modification C:\Windows\SysWOW64\Eigonjcj.exe Efhcbodf.exe File opened for modification C:\Windows\SysWOW64\Ibmeoq32.exe Ijfnmc32.exe File created C:\Windows\SysWOW64\Nondlbmd.dll Bhldpj32.exe File opened for modification C:\Windows\SysWOW64\Bgpgng32.exe Boipmj32.exe File created C:\Windows\SysWOW64\Qfmjef32.dll Pibdmp32.exe File created C:\Windows\SysWOW64\Pibdmp32.exe Pakllc32.exe File created C:\Windows\SysWOW64\Qfgllk32.dll Hoeieolb.exe File created C:\Windows\SysWOW64\Hpaolmbc.dll Achegd32.exe File created C:\Windows\SysWOW64\Kmieae32.exe Kglmio32.exe File created C:\Windows\SysWOW64\Lgqfdnah.exe Knhakh32.exe File created C:\Windows\SysWOW64\Jjgobjmp.dll Nndjndbh.exe File created C:\Windows\SysWOW64\Qhmqdemc.exe Qoelkp32.exe File opened for modification C:\Windows\SysWOW64\Coohhlpe.exe Bheplb32.exe File created C:\Windows\SysWOW64\Pedbahod.exe Ookjdn32.exe File created C:\Windows\SysWOW64\Gdbpil32.dll Cpihcgoa.exe File created C:\Windows\SysWOW64\Hbhboolf.exe Hlnjbedi.exe File opened for modification C:\Windows\SysWOW64\Ipoheakj.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Cbbnpg32.exe Cocacl32.exe File created C:\Windows\SysWOW64\Mfbjdgmg.dll Deqcbpld.exe File created C:\Windows\SysWOW64\Bafehe32.dll Mkadfj32.exe File created C:\Windows\SysWOW64\Nphihiif.dll Oclkgccf.exe File created C:\Windows\SysWOW64\Cgqlcg32.exe Cnhgjaml.exe File opened for modification C:\Windows\SysWOW64\Boflmdkk.exe Bhldpj32.exe File created C:\Windows\SysWOW64\Dmhand32.exe Dcpmen32.exe File opened for modification C:\Windows\SysWOW64\Oljaccjf.exe Oileggkb.exe File created C:\Windows\SysWOW64\Akhcfe32.exe Ajggomog.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2748 4528 WerFault.exe 702 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bgnkhg32.exePiphgq32.exePkcadhgm.exeQhlkilba.exeLjceqb32.exeAijnep32.exeAcpbbi32.exeDapkni32.exePlndcl32.exeEmkndc32.exeKglmio32.exeLfjfecno.exePhcomcng.exePjjahe32.exeAfghneoo.exeHnaqgd32.exeHnhghcki.exeNiooqcad.exeOaompd32.exeBhldpj32.exeDpiplm32.exeDakacjdb.exeDfhjkabi.exeDcogje32.exeIjfnmc32.exeAbbkcpma.exePkgcea32.exePkenjh32.exeQhhpop32.exeOebflhaf.exeBjaqpbkh.exeDabhdinj.exeLiqihglg.exeOoqqdi32.exeKpoalo32.exeLgbloglj.exePcmlfl32.exeDdadpdmn.exeGpkchqdj.exeCijpahho.exeCkilmcgb.exeCfkmkf32.exeIpeeobbe.exeQobhkjdi.exeBfgjjm32.exeIgpdfb32.exeOnnmdcjm.exeFmhdkknd.exePpahmb32.exeQhakoa32.exeJnmijq32.exeAlcfei32.exeLjclki32.exeHgelek32.exeIhphkl32.exeLgccinoe.exePffgom32.exeOpcqnb32.exeMjbogmdb.exeBoflmdkk.exeChkobkod.exeQjlnnemp.exeBmmpfn32.exeKiejmi32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnkhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcadhgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhlkilba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljceqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijnep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglmio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcomcng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjahe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afghneoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niooqcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaompd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpiplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakacjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhjkabi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcogje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbkcpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkenjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhhpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oebflhaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqihglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmlfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddadpdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkchqdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijpahho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmcgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeeobbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhakoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmijq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljclki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgelek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihphkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgccinoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pffgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcqnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjbogmdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjlnnemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmpfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe -
Modifies registry class 64 IoCs
Processes:
Qjlnnemp.exeKniieo32.exeDfhjkabi.exeHdmein32.exeOidhlb32.exeEibfck32.exeJllokajf.exeKcmmhj32.exePhcomcng.exeLmpkadnm.exeEiahnnph.exeCkilmcgb.exeEnkdaepb.exeBjaqpbkh.exeDfamapjo.exeKageaj32.exePkenjh32.exeQkmdkgob.exeCijpahho.exeNqmfdj32.exePedbahod.exePjjahe32.exeDkdliame.exeCamddhoi.exeDkahilkl.exeDnbakghm.exeKkconn32.exeQhjmdp32.exeAfghneoo.exeCflkpblf.exeDiicml32.exeEipinkib.exeNijeec32.exeJjafok32.exeMifljdjo.exeOhnohn32.exeIjegcm32.exeGnqfcbnj.exeOenlqi32.exeDeqcbpld.exeIgfclkdj.exeBoldhf32.exeCjmpkqqj.exeEjflhm32.exeBebjdgmj.exeGmimai32.exeAfpjel32.exePgkelj32.exeOaompd32.exeCnfkdb32.exeAlelqb32.exeJljbeali.exePffgom32.exeEofgpikj.exeMjbogmdb.exeBhkfkmmg.exeOdjeljhd.exeGpgind32.exeDcjnoece.exeMnlnbl32.exeGfeaopqo.exeIkndgg32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjlnnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdmein32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oidhlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleiba32.dll" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll" Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phcomcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll" Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjnjq32.dll" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmcqa32.dll" Dfamapjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilcp32.dll" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjebhadm.dll" Qkmdkgob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cijpahho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffangg32.dll" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidcecbj.dll" Pjjahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binnimfj.dll" Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeghb32.dll" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnbakghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" Qhjmdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afghneoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepdhaek.dll" Cflkpblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbnag32.dll" Eipinkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifdaage.dll" Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohnohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijegcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnqfcbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjmpkqqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdpiacg.dll" Bebjdgmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefqkm32.dll" Pgkelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiag32.dll" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll" Cnfkdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll" Pffgom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnbakghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnafk32.dll" Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhkfkmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldldehjm.dll" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmliok32.dll" Dcjnoece.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnlnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Gfeaopqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikndgg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exeNeffpj32.exeOpogbbig.exeOigllh32.exeOlehhc32.exeOcopdn32.exeOenlqi32.exeOhlimd32.exeOpcqnb32.exeOcamjm32.exeOileggkb.exeOljaccjf.exeOcdjpmac.exeOebflhaf.exeOhqbhdpj.exeOokjdn32.exePedbahod.exePhcomcng.exePpjgoaoj.exePgdokkfg.exePhelcc32.exePpmcdq32.exedescription pid Process procid_target PID 4852 wrote to memory of 3648 4852 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe 84 PID 4852 wrote to memory of 3648 4852 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe 84 PID 4852 wrote to memory of 3648 4852 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe 84 PID 3648 wrote to memory of 1160 3648 Neffpj32.exe 86 PID 3648 wrote to memory of 1160 3648 Neffpj32.exe 86 PID 3648 wrote to memory of 1160 3648 Neffpj32.exe 86 PID 1160 wrote to memory of 1012 1160 Opogbbig.exe 88 PID 1160 wrote to memory of 1012 1160 Opogbbig.exe 88 PID 1160 wrote to memory of 1012 1160 Opogbbig.exe 88 PID 1012 wrote to memory of 1192 1012 Oigllh32.exe 89 PID 1012 wrote to memory of 1192 1012 Oigllh32.exe 89 PID 1012 wrote to memory of 1192 1012 Oigllh32.exe 89 PID 1192 wrote to memory of 2632 1192 Olehhc32.exe 90 PID 1192 wrote to memory of 2632 1192 Olehhc32.exe 90 PID 1192 wrote to memory of 2632 1192 Olehhc32.exe 90 PID 2632 wrote to memory of 2268 2632 Ocopdn32.exe 91 PID 2632 wrote to memory of 2268 2632 Ocopdn32.exe 91 PID 2632 wrote to memory of 2268 2632 Ocopdn32.exe 91 PID 2268 wrote to memory of 4068 2268 Oenlqi32.exe 92 PID 2268 wrote to memory of 4068 2268 Oenlqi32.exe 92 PID 2268 wrote to memory of 4068 2268 Oenlqi32.exe 92 PID 4068 wrote to memory of 2004 4068 Ohlimd32.exe 93 PID 4068 wrote to memory of 2004 4068 Ohlimd32.exe 93 PID 4068 wrote to memory of 2004 4068 Ohlimd32.exe 93 PID 2004 wrote to memory of 1696 2004 Opcqnb32.exe 94 PID 2004 wrote to memory of 1696 2004 Opcqnb32.exe 94 PID 2004 wrote to memory of 1696 2004 Opcqnb32.exe 94 PID 1696 wrote to memory of 840 1696 Ocamjm32.exe 95 PID 1696 wrote to memory of 840 1696 Ocamjm32.exe 95 PID 1696 wrote to memory of 840 1696 Ocamjm32.exe 95 PID 840 wrote to memory of 4956 840 Oileggkb.exe 96 PID 840 wrote to memory of 4956 840 Oileggkb.exe 96 PID 840 wrote to memory of 4956 840 Oileggkb.exe 96 PID 4956 wrote to memory of 1816 4956 Oljaccjf.exe 97 PID 4956 wrote to memory of 1816 4956 Oljaccjf.exe 97 PID 4956 wrote to memory of 1816 4956 Oljaccjf.exe 97 PID 1816 wrote to memory of 2352 1816 Ocdjpmac.exe 98 PID 1816 wrote to memory of 2352 1816 Ocdjpmac.exe 98 PID 1816 wrote to memory of 2352 1816 Ocdjpmac.exe 98 PID 2352 wrote to memory of 4616 2352 Oebflhaf.exe 99 PID 2352 wrote to memory of 4616 2352 Oebflhaf.exe 99 PID 2352 wrote to memory of 4616 2352 Oebflhaf.exe 99 PID 4616 wrote to memory of 1684 4616 Ohqbhdpj.exe 100 PID 4616 wrote to memory of 1684 4616 Ohqbhdpj.exe 100 PID 4616 wrote to memory of 1684 4616 Ohqbhdpj.exe 100 PID 1684 wrote to memory of 1832 1684 Ookjdn32.exe 101 PID 1684 wrote to memory of 1832 1684 Ookjdn32.exe 101 PID 1684 wrote to memory of 1832 1684 Ookjdn32.exe 101 PID 1832 wrote to memory of 1596 1832 Pedbahod.exe 102 PID 1832 wrote to memory of 1596 1832 Pedbahod.exe 102 PID 1832 wrote to memory of 1596 1832 Pedbahod.exe 102 PID 1596 wrote to memory of 3752 1596 Phcomcng.exe 103 PID 1596 wrote to memory of 3752 1596 Phcomcng.exe 103 PID 1596 wrote to memory of 3752 1596 Phcomcng.exe 103 PID 3752 wrote to memory of 4580 3752 Ppjgoaoj.exe 104 PID 3752 wrote to memory of 4580 3752 Ppjgoaoj.exe 104 PID 3752 wrote to memory of 4580 3752 Ppjgoaoj.exe 104 PID 4580 wrote to memory of 1196 4580 Pgdokkfg.exe 105 PID 4580 wrote to memory of 1196 4580 Pgdokkfg.exe 105 PID 4580 wrote to memory of 1196 4580 Pgdokkfg.exe 105 PID 1196 wrote to memory of 3656 1196 Phelcc32.exe 106 PID 1196 wrote to memory of 3656 1196 Phelcc32.exe 106 PID 1196 wrote to memory of 3656 1196 Phelcc32.exe 106 PID 3656 wrote to memory of 2192 3656 Ppmcdq32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe"C:\Users\Admin\AppData\Local\Temp\91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe23⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe24⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe25⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe26⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4028 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe28⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe29⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe30⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4516 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe33⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe34⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe37⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe38⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe41⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe42⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe44⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe46⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe47⤵
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe48⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe49⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe50⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe51⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe52⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe53⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe55⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe57⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe58⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe59⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe62⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe63⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe65⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe66⤵PID:4488
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe67⤵
- System Location Discovery: System Language Discovery
PID:3096 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe68⤵PID:1156
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe69⤵PID:2652
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe71⤵PID:1808
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe72⤵PID:4596
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe74⤵PID:2228
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe75⤵PID:1388
-
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe76⤵PID:4772
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe77⤵PID:4012
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe78⤵
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe79⤵PID:2024
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe80⤵PID:3484
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe81⤵PID:5124
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe82⤵
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe83⤵PID:5196
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe84⤵PID:5232
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe85⤵PID:5268
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe86⤵PID:5304
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe87⤵PID:5340
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe88⤵PID:5376
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe89⤵PID:5412
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe90⤵PID:5448
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe91⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe92⤵PID:5520
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe93⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe94⤵PID:5592
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe95⤵PID:5628
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5664 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe97⤵PID:5700
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe98⤵PID:5736
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe99⤵PID:5772
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe100⤵PID:5808
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe101⤵
- System Location Discovery: System Language Discovery
PID:5844 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe102⤵
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5916 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe104⤵PID:5956
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe105⤵PID:5988
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe106⤵PID:6024
-
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe107⤵PID:6060
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe108⤵
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe109⤵
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3692 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe111⤵PID:2036
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe112⤵PID:2684
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe113⤵
- System Location Discovery: System Language Discovery
PID:3832 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe114⤵
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe115⤵PID:1144
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe116⤵PID:4460
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe117⤵PID:1996
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe118⤵PID:5184
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5252 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe120⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe121⤵PID:5372
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe122⤵PID:5436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-