Analysis

max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 17:12
Static task: static1

Behavioral task: behavioral1
Sample: 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe
Resource: win10v2004-20241007-en
General

Target: 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe
Size: 226KB
MD5: c43b3e61fe867f5a731ccf6efc88ef20
SHA1: 86ce5cc948d96bf0626f8139d6349694048aa5a7
SHA256: 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70
SHA512: 074b5f8c206bad462460aed34eadca71502ba8c95eb5cb171e0955832665839266483b4143c50a494b732a4e608856c0490dbd4e5ce7b3c853931cfe4a037dcc
SSDEEP: 3072:jD/1urdGMS6R1DDKcWmjRvDKcpDKcWmjRrzNtQtjDKcWmjRrzNtb:XU5Gl6R1MxEtQtsEtb
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every IoC in this group touches the same key and value. Explorer loads each CLSID listed under ShellServiceObjectDelayLoad at logon, so whatever DLL is registered as that CLSID's InProcServer32 (see "Modifies registry class" below) runs inside explorer.exe on every start.

Key:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"  (string)

Key created (29 processes): Kimjhnnl.exe, Qbobaf32.exe, Ombddbah.exe, Ijnnao32.exe, Kageia32.exe, Jacibm32.exe, Gagmbkik.exe, Ejklan32.exe, Hcepqh32.exe, Aebobgmi.exe, Eloipb32.exe, Iaimipjl.exe, Kenhopmf.exe, Pnhjgj32.exe, Gpmjcg32.exe, Ekghcq32.exe, Jllqplnp.exe, Ochcem32.exe, Ldhgnk32.exe, Onldqejb.exe, Kadica32.exe, Hklhae32.exe, Kekkiq32.exe, Fodgkp32.exe, Ikgkei32.exe, Nlohmonb.exe, Gdcmig32.exe, Cjppfl32.exe, Mjilmejf.exe

Set value "Web Event Logger" (35 processes): Lgpfpe32.exe, Efhcej32.exe, Dbdham32.exe, Kcmdjgbh.exe, Qhkkim32.exe, Akfnkmei.exe, Maanab32.exe, Oiahnnji.exe, Inepgn32.exe, Ijcngenj.exe, Geqlnjcf.exe, Gckfpc32.exe, Omphocck.exe, Abfoll32.exe, Kpfbegei.exe, Lhimji32.exe, Doqkpl32.exe, Bomlppdb.exe, Fkkhpadq.exe, Pbglpg32.exe, Kijmbnpo.exe, Nqbaic32.exe, Peeoidik.exe, Plbmom32.exe, Dilchhgg.exe, Aiaqle32.exe, Goiafp32.exe, Eepmlf32.exe, Piohgbng.exe, Ioiidfon.exe, Cdpdnpif.exe, Cfnkmi32.exe, Iqapnjli.exe, Fobkfqpo.exe, Ddkgbc32.exe
Berbew family

Executes dropped EXE (64 IoCs)

PID    Process
2752   Hcepqh32.exe
2788   Hklhae32.exe
2416   Hqiqjlga.exe
2696   Hcgmfgfd.exe
2608   Hjcaha32.exe
2576   Hiioin32.exe
2956   Ikgkei32.exe
2008   Ibcphc32.exe
1704   Iebldo32.exe
1900   Ikldqile.exe
808    Iaimipjl.exe
2592   Igebkiof.exe
812    Ijcngenj.exe
1092   Jjfkmdlg.exe
1384   Jjhgbd32.exe
2052   Jllqplnp.exe
2372   Jcciqi32.exe
2500   Jnmiag32.exe
3064   Jlqjkk32.exe
3032   Keioca32.exe
2364   Kekkiq32.exe
1012   Kocpbfei.exe
1504   Kenhopmf.exe
2300   Khldkllj.exe
2764   Kadica32.exe
1708   Kdbepm32.exe
2812   Kageia32.exe
2684   Kbhbai32.exe
2536   Lplbjm32.exe
2604   Lmpcca32.exe
1040   Lekghdad.exe
2940   Lhiddoph.exe
1484   Lemdncoa.exe
1684   Lofifi32.exe
2832   Lcadghnk.exe
1976   Lklikj32.exe
2776   Mdendpbg.exe
1744   Mgcjpkak.exe
2192   Mhcfjnhm.exe
2224   Mnpobefe.exe
1652   Mghckj32.exe
928    Mlelda32.exe
1712   Mjilmejf.exe
1772   Mlgiiaij.exe
1716   Mgmmfjip.exe
1296   Nohaklfk.exe
2152   Nbfnggeo.exe
2884   Njmfhe32.exe
1440   Nkobpmlo.exe
2216   Ncfjajma.exe
2824   Ndggib32.exe
2072   Nmnojp32.exe
2584   Nomkfk32.exe
1032   Nnokahip.exe
2380   Nffccejb.exe
332    Nhepoaif.exe
2044   Nkclkl32.exe
1072   Nbmdhfog.exe
1904   Nigldq32.exe
620    Ngjlpmnn.exe
1916   Nndemg32.exe
3008   Nqbaic32.exe
892    Ncamen32.exe
3012   Okhefl32.exe
Loads dropped DLL (64 IoCs)

Each process below is listed twice in the source (two dropped-DLL loads per process), starting with the submitted sample:

PID    Process
684    5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe
2752   Hcepqh32.exe
2788   Hklhae32.exe
2416   Hqiqjlga.exe
2696   Hcgmfgfd.exe
2608   Hjcaha32.exe
2576   Hiioin32.exe
2956   Ikgkei32.exe
2008   Ibcphc32.exe
1704   Iebldo32.exe
1900   Ikldqile.exe
808    Iaimipjl.exe
2592   Igebkiof.exe
812    Ijcngenj.exe
1092   Jjfkmdlg.exe
1384   Jjhgbd32.exe
2052   Jllqplnp.exe
2372   Jcciqi32.exe
2500   Jnmiag32.exe
3064   Jlqjkk32.exe
3032   Keioca32.exe
2364   Kekkiq32.exe
1012   Kocpbfei.exe
1504   Kenhopmf.exe
2300   Khldkllj.exe
2764   Kadica32.exe
1708   Kdbepm32.exe
2812   Kageia32.exe
2684   Kbhbai32.exe
2536   Lplbjm32.exe
2604   Lmpcca32.exe
1040   Lekghdad.exe
Drops file in System32 directory (64 IoCs)

The drops line up with the process list above: each stage writes the next stage's EXE (and often a DLL) into SysWOW64 and the "Executes dropped EXE" order shows that EXE running next (Hcgmfgfd.exe creates Hjcaha32.exe, Iaimipjl.exe creates Igebkiof.exe, Hklhae32.exe opens Hqiqjlga.exe for modification).

Operation | File | Process
File created | C:\Windows\SysWOW64\Igebkiof.exe | Iaimipjl.exe
File created | C:\Windows\SysWOW64\Ecmjid32.exe | Eannmi32.exe
File opened for modification | C:\Windows\SysWOW64\Haemloni.exe | Hofqpc32.exe
File created | C:\Windows\SysWOW64\Kmpnop32.dll | Faijggao.exe
File opened for modification | C:\Windows\SysWOW64\Hqiqjlga.exe | Hklhae32.exe
File created | C:\Windows\SysWOW64\Qfkelkkd.exe | Qdlipplq.exe
File created | C:\Windows\SysWOW64\Aaknah32.dll | Hgiked32.exe
File created | C:\Windows\SysWOW64\Oggeokoq.exe | Oqmmbqgd.exe
File opened for modification | C:\Windows\SysWOW64\Bnofaf32.exe | Boleejag.exe
File created | C:\Windows\SysWOW64\Ffgpgl32.dll | Mjilmejf.exe
File created | C:\Windows\SysWOW64\Dqaode32.exe | Dijfch32.exe
File created | C:\Windows\SysWOW64\Dblknlpo.dll | Hhoeii32.exe
File created | C:\Windows\SysWOW64\Jkdcdf32.exe | Iejkhlip.exe
File created | C:\Windows\SysWOW64\Naegmabc.exe | Njnokdaq.exe
File created | C:\Windows\SysWOW64\Pbiffmpn.dll | Phgannal.exe
File created | C:\Windows\SysWOW64\Jdncnflm.dll | Afqhjj32.exe
File created | C:\Windows\SysWOW64\Aaqbpk32.dll | Jllqplnp.exe
File created | C:\Windows\SysWOW64\Dmcfngde.exe | Djdjalea.exe
File opened for modification | C:\Windows\SysWOW64\Lmeebpkd.exe | Lijiaabk.exe
File created | C:\Windows\SysWOW64\Onoqfehp.exe | Okpdjjil.exe
File opened for modification | C:\Windows\SysWOW64\Pbepkh32.exe | Padccpal.exe
File created | C:\Windows\SysWOW64\Qbobaf32.exe | Qjgjpi32.exe
File created | C:\Windows\SysWOW64\Alakfjbc.dll | Bkcfjk32.exe
File created | C:\Windows\SysWOW64\Cnhhge32.exe | Cgnpjkhj.exe
File created | C:\Windows\SysWOW64\Omlncc32.exe | Ofafgipc.exe
File created | C:\Windows\SysWOW64\Fmbfnakd.dll | Ahedjb32.exe
File opened for modification | C:\Windows\SysWOW64\Bcflko32.exe | Bphooc32.exe
File created | C:\Windows\SysWOW64\Floeof32.exe | Fiqibj32.exe
File created | C:\Windows\SysWOW64\Aedkomok.dll | Fiqibj32.exe
File created | C:\Windows\SysWOW64\Fhecgqad.dll | Ooggpiek.exe
File created | C:\Windows\SysWOW64\Omcngamh.exe | Okbapi32.exe
File created | C:\Windows\SysWOW64\Qaablcej.exe | Qbobaf32.exe
File created | C:\Windows\SysWOW64\Aeeima32.dll | Piieicgl.exe
File opened for modification | C:\Windows\SysWOW64\Bfjkphjd.exe | Aocbokia.exe
File created | C:\Windows\SysWOW64\Oadilg32.dll | Qlgndbil.exe
File opened for modification | C:\Windows\SysWOW64\Kpfbegei.exe | Kimjhnnl.exe
File opened for modification | C:\Windows\SysWOW64\Aahimb32.exe | Aiaqle32.exe
File created | C:\Windows\SysWOW64\Albjnplq.exe | Aicmadmm.exe
File opened for modification | C:\Windows\SysWOW64\Ppcmfn32.exe | Piieicgl.exe
File opened for modification | C:\Windows\SysWOW64\Cngcll32.exe | Clefdcog.exe
File created | C:\Windows\SysWOW64\Dcmnja32.exe | Doabjbci.exe
File created | C:\Windows\SysWOW64\Dbdham32.exe | Dpfkeb32.exe
File opened for modification | C:\Windows\SysWOW64\Hfebhmbm.exe | Hnnjfo32.exe
File opened for modification | C:\Windows\SysWOW64\Hhcndhap.exe | Hfebhmbm.exe
File created | C:\Windows\SysWOW64\Dnjalhpp.exe | Dklepmal.exe
File created | C:\Windows\SysWOW64\Nnmihice.dll | Nkclkl32.exe
File opened for modification | C:\Windows\SysWOW64\Bpebidam.exe | Bngfmhbj.exe
File created | C:\Windows\SysWOW64\Ffdilo32.exe | Fpjaodmj.exe
File created | C:\Windows\SysWOW64\Pagmgi32.dll | Hlhddh32.exe
File created | C:\Windows\SysWOW64\Fdbhpk32.dll | Lijiaabk.exe
File created | C:\Windows\SysWOW64\Afiganaa.dll | Pjhnqfla.exe
File opened for modification | C:\Windows\SysWOW64\Bogljj32.exe | Blipno32.exe
File created | C:\Windows\SysWOW64\Bbchkime.exe | Bogljj32.exe
File created | C:\Windows\SysWOW64\Abfoll32.exe | Ahqkocmm.exe
File opened for modification | C:\Windows\SysWOW64\Cjoilfek.exe | Cgqmpkfg.exe
File created | C:\Windows\SysWOW64\Ienjoljk.dll | Cdpdnpif.exe
File created | C:\Windows\SysWOW64\Djaelqba.dll | Ppcmfn32.exe
File created | C:\Windows\SysWOW64\Elfkmcdp.dll | Ddbmcb32.exe
File created | C:\Windows\SysWOW64\Ebockkal.exe | Epqgopbi.exe
File created | C:\Windows\SysWOW64\Hehaja32.dll | Eiilge32.exe
File created | C:\Windows\SysWOW64\Hjcaha32.exe | Hcgmfgfd.exe
File created | C:\Windows\SysWOW64\Ldknflmi.dll | Pllkpn32.exe
File opened for modification | C:\Windows\SysWOW64\Odacbpee.exe | Obcffefa.exe
File opened for modification | C:\Windows\SysWOW64\Djafaf32.exe | Ccgnelll.exe
Program crash (1 IoC)

Process: WerFault.exe | pid: 5032 | pid_target: 6088 | procid_target: 537
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This key is also read by ordinary code during locale initialisation, so on its own it is weak corroboration rather than a standalone indicator.

All 64 IoCs are the same read, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by (in order): Cnflae32.exe, Hijhhl32.exe, Ncipjieo.exe, Onldqejb.exe, Aahimb32.exe, Paggce32.exe, Kpfbegei.exe, Ofafgipc.exe, Nddcimag.exe, Emgdmc32.exe, Ijnnao32.exe, Lophacfl.exe, Flnndp32.exe, Dmcfngde.exe, Gpogiglp.exe, Hdjoii32.exe, Ikagogco.exe, Phobjp32.exe, Hfebhmbm.exe, Bomlppdb.exe, Kppldhla.exe, Ppcmfn32.exe, Pnkglj32.exe, Ioiidfon.exe, Mlgiiaij.exe, Hofqpc32.exe, Kpdeoh32.exe, Oiokholk.exe, Pgibdjln.exe, Nhepoaif.exe, Cgadja32.exe, Ckecpjdh.exe, Pimkbbpi.exe, Bojipjcj.exe, Cceapl32.exe, Nohaklfk.exe, Fpjaodmj.exe, Iqcmcj32.exe, Kecjmodq.exe, Mneaacno.exe, Nggipg32.exe, Paafmp32.exe, Igebkiof.exe, Qlgndbil.exe, Ohmoco32.exe, Ejcofica.exe, Gmidlmcd.exe, Kcmdjgbh.exe, Aoaill32.exe, Flcojeak.exe, Gdcmig32.exe, Onoqfehp.exe, Aiaqle32.exe, Ncamen32.exe, Piieicgl.exe, Amjpgdik.exe, Afcdpi32.exe, Iqapnjli.exe, Mkibjgli.exe, Adgein32.exe, Enmnahnm.exe, Nomkfk32.exe, Goiafp32.exe, Llpoohik.exe
Modifies registry class (64 IoCs; the page is cut off after the 59th entry)

Every entry is under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM server registration for the CLSID that the ShellServiceObjectDelayLoad value "Web Event Logger" points at. Successive stages re-point the server at their own dropped DLL (for example Piieicgl.exe both creates C:\Windows\SysWOW64\Aeeima32.dll, listed under "Drops file in System32 directory", and registers it here), so the DLL explorer.exe loads at the next logon is whichever one was written last. Three operations occur:

Key created (InProcServer32) by: Omcngamh.exe, Kihpmnbb.exe, Igebkiof.exe, Pjahakgb.exe, Fenphjei.exe, Afcdpi32.exe, Kbhbai32.exe, Lmeebpkd.exe, Meecaa32.exe, Bbchkime.exe, Llpoohik.exe, Fobkfqpo.exe, Oiokholk.exe, Hcgmfgfd.exe, Clciod32.exe, Lemdncoa.exe, Njmfhe32.exe, Adblnnbk.exe, Iebldo32.exe, Kcmdjgbh.exe, Dochelmj.exe, Nbfnggeo.exe, Qfkelkkd.exe, Ecmjid32.exe

Set value (str) InProcServer32\ThreadingModel = "Apartment" by: Qifnhaho.exe, Baclaf32.exe, Lijiaabk.exe, Mghckj32.exe, Llpoohik.exe, Onoqfehp.exe, Qjgjpi32.exe, Ggklka32.exe, Ckhpejbf.exe, Baneak32.exe, Eloipb32.exe, Iblola32.exe, Jihdnk32.exe, Ephdjeol.exe, Gkpakq32.exe, Jgpndg32.exe, Kdbepm32.exe, Onjgkf32.exe, Occjjnap.exe, Bccoeo32.exe

Set value (str) InProcServer32\(Default) = DLL path (the server DLL COM loads for the CLSID):
C:\Windows\SysWow64\Bidjckae.dll | Qjgjpi32.exe
C:\Windows\SysWow64\Peecqfmk.dll | Kecjmodq.exe
C:\Windows\SysWow64\Eaakbg32.dll | Lcdjpfgh.exe
C:\Windows\SysWow64\Mqpkpl32.dll | Ejcofica.exe
C:\Windows\SysWow64\Akpcdopi.dll | Blkmdodf.exe
C:\Windows\SysWow64\Copjlmfa.dll | Oodjjign.exe
C:\Windows\SysWow64\Ajnnkldn.dll | Haemloni.exe
C:\Windows\SysWow64\Ibnhnc32.dll | Ijcngenj.exe
C:\Windows\SysWow64\Njldhk32.dll | Nohaklfk.exe
C:\Windows\SysWow64\Jmeoijkk.dll | Nknkeg32.exe
C:\Windows\SysWow64\Mkegikfe.dll | Hjggap32.exe
C:\Windows\SysWow64\Qhalbm32.dll | Ddmchcnd.exe
C:\Windows\SysWow64\Mpmpji32.dll | Gdcmig32.exe
C:\Windows\SysWow64\Aeeima32.dll | Piieicgl.exe
C:\Windows\SysWow64\Mhgacc32.dll | (process name cut off in the source)

The section's process list also names Gdfiofhn.exe, Kekkiq32.exe, Omiand32.exe, Mpkhoj32.exe, Mnhnfckm.exe and Qjddgj32.exe, whose entries fall in the truncated remainder.
Gdfiofhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekkiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omiand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogckopd.dll" Mpkhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honlnbae.dll" Mnhnfckm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjddgj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exeHcepqh32.exeHklhae32.exeHqiqjlga.exeHcgmfgfd.exeHjcaha32.exeHiioin32.exeIkgkei32.exeIbcphc32.exeIebldo32.exeIkldqile.exeIaimipjl.exeIgebkiof.exeIjcngenj.exeJjfkmdlg.exeJjhgbd32.exedescription pid Process procid_target PID 684 wrote to memory of 2752 684 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe 30 PID 684 wrote to memory of 2752 684 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe 30 PID 684 wrote to memory of 2752 684 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe 30 PID 684 wrote to memory of 2752 684 5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe 30 PID 2752 wrote to memory of 2788 2752 Hcepqh32.exe 31 PID 2752 wrote to memory of 2788 2752 Hcepqh32.exe 31 PID 2752 wrote to memory of 2788 2752 Hcepqh32.exe 31 PID 2752 wrote to memory of 2788 2752 Hcepqh32.exe 31 PID 2788 wrote to memory of 2416 2788 Hklhae32.exe 32 PID 2788 wrote to memory of 2416 2788 Hklhae32.exe 32 PID 2788 wrote to memory of 2416 2788 Hklhae32.exe 32 PID 2788 wrote to memory of 2416 2788 Hklhae32.exe 32 PID 2416 wrote to memory of 2696 2416 Hqiqjlga.exe 33 PID 2416 wrote to memory of 2696 2416 Hqiqjlga.exe 33 PID 2416 wrote to memory of 2696 2416 Hqiqjlga.exe 33 PID 2416 wrote to memory of 2696 2416 Hqiqjlga.exe 33 PID 2696 wrote to memory of 2608 2696 Hcgmfgfd.exe 34 PID 2696 wrote to memory of 2608 2696 Hcgmfgfd.exe 34 PID 2696 wrote to memory of 2608 2696 Hcgmfgfd.exe 34 PID 2696 wrote to memory of 2608 2696 Hcgmfgfd.exe 34 PID 2608 wrote to memory of 2576 2608 Hjcaha32.exe 35 PID 2608 wrote to memory of 2576 2608 Hjcaha32.exe 35 PID 2608 wrote to memory of 2576 2608 Hjcaha32.exe 35 PID 2608 wrote to memory of 2576 2608 Hjcaha32.exe 35 PID 2576 wrote to memory of 2956 2576 Hiioin32.exe 36 PID 2576 wrote to memory of 2956 2576 Hiioin32.exe 36 PID 2576 wrote to memory of 2956 2576 Hiioin32.exe 36 PID 2576 wrote to memory of 2956 
2576 Hiioin32.exe 36 PID 2956 wrote to memory of 2008 2956 Ikgkei32.exe 37 PID 2956 wrote to memory of 2008 2956 Ikgkei32.exe 37 PID 2956 wrote to memory of 2008 2956 Ikgkei32.exe 37 PID 2956 wrote to memory of 2008 2956 Ikgkei32.exe 37 PID 2008 wrote to memory of 1704 2008 Ibcphc32.exe 38 PID 2008 wrote to memory of 1704 2008 Ibcphc32.exe 38 PID 2008 wrote to memory of 1704 2008 Ibcphc32.exe 38 PID 2008 wrote to memory of 1704 2008 Ibcphc32.exe 38 PID 1704 wrote to memory of 1900 1704 Iebldo32.exe 39 PID 1704 wrote to memory of 1900 1704 Iebldo32.exe 39 PID 1704 wrote to memory of 1900 1704 Iebldo32.exe 39 PID 1704 wrote to memory of 1900 1704 Iebldo32.exe 39 PID 1900 wrote to memory of 808 1900 Ikldqile.exe 40 PID 1900 wrote to memory of 808 1900 Ikldqile.exe 40 PID 1900 wrote to memory of 808 1900 Ikldqile.exe 40 PID 1900 wrote to memory of 808 1900 Ikldqile.exe 40 PID 808 wrote to memory of 2592 808 Iaimipjl.exe 41 PID 808 wrote to memory of 2592 808 Iaimipjl.exe 41 PID 808 wrote to memory of 2592 808 Iaimipjl.exe 41 PID 808 wrote to memory of 2592 808 Iaimipjl.exe 41 PID 2592 wrote to memory of 812 2592 Igebkiof.exe 42 PID 2592 wrote to memory of 812 2592 Igebkiof.exe 42 PID 2592 wrote to memory of 812 2592 Igebkiof.exe 42 PID 2592 wrote to memory of 812 2592 Igebkiof.exe 42 PID 812 wrote to memory of 1092 812 Ijcngenj.exe 43 PID 812 wrote to memory of 1092 812 Ijcngenj.exe 43 PID 812 wrote to memory of 1092 812 Ijcngenj.exe 43 PID 812 wrote to memory of 1092 812 Ijcngenj.exe 43 PID 1092 wrote to memory of 1384 1092 Jjfkmdlg.exe 44 PID 1092 wrote to memory of 1384 1092 Jjfkmdlg.exe 44 PID 1092 wrote to memory of 1384 1092 Jjfkmdlg.exe 44 PID 1092 wrote to memory of 1384 1092 Jjfkmdlg.exe 44 PID 1384 wrote to memory of 2052 1384 Jjhgbd32.exe 45 PID 1384 wrote to memory of 2052 1384 Jjhgbd32.exe 45 PID 1384 wrote to memory of 2052 1384 Jjhgbd32.exe 45 PID 1384 wrote to memory of 2052 1384 Jjhgbd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe"C:\Users\Admin\AppData\Local\Temp\5394595079355a24f9682fb8e06e8e303a47ed909f318bec5a0012fb9b3fcd70N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Hklhae32.exeC:\Windows\system32\Hklhae32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Hcgmfgfd.exeC:\Windows\system32\Hcgmfgfd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Hiioin32.exeC:\Windows\system32\Hiioin32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ikgkei32.exeC:\Windows\system32\Ikgkei32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Ikldqile.exeC:\Windows\system32\Ikldqile.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Ijcngenj.exeC:\Windows\system32\Ijcngenj.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Jjfkmdlg.exeC:\Windows\system32\Jjfkmdlg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Keioca32.exeC:\Windows\system32\Keioca32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Kadica32.exeC:\Windows\system32\Kadica32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Kageia32.exeC:\Windows\system32\Kageia32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Lmpcca32.exeC:\Windows\system32\Lmpcca32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Lhiddoph.exeC:\Windows\system32\Lhiddoph.exe33⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe35⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe36⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Lklikj32.exeC:\Windows\system32\Lklikj32.exe37⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe38⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe39⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe40⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe41⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe43⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe46⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe50⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe51⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe52⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe53⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe55⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe56⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:332 -
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe59⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe60⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe61⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe62⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe65⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe66⤵PID:1004
-
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe67⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe68⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe70⤵PID:2668
-
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe71⤵PID:3048
-
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe72⤵PID:2544
-
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe73⤵PID:2124
-
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe74⤵PID:1988
-
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:484 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe76⤵PID:1252
-
C:\Windows\SysWOW64\Omphocck.exeC:\Windows\system32\Omphocck.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe78⤵PID:2328
-
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe79⤵PID:1628
-
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe80⤵PID:276
-
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe82⤵PID:1788
-
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe83⤵PID:1776
-
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe86⤵PID:1604
-
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe90⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe91⤵
- System Location Discovery: System Language Discovery
PID:320 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe93⤵PID:852
-
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe94⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe95⤵PID:1536
-
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe96⤵PID:1728
-
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe97⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe98⤵PID:796
-
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe99⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe100⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe101⤵PID:2068
-
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe103⤵PID:2688
-
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe104⤵PID:2140
-
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe105⤵PID:2384
-
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe106⤵PID:2860
-
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe108⤵
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe110⤵PID:976
-
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe111⤵PID:1856
-
C:\Windows\SysWOW64\Abhlak32.exeC:\Windows\system32\Abhlak32.exe112⤵PID:588
-
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe113⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe114⤵PID:696
-
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe115⤵PID:2924
-
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe116⤵PID:2612
-
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe119⤵PID:1360
-
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe120⤵PID:3044
-
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe121⤵PID:2120
-
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe122⤵
- Drops file in System32 directory
PID:2240