Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 18:57
Static task
static1
Behavioral task
behavioral1
Sample
c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe
Resource
win10v2004-20241007-en
General
-
Target
c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe
-
Size
96KB
-
MD5
33a143bd0956dcb6eddb6fef60d65f4c
-
SHA1
b4c359334756b104f2dd682a3563506d71600a83
-
SHA256
c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f
-
SHA512
3a2df9e26d97e70c52d5202e4ccbd5d306a0e735b07cc2b344500b8d223b695b6f5517fd20047b38fa9c5431f3ccaa591c3fdf450e012a8abda5b1f14d454ad0
-
SSDEEP
1536:6nQm4PK4iGyOnBaHiLU82JR+IbFFfUN1Avhw6JCMt:6nQmFGyc4Cm+IbFFfUrQlM2
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Eblpgjha.exeOjhpimhp.exeAoabad32.exeAojlaeei.exeCofecami.exeMgaokl32.exeHoobdp32.exePifnhpmi.exeBbdhiojo.exeBbgeno32.exeFllkqn32.exeHdjbiheb.exeKqdaadln.exeMkohaj32.exeDflfac32.exeOhiemobf.exeAmnlme32.exeIefgbh32.exeFimodc32.exeHibafp32.exeLqbncb32.exeAolblopj.exeBojomm32.exeEofgpikj.exeFbbpmb32.exePhganm32.exeDckdjomg.exeMjahlgpf.exeKjblje32.exeMjaabq32.exeBmabggdm.exeDkfadkgf.exeKgkfnh32.exePeahgl32.exeOjigdcll.exeDngjff32.exeAagkhd32.exeCponen32.exeMalgcg32.exeHpabni32.exeNfaemp32.exeLjkifn32.exeIinjhh32.exeIgajal32.exeLnadagbm.exePkgcea32.exeHfhgkmpj.exeMgphpe32.exeQhhpop32.exeAaiimadl.exeDpdaepai.exeHmnmgnoh.exeIngpmmgm.exeJgkdbacp.exeMmnhcb32.exeDnpdegjp.exeHlepcdoa.exeCjnffjkl.exeJlgepanl.exeLomqcjie.exeMfeeabda.exeIlnbicff.exeCdnmfclj.exeGflhoo32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoabad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojlaeei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoobdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdhiojo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgeno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdjbiheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqdaadln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflfac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiemobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefgbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibafp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bojomm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phganm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjblje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaabq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peahgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigdcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngjff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpabni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfaemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljkifn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igajal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnadagbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkgcea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkdbacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlepcdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gflhoo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Ljkifn32.exeMbbagk32.exeMaeachag.exeMilidebi.exeMlkepaam.exeMjneln32.exeMbenmk32.exeMecjif32.exeMjpbam32.exeMbgjbkfg.exeMhdckaeo.exeMjbogmdb.exeMalgcg32.exeMicoed32.exeMlbkap32.exeMblcnj32.exeMhilfa32.exeNobdbkhf.exeNaaqofgj.exeNihipdhl.exeNlfelogp.exeNbqmiinl.exeNacmdf32.exeNhmeapmd.exeNklbmllg.exeNognnj32.exeNafjjf32.exeNknobkje.exeNojjcj32.exeNahgoe32.exeNhbolp32.exeNbgcih32.exeNefped32.exeNhdlao32.exeOkchnk32.exeObjpoh32.exeOehlkc32.exeOlbdhn32.exeOkedcjcm.exeOaompd32.exeOhiemobf.exeOldamm32.exeOboijgbl.exeOemefcap.exePefhlaie.exePlpqil32.exePoomegpf.exePamiaboj.exePhganm32.exePoajkgnc.exePapfgbmg.exePifnhpmi.exePhincl32.exePocfpf32.exePemomqcn.exeQhlkilba.exeQkjgegae.exeQofcff32.exeQcaofebg.exeQikgco32.exeQaflgago.exeAllpejfe.exeAojlaeei.exeAaiimadl.exepid Process 2844 Ljkifn32.exe 4424 Mbbagk32.exe 4432 Maeachag.exe 3964 Milidebi.exe 2444 Mlkepaam.exe 4284 Mjneln32.exe 4756 Mbenmk32.exe 4440 Mecjif32.exe 2840 Mjpbam32.exe 4368 Mbgjbkfg.exe 1744 Mhdckaeo.exe 2944 Mjbogmdb.exe 4476 Malgcg32.exe 4296 Micoed32.exe 1472 Mlbkap32.exe 4452 Mblcnj32.exe 2332 Mhilfa32.exe 4176 Nobdbkhf.exe 116 Naaqofgj.exe 4044 Nihipdhl.exe 1000 Nlfelogp.exe 4456 Nbqmiinl.exe 1628 Nacmdf32.exe 2388 Nhmeapmd.exe 4724 Nklbmllg.exe 4412 Nognnj32.exe 3120 Nafjjf32.exe 4660 Nknobkje.exe 4984 Nojjcj32.exe 3636 Nahgoe32.exe 972 Nhbolp32.exe 1268 Nbgcih32.exe 2672 Nefped32.exe 1968 Nhdlao32.exe 1712 Okchnk32.exe 4336 Objpoh32.exe 4944 Oehlkc32.exe 3664 Olbdhn32.exe 3680 Okedcjcm.exe 5084 Oaompd32.exe 4148 Ohiemobf.exe 5088 Oldamm32.exe 2600 Oboijgbl.exe 4520 Oemefcap.exe 5036 Pefhlaie.exe 1732 Plpqil32.exe 4068 Poomegpf.exe 324 Pamiaboj.exe 4548 Phganm32.exe 1760 Poajkgnc.exe 976 Papfgbmg.exe 2808 Pifnhpmi.exe 3840 Phincl32.exe 840 Pocfpf32.exe 3400 Pemomqcn.exe 3864 Qhlkilba.exe 4112 Qkjgegae.exe 4304 Qofcff32.exe 5100 Qcaofebg.exe 3608 Qikgco32.exe 440 Qaflgago.exe 4996 Allpejfe.exe 3776 Aojlaeei.exe 1684 Aaiimadl.exe -
Drops file in System32 directory 64 IoCs
Processes:
Aopemh32.exeBklomh32.exeCocjiehd.exeCofecami.exeOfmdio32.exeKeimof32.exeLomqcjie.exeNihipdhl.exeAleckinj.exeFflohaij.exeJmeede32.exeNnhmnn32.exeDdjmba32.exeDbnmke32.exeGmfplibd.exePfoann32.exeNefped32.exeMminhceb.exeNopfpgip.exeCfbcke32.exeEmoadlfo.exeIlqoobdd.exeMjjkaabc.exeDfgcakon.exeJqknkedi.exeHibjli32.exeQjfmkk32.exeBkafmd32.exeCleegp32.exeIpmbjgpi.exeNjfagf32.exeAekddhcb.exeJedccfqg.exeKcidmkpq.exeCijpahho.exeFbcfhibj.exeGemkelcd.exeBljlfh32.exeJpdhkf32.exeOcjoadei.exeKcpjnjii.exeOjajin32.exeDgcihgaj.exeBkoigdom.exeMglfplgk.exeEnkdaepb.exeOpqofe32.exeGfheof32.exeKdigadjo.exeOelolmnd.exeHfcnpn32.exeKnenkbio.exeBmabggdm.exeCihclh32.exeIefgbh32.exeLggejg32.exePapfgbmg.exeKjhloj32.exeHgmgqc32.exeDflmlj32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Apaadpng.exe Aopemh32.exe File created C:\Windows\SysWOW64\Ebggoi32.dll Bklomh32.exe File created C:\Windows\SysWOW64\Caageq32.exe Cocjiehd.exe File opened for modification C:\Windows\SysWOW64\Ccbadp32.exe Cofecami.exe File opened for modification C:\Windows\SysWOW64\Ojhpimhp.exe Ofmdio32.exe File created C:\Windows\SysWOW64\Nkbjmj32.dll Keimof32.exe File created C:\Windows\SysWOW64\Lfgipd32.exe Lomqcjie.exe File created C:\Windows\SysWOW64\Mcdibc32.dll Cocjiehd.exe File opened for modification C:\Windows\SysWOW64\Nlfelogp.exe Nihipdhl.exe File created C:\Windows\SysWOW64\Achnlqjp.dll Aleckinj.exe File opened for modification C:\Windows\SysWOW64\Feoodn32.exe Fflohaij.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jmeede32.exe File created C:\Windows\SysWOW64\Gmbjqfjb.dll Nnhmnn32.exe File created C:\Windows\SysWOW64\Ongbqjjf.dll Ddjmba32.exe File created C:\Windows\SysWOW64\Gahamgib.dll Dbnmke32.exe File created C:\Windows\SysWOW64\Gpelhd32.exe Gmfplibd.exe File created C:\Windows\SysWOW64\Omfmcjlk.dll Pfoann32.exe File opened for modification C:\Windows\SysWOW64\Nhdlao32.exe Nefped32.exe File created C:\Windows\SysWOW64\Fngjep32.dll Mminhceb.exe File opened for modification C:\Windows\SysWOW64\Nggnadib.exe Nopfpgip.exe File created C:\Windows\SysWOW64\Bgfeip32.dll Cfbcke32.exe File created C:\Windows\SysWOW64\Eblimcdf.exe Emoadlfo.exe File created C:\Windows\SysWOW64\Kiodpebj.dll Ilqoobdd.exe File created C:\Windows\SysWOW64\Mqdcnl32.exe Mjjkaabc.exe File created C:\Windows\SysWOW64\Difpmfna.exe Dfgcakon.exe File created C:\Windows\SysWOW64\Bhhqlkph.dll Jqknkedi.exe File created C:\Windows\SysWOW64\Hlpfhe32.exe Hibjli32.exe File opened for modification C:\Windows\SysWOW64\Qmeigg32.exe Qjfmkk32.exe File created C:\Windows\SysWOW64\Aqdjon32.dll Bkafmd32.exe File opened for modification C:\Windows\SysWOW64\Cocacl32.exe Cleegp32.exe File created C:\Windows\SysWOW64\Okbcgopo.dll Ipmbjgpi.exe File opened for modification C:\Windows\SysWOW64\Nnbnhedj.exe Njfagf32.exe File created C:\Windows\SysWOW64\Ahippdbe.exe Aekddhcb.exe File opened for modification C:\Windows\SysWOW64\Jnlkedai.exe Jedccfqg.exe File created C:\Windows\SysWOW64\Mglpdp32.dll Kcidmkpq.exe File created C:\Windows\SysWOW64\Micoommd.dll Cijpahho.exe File created C:\Windows\SysWOW64\Fimodc32.exe Fbcfhibj.exe File created C:\Windows\SysWOW64\Hiaafn32.dll Gemkelcd.exe File created C:\Windows\SysWOW64\Bbgeno32.exe Bljlfh32.exe File opened for modification C:\Windows\SysWOW64\Jdodkebj.exe Jpdhkf32.exe File created C:\Windows\SysWOW64\Ojdgnn32.exe Ocjoadei.exe File opened for modification C:\Windows\SysWOW64\Kgkfnh32.exe Kcpjnjii.exe File opened for modification C:\Windows\SysWOW64\Oakbehfe.exe Ojajin32.exe File created C:\Windows\SysWOW64\Dllfqd32.dll Dgcihgaj.exe File created C:\Windows\SysWOW64\Fdflahpe.dll Bkoigdom.exe File created C:\Windows\SysWOW64\Ejnocehc.dll Mglfplgk.exe File created C:\Windows\SysWOW64\Emmdom32.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Dgegjnih.dll Opqofe32.exe File created C:\Windows\SysWOW64\Gjdaodja.exe Gfheof32.exe File created C:\Windows\SysWOW64\Fbihneaj.dll Kdigadjo.exe File created C:\Windows\SysWOW64\Kkconn32.exe Kdigadjo.exe File created C:\Windows\SysWOW64\Jhghaf32.dll Oelolmnd.exe File created C:\Windows\SysWOW64\Hibjli32.exe Hfcnpn32.exe File opened for modification C:\Windows\SysWOW64\Kofkbk32.exe Knenkbio.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Bmabggdm.exe File opened for modification C:\Windows\SysWOW64\Cobkhb32.exe Cihclh32.exe File created C:\Windows\SysWOW64\Chflphjh.dll Iefgbh32.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lggejg32.exe File created C:\Windows\SysWOW64\Pifnhpmi.exe Papfgbmg.exe File created C:\Windows\SysWOW64\Kmfhkf32.exe Kjhloj32.exe File created C:\Windows\SysWOW64\Ingpmmgm.exe Hgmgqc32.exe File opened for modification C:\Windows\SysWOW64\Bbgeno32.exe Bljlfh32.exe File created C:\Windows\SysWOW64\Dikihe32.exe Dflmlj32.exe File opened for modification C:\Windows\SysWOW64\Hibjli32.exe Hfcnpn32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 13828 13620 WerFault.exe 715 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nhmeapmd.exeOkchnk32.exeNjmhhefi.exeDojqjdbl.exeMlbkap32.exeAbbkcpma.exeBjpjel32.exeNmenca32.exeEmhkdmlg.exeJcmdaljn.exeApodoq32.exeAleckinj.exeGfkbde32.exeDbicpfdk.exeEbdcld32.exeNopfpgip.exeAlqjpi32.exeAdfnofpd.exeEmmdom32.exePaeelgnj.exeCgnomg32.exePefhlaie.exeIknmla32.exeBoihcf32.exeAllpejfe.exeDfefkkqp.exeDfgcakon.exeOjbacd32.exeQemhbj32.exeKcmmhj32.exePfoann32.exeFdglmkeg.exeMgehfkop.exeDokgdkeh.exePaiogf32.exeBdojjo32.exeLjkifn32.exeLqikmc32.exeOakbehfe.exeIlafiihp.exeCbbnpg32.exeDngjff32.exeMmkdcm32.exeOmdppiif.exeDflmlj32.exeHpabni32.exeCfbcke32.exeFpimlfke.exeIfmqfm32.exeQmgelf32.exeCkebcg32.exeMlkepaam.exePifnhpmi.exeDkbocbog.exeEiaoid32.exeHdhedh32.exeLcnmin32.exeKcpjnjii.exeMnmmboed.exeAfinioip.exeCcbadp32.exeCcgjopal.exeMnpabe32.exeFmkqpkla.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmeapmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojqjdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbkcpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmenca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emhkdmlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdcld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfnofpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paeelgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnomg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefhlaie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boihcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allpejfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfefkkqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdglmkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokgdkeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkifn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqikmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilafiihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdppiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpabni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfbcke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmgelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkepaam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbocbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiaoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpjnjii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmmboed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afinioip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbadp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgjopal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe -
Modifies registry class 64 IoCs
Processes:
Ngjbaj32.exeOjbacd32.exeEblpgjha.exeHienlpel.exeMkhapk32.exeGflhoo32.exeJcanll32.exeBoihcf32.exeNaaqofgj.exeAaiimadl.exeJlkipgpe.exeDnpdegjp.exeGidnkkpc.exeGmfplibd.exeCihclh32.exeCofecami.exeEmmdom32.exeJmeede32.exeBhmbqm32.exePlpqil32.exeBbiado32.exeJgpmmp32.exeKcpahpmd.exeLjobpiql.exeCocacl32.exeImgicgca.exePaeelgnj.exeInlihl32.exeMqdcnl32.exePnkbkk32.exeAfinioip.exeDckdjomg.exeDbicpfdk.exeDhclmp32.exePjbcplpe.exeKmfhkf32.exeLmpkadnm.exeLomqcjie.exeMicoed32.exeBnhenj32.exeBheplb32.exeQaalblgi.exeBhnikc32.exeIgajal32.exeNpbceggm.exeOkedcjcm.exeCnahdi32.exeDokgdkeh.exeJokkgl32.exeCocjiehd.exeMlbkap32.exeFdqfll32.exeGjdaodja.exeJlgepanl.exeMgphpe32.exeLoighj32.exeOfmdio32.exeApaadpng.exeMjneln32.exePehngkcg.exeAdfnofpd.exeFfqhcq32.exeLlodgnja.exeGnepna32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngjbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhidngmn.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kideagnd.dll" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajihlijd.dll" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll" Gflhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naaqofgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaiimadl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnpdegjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dibkjmof.dll" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhhmmcaa.dll" Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll" Emmdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmeede32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhmbqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plpqil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbiado32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgjlnfh.dll" Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll" Pjbcplpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekeodnf.dll" Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll" Lomqcjie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Micoed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bheplb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Bhnikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npbceggm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnahdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jokkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" Mlbkap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgflaec.dll" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll" Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfoeejd.dll" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" Apaadpng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjneln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pehngkcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkccgodj.dll" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnepna32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exeLjkifn32.exeMbbagk32.exeMaeachag.exeMilidebi.exeMlkepaam.exeMjneln32.exeMbenmk32.exeMecjif32.exeMjpbam32.exeMbgjbkfg.exeMhdckaeo.exeMjbogmdb.exeMalgcg32.exeMicoed32.exeMlbkap32.exeMblcnj32.exeMhilfa32.exeNobdbkhf.exeNaaqofgj.exeNihipdhl.exeNlfelogp.exedescription pid Process procid_target PID 4080 wrote to memory of 2844 4080 c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe 84 PID 4080 wrote to memory of 2844 4080 c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe 84 PID 4080 wrote to memory of 2844 4080 c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe 84 PID 2844 wrote to memory of 4424 2844 Ljkifn32.exe 85 PID 2844 wrote to memory of 4424 2844 Ljkifn32.exe 85 PID 2844 wrote to memory of 4424 2844 Ljkifn32.exe 85 PID 4424 wrote to memory of 4432 4424 Mbbagk32.exe 86 PID 4424 wrote to memory of 4432 4424 Mbbagk32.exe 86 PID 4424 wrote to memory of 4432 4424 Mbbagk32.exe 86 PID 4432 wrote to memory of 3964 4432 Maeachag.exe 87 PID 4432 wrote to memory of 3964 4432 Maeachag.exe 87 PID 4432 wrote to memory of 3964 4432 Maeachag.exe 87 PID 3964 wrote to memory of 2444 3964 Milidebi.exe 89 PID 3964 wrote to memory of 2444 3964 Milidebi.exe 89 PID 3964 wrote to memory of 2444 3964 Milidebi.exe 89 PID 2444 wrote to memory of 4284 2444 Mlkepaam.exe 90 PID 2444 wrote to memory of 4284 2444 Mlkepaam.exe 90 PID 2444 wrote to memory of 4284 2444 Mlkepaam.exe 90 PID 4284 wrote to memory of 4756 4284 Mjneln32.exe 91 PID 4284 wrote to memory of 4756 4284 Mjneln32.exe 91 PID 4284 wrote to memory of 4756 4284 Mjneln32.exe 91 PID 4756 wrote to memory of 4440 4756 Mbenmk32.exe 92 PID 4756 wrote to memory of 4440 4756 Mbenmk32.exe 92 PID 4756 wrote to memory of 4440 4756 Mbenmk32.exe 92 PID 4440 wrote to memory of 2840 4440 Mecjif32.exe 93 PID 4440 wrote to memory of 2840 4440 Mecjif32.exe 93 PID 4440 wrote to memory of 2840 4440 Mecjif32.exe 93 PID 2840 wrote to memory of 4368 2840 Mjpbam32.exe 94 PID 2840 wrote to memory of 4368 2840 Mjpbam32.exe 94 PID 2840 wrote to memory of 4368 2840 Mjpbam32.exe 94 PID 4368 wrote to memory of 1744 4368 Mbgjbkfg.exe 95 PID 4368 wrote to memory of 1744 4368 Mbgjbkfg.exe 95 PID 4368 wrote to memory of 1744 4368 Mbgjbkfg.exe 95 PID 1744 wrote to memory of 2944 1744 Mhdckaeo.exe 96 PID 1744 wrote to memory of 2944 1744 Mhdckaeo.exe 96 PID 1744 wrote to memory of 2944 1744 Mhdckaeo.exe 96 PID 2944 wrote to memory of 4476 2944 Mjbogmdb.exe 97 PID 2944 wrote to memory of 4476 2944 Mjbogmdb.exe 97 PID 2944 wrote to memory of 4476 2944 Mjbogmdb.exe 97 PID 4476 wrote to memory of 4296 4476 Malgcg32.exe 98 PID 4476 wrote to memory of 4296 4476 Malgcg32.exe 98 PID 4476 wrote to memory of 4296 4476 Malgcg32.exe 98 PID 4296 wrote to memory of 1472 4296 Micoed32.exe 100 PID 4296 wrote to memory of 1472 4296 Micoed32.exe 100 PID 4296 wrote to memory of 1472 4296 Micoed32.exe 100 PID 1472 wrote to memory of 4452 1472 Mlbkap32.exe 101 PID 1472 wrote to memory of 4452 1472 Mlbkap32.exe 101 PID 1472 wrote to memory of 4452 1472 Mlbkap32.exe 101 PID 4452 wrote to memory of 2332 4452 Mblcnj32.exe 102 PID 4452 wrote to memory of 2332 4452 Mblcnj32.exe 102 PID 4452 wrote to memory of 2332 4452 Mblcnj32.exe 102 PID 2332 wrote to memory of 4176 2332 Mhilfa32.exe 103 PID 2332 wrote to memory of 4176 2332 Mhilfa32.exe 103 PID 2332 wrote to memory of 4176 2332 Mhilfa32.exe 103 PID 4176 wrote to memory of 116 4176 Nobdbkhf.exe 104 PID 4176 wrote to memory of 116 4176 Nobdbkhf.exe 104 PID 4176 wrote to memory of 116 4176 Nobdbkhf.exe 104 PID 116 wrote to memory of 4044 116 Naaqofgj.exe 105 PID 116 wrote to memory of 4044 116 Naaqofgj.exe 105 PID 116 wrote to memory of 4044 116 Naaqofgj.exe 105 PID 4044 wrote to memory of 1000 4044 Nihipdhl.exe 106 PID 4044 wrote to memory of 1000 4044 Nihipdhl.exe 106 PID 4044 wrote to memory of 1000 4044 Nihipdhl.exe 106 PID 1000 wrote to memory of 4456 1000 Nlfelogp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe"C:\Users\Admin\AppData\Local\Temp\c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe23⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe24⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe26⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe27⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe28⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe29⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe30⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe31⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe32⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe33⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe35⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe37⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe38⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe39⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe41⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe43⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe44⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe45⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe48⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe49⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe51⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe54⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe55⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe56⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe57⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe58⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe59⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe60⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe61⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe62⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe66⤵PID:2612
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe67⤵PID:1800
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe68⤵PID:1956
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe69⤵PID:4752
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe71⤵PID:728
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe73⤵PID:3540
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:524 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe75⤵PID:2588
-
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe77⤵
- System Location Discovery: System Language Discovery
PID:4956 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe78⤵PID:1552
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe79⤵PID:3532
-
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4052 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe81⤵PID:1984
-
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe82⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4992 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe84⤵PID:3560
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe85⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe86⤵
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe87⤵
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe88⤵
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe90⤵PID:708
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe91⤵PID:2008
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe93⤵PID:3032
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe94⤵PID:5136
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe95⤵PID:5188
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe96⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe97⤵PID:5320
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe98⤵PID:5388
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe99⤵PID:5440
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe100⤵PID:5488
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe101⤵PID:5520
-
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe102⤵PID:5576
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5668 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe105⤵PID:5728
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe106⤵PID:5772
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe107⤵PID:5816
-
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5856 -
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe109⤵PID:5900
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe110⤵
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Windows\SysWOW64\Dfefkkqp.exeC:\Windows\system32\Dfefkkqp.exe111⤵
- System Location Discovery: System Language Discovery
PID:5980 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe112⤵
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe113⤵PID:6064
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6104 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe115⤵PID:5152
-
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe116⤵PID:5212
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe118⤵PID:5436
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe119⤵PID:1164
-
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5572 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe121⤵PID:5632
-
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-