Analysis
  max time kernel: 89s
  max time network: 19s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 13-11-2024 18:56
Static task: static1

Behavioral task: behavioral1
  Sample: 8c9513061433e59556e9672c2fe97c6393560b0e95d5609e517c768c9d786e95.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 8c9513061433e59556e9672c2fe97c6393560b0e95d5609e517c768c9d786e95.exe
  Resource: win10v2004-20241007-en
General
  Target: 8c9513061433e59556e9672c2fe97c6393560b0e95d5609e517c768c9d786e95.exe
  Size: 240KB
  MD5: 4cf5d8513d95d7c4ebbedd94ad3175d9
  SHA1: 980a2b9fe65fe3e76fb0294b21d604ba17723dd0
  SHA256: 8c9513061433e59556e9672c2fe97c6393560b0e95d5609e517c768c9d786e95
  SHA512: 25534b75f07c169f146ba28a3012d888c450d82b3b5db952fd8eab69da7c980f876cf2411775910f8bfa4c4b0721fb8ed281e2b9e19e661e1f1ac06004fda6b3
  SSDEEP: 6144:L75goh2e6RGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEAT:XnIGyXu1jGG1wsGeBgRTGAT
Malware Config
  Extracted family: berbew
  URLs:
    http://f/wcmd.htm
    http://f/ppslog.php
    http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
IoCs (description / ioc / process):
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (35 entries)
    by: Llhocfnb.exe, Cenmfbml.exe, Eodknifb.exe, Fbjchfaq.exe, Ehgaknbp.exe, Cgjhkpbj.exe, Cbagdq32.exe, Oicbma32.exe, Ehdpcahk.exe, Mnqdpj32.exe, Egbffj32.exe, Cnnimkom.exe, Khojcj32.exe, Eeeanm32.exe, Lilfgq32.exe, Enepnoji.exe, Kacakgip.exe, Fgffck32.exe, Cldolj32.exe, Lhimji32.exe, Oecnkk32.exe, Dajiok32.exe, Bgnaekil.exe, Pmjaadjm.exe, Fpfkhbon.exe, Opkpme32.exe, Hhaanh32.exe, Fqhclqnc.exe, Gfggbcdg.exe, Fichqckn.exe, Agonig32.exe, Magdam32.exe, Gfdaid32.exe, Nilpmo32.exe, Kppldhla.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (29 entries)
    by: Fmbkfd32.exe, Ooidei32.exe, Iimenapo.exe, Bfpkfb32.exe, Mnqdpj32.exe, Mcaafk32.exe, Ghgjflof.exe, Mcghajkq.exe, Pedmbg32.exe, Jlgcncli.exe, Chdjpl32.exe, Pbomli32.exe, Kngaig32.exe, Ihlbih32.exe, Clilmbhd.exe, Iopeoknn.exe, Ainmlomf.exe, Olgpff32.exe, Jffhec32.exe, Kjdpcnfi.exe, Ogliemkk.exe, Mmjomogn.exe, Fqhclqnc.exe, Aogmdk32.exe, Bohoogbk.exe, Jfigdl32.exe, Clkicbfa.exe, Feeilbhg.exe, Bhfhnofg.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid / process:
  1636 Mkcplien.exe
  2740 Mfmqmgbm.exe
  2720 Mcaafk32.exe
  2860 Nkaoemjm.exe
  2800 Ngjlpmnn.exe
  1300 Ogliemkk.exe
  1240 Oibohdmd.exe
  2032 Olchjp32.exe
  944 Pbomli32.exe
  436 Pnkglj32.exe
  1264 Pfhhflmg.exe
  2428 Qbafalph.exe
  2116 Apefjqob.exe
  2144 Alodeacc.exe
  2412 Alaqjaaa.exe
  1980 Bikjmj32.exe
  1760 Bedhgj32.exe
  1536 Bjembh32.exe
  1036 Cfknhi32.exe
  704 Cngcll32.exe
  824 Cbdkbjkl.exe
  2392 Cnnimkom.exe
  548 Dgfmep32.exe
  1308 Docopbaf.exe
  1792 Deeqch32.exe
  1580 Eldbkbop.exe
  2752 Ecogodlk.exe
  2844 Fjnignob.exe
  2648 Fdfmpc32.exe
  2748 Fpmned32.exe
  2632 Fapgblob.exe
  1804 Gdcmig32.exe
  2956 Gmlablaa.exe
  2280 Gkbnap32.exe
  1052 Geloanjg.exe
  2680 Hcblqb32.exe
  524 Hkmaed32.exe
  2128 Hhaanh32.exe
  2208 Honfqb32.exe
  2140 Hgiked32.exe
  2508 Iqapnjli.exe
  1748 Imhqbkbm.exe
  1776 Ijlaloaf.exe
  2152 Icdeee32.exe
  772 Icfbkded.exe
  1932 Imogcj32.exe
  2476 Iejkhlip.exe
  1336 Joppeeif.exe
  1660 Jgkdigfa.exe
  2848 Jnemfa32.exe
  2744 Jjlmkb32.exe
  2620 Jaeehmko.exe
  2660 Jnifaajh.exe
  2596 Jjpgfbom.exe
  1676 Kgdgpfnf.exe
  2936 Kppldhla.exe
  780 Kmclmm32.exe
  1428 Kmficl32.exe
  2168 Khojcj32.exe
  1984 Kaholp32.exe
  1380 Lbgkfbbj.exe
  880 Lkbpke32.exe
  2112 Lhfpdi32.exe
  1556 Lhimji32.exe
Loads dropped DLL (64 IoCs)
pid / process (each of the 32 processes below is listed twice in the report):
  3044 8c9513061433e59556e9672c2fe97c6393560b0e95d5609e517c768c9d786e95.exe
  1636 Mkcplien.exe
  2740 Mfmqmgbm.exe
  2720 Mcaafk32.exe
  2860 Nkaoemjm.exe
  2800 Ngjlpmnn.exe
  1300 Ogliemkk.exe
  1240 Oibohdmd.exe
  2032 Olchjp32.exe
  944 Pbomli32.exe
  436 Pnkglj32.exe
  1264 Pfhhflmg.exe
  2428 Qbafalph.exe
  2116 Apefjqob.exe
  2144 Alodeacc.exe
  2412 Alaqjaaa.exe
  1980 Bikjmj32.exe
  1760 Bedhgj32.exe
  1536 Bjembh32.exe
  1036 Cfknhi32.exe
  704 Cngcll32.exe
  824 Cbdkbjkl.exe
  2392 Cnnimkom.exe
  548 Dgfmep32.exe
  1308 Docopbaf.exe
  1792 Deeqch32.exe
  1580 Eldbkbop.exe
  2752 Ecogodlk.exe
  2844 Fjnignob.exe
  2648 Fdfmpc32.exe
  2748 Fpmned32.exe
  2632 Fapgblob.exe
Drops file in System32 directory (64 IoCs)
IoCs (description / ioc / process):
  File created                  C:\Windows\SysWOW64\Maflig32.dll    Jgkdigfa.exe
  File opened for modification  C:\Windows\SysWOW64\Lckflc32.exe    Lnnndl32.exe
  File created                  C:\Windows\SysWOW64\Nhnemdbf.exe    Mhkhgd32.exe
  File opened for modification  C:\Windows\SysWOW64\Cikbjpqd.exe    Cbajme32.exe
  File created                  C:\Windows\SysWOW64\Hffjng32.exe    Hjoiiffo.exe
  File created                  C:\Windows\SysWOW64\Jafmngde.exe    Jfpmifoa.exe
  File created                  C:\Windows\SysWOW64\Lqnmhm32.dll    Kngaig32.exe
  File created                  C:\Windows\SysWOW64\Lfdbcing.exe    Lojjfo32.exe
  File opened for modification  C:\Windows\SysWOW64\Jdbfjm32.exe    Jemiiqmh.exe
  File created                  C:\Windows\SysWOW64\Aokdfe32.dll    Obniel32.exe
  File created                  C:\Windows\SysWOW64\Gledgkfn.exe    Fpncbjqj.exe
  File opened for modification  C:\Windows\SysWOW64\Dgfmep32.exe    Cnnimkom.exe
  File opened for modification  C:\Windows\SysWOW64\Pcqebd32.exe    Pncljmko.exe
  File created                  C:\Windows\SysWOW64\Ehbcnajn.exe    Ebekej32.exe
  File created                  C:\Windows\SysWOW64\Opdnaj32.dll    Ggphji32.exe
  File opened for modification  C:\Windows\SysWOW64\Pppihdha.exe    Pblinp32.exe
  File created                  C:\Windows\SysWOW64\Abldll32.dll    Ammoel32.exe
  File created                  C:\Windows\SysWOW64\Akmbepcb.dll    Fpcblkje.exe
  File created                  C:\Windows\SysWOW64\Egedlo32.dll    Bglghdbc.exe
  File created                  C:\Windows\SysWOW64\Chjmmnnb.exe    Cobhdhha.exe
  File created                  C:\Windows\SysWOW64\Iekbmfdc.exe    Iclfccmq.exe
  File opened for modification  C:\Windows\SysWOW64\Apglgfde.exe    Abbknb32.exe
  File created                  C:\Windows\SysWOW64\Egqcce32.dll    Lbojjq32.exe
  File opened for modification  C:\Windows\SysWOW64\Cimooo32.exe    Cikbjpqd.exe
  File opened for modification  C:\Windows\SysWOW64\Jafmngde.exe    Jfpmifoa.exe
  File created                  C:\Windows\SysWOW64\Ebemnc32.exe    Eeameodq.exe
  File opened for modification  C:\Windows\SysWOW64\Fblljhbo.exe    Fichqckn.exe
  File created                  C:\Windows\SysWOW64\Jcgqbq32.exe    Jdadadkl.exe
  File created                  C:\Windows\SysWOW64\Laackgka.exe    Lcncbc32.exe
  File opened for modification  C:\Windows\SysWOW64\Afcbgd32.exe    Alknnodh.exe
  File created                  C:\Windows\SysWOW64\Ppbfmdfo.exe    Pfjbdn32.exe
  File opened for modification  C:\Windows\SysWOW64\Lidilk32.exe    Lchqcd32.exe
  File opened for modification  C:\Windows\SysWOW64\Ehinpnpm.exe    Ehgaknbp.exe
  File created                  C:\Windows\SysWOW64\Bjnqffod.dll    Fhcjilcb.exe
  File opened for modification  C:\Windows\SysWOW64\Imfeip32.exe    Iflmlfcn.exe
  File opened for modification  C:\Windows\SysWOW64\Ndpmbjbk.exe    Njjieace.exe
  File opened for modification  C:\Windows\SysWOW64\Clilmbhd.exe    Cdngip32.exe
  File created                  C:\Windows\SysWOW64\Ligleljk.dll    Migbpocm.exe
  File created                  C:\Windows\SysWOW64\Fdnpephg.dll    Cfjihdcc.exe
  File created                  C:\Windows\SysWOW64\Ocdnloph.exe    Omgfdhbq.exe
  File created                  C:\Windows\SysWOW64\Gnokee32.dll    Pmkdhq32.exe
  File created                  C:\Windows\SysWOW64\Ohmalgeb.exe    Olgpff32.exe
  File created                  C:\Windows\SysWOW64\Blgeahoo.exe    Ajcldpkd.exe
  File created                  C:\Windows\SysWOW64\Gkbnap32.exe    Gmlablaa.exe
  File opened for modification  C:\Windows\SysWOW64\Cbjnqh32.exe    Cpiaipmh.exe
  File created                  C:\Windows\SysWOW64\Gfjkqg32.dll    Nmggllha.exe
  File created                  C:\Windows\SysWOW64\Nbaomf32.exe    Memncbmj.exe
  File created                  C:\Windows\SysWOW64\Dkhpfo32.exe    Doapanne.exe
  File opened for modification  C:\Windows\SysWOW64\Dflnkjhe.exe    Dbneekan.exe
  File created                  C:\Windows\SysWOW64\Cmjoaofc.exe    Cofohkgi.exe
  File created                  C:\Windows\SysWOW64\Omgfdhbq.exe    Opcejd32.exe
  File created                  C:\Windows\SysWOW64\Kneflplf.exe    Kejahn32.exe
  File created                  C:\Windows\SysWOW64\Ppgcol32.exe    Pcpbik32.exe
  File created                  C:\Windows\SysWOW64\Nokqidll.exe    Nohddd32.exe
  File created                  C:\Windows\SysWOW64\Ainmlomf.exe    Acadchoo.exe
  File opened for modification  C:\Windows\SysWOW64\Ncjbba32.exe    Nmmjjk32.exe
  File opened for modification  C:\Windows\SysWOW64\Aodnfbpm.exe    Aijfihip.exe
  File created                  C:\Windows\SysWOW64\Gajlac32.exe    Gdflgo32.exe
  File created                  C:\Windows\SysWOW64\Bedcembk.exe    Bllomg32.exe
  File created                  C:\Windows\SysWOW64\Ehdpcahk.exe    Ehbcnajn.exe
  File created                  C:\Windows\SysWOW64\Eenfifcn.dll    Aahimb32.exe
  File created                  C:\Windows\SysWOW64\Mlbpgjjo.dll    Neibanod.exe
  File created                  C:\Windows\SysWOW64\Dkjhjm32.exe    Dochelmj.exe
  File opened for modification  C:\Windows\SysWOW64\Kabngjla.exe    Kjhfjpdd.exe
Program crash (1 IoC)
  pid: 4936
  pid_target: 2764
  process: WerFault.exe
  procid_target: 928
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
IoCs: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once by each of the following 64 processes:
  Ldjmidcj.exe, Coldmfkf.exe, Phhmeehg.exe, Cbljgpja.exe, Dkhpfo32.exe, Jigagocd.exe, Ofmiea32.exe, Ncnmhajo.exe, Fichqckn.exe, Mgbcfdmo.exe, Pgodcich.exe, Gfdaid32.exe, Qjeihl32.exe, Deikhhhe.exe, Olokighn.exe, Meafpibb.exe, Baqhapdj.exe, Kikpgk32.exe, Jlkigbef.exe, Anmbje32.exe, Geaofc32.exe, Fnnobl32.exe, Gmlablaa.exe, Ggnqfgce.exe, Nmpiicdm.exe, Cfkkam32.exe, Ipimic32.exe, Nakikpin.exe, Gdkebolm.exe, Pcqebd32.exe, Dfdngl32.exe, Nbmcjc32.exe, Obopobhe.exe, Lhmjha32.exe, Kgdgpfnf.exe, Lbpolb32.exe, Kemgqm32.exe, Flmecm32.exe, Nokqidll.exe, Pabncj32.exe, Feeilbhg.exe, Ofobgc32.exe, Kabngjla.exe, Ghpkbn32.exe, Kbkgig32.exe, Fkjbpkag.exe, Kjhfjpdd.exe, Fqnfkoen.exe, Nbilhkig.exe, Pjqdjn32.exe, Elieipej.exe, Dgkiih32.exe, Bpkqfdmp.exe, Hbpmbndm.exe, Oebffm32.exe, Pnnmeh32.exe, Eqamla32.exe, Bedcembk.exe, Bqambacb.exe, Cdngip32.exe, Mmmnkglp.exe, Npffaq32.exe, Kejahn32.exe, Ncdciq32.exe
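The "Adds autorun key" rows, the CLSID registration rows under "Modifies registry class" below, and the "File created" rows under "Drops file in System32 directory" are three views of one persistence chain: Explorer.exe instantiates each CLSID listed under ShellServiceObjectDelayLoad at logon, so the DLL named by that CLSID's InProcServer32 default value is what actually survives a reboot, and every relay stage re-points the same CLSID at a freshly dropped DLL in SysWOW64. The script below is an added example and not part of the sandbox report or of any sandbox tooling: it parses a handful of IoC rows copied from this page (the sample text is constructed from them), links the ShellServiceObjectDelayLoad value to the InProcServer32 DLLs registered for its CLSID, and walks the "File created" rows backwards to recover which stage dropped a given executable. The row layout it expects (description, ioc, process separated by single spaces) and the record field names are assumptions of the example.

```python
import re

# Constructed sample: nine IoC rows copied from the report above, one per line,
# in the report's "description ioc process" layout (an assumption about that layout).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhocfnb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmbkfd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iimenapo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnkglj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldepenep.dll" Kejahn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbgmkqd.dll" Mmjomogn.exe
File created C:\Windows\SysWOW64\Gkbnap32.exe Gmlablaa.exe
File created C:\Windows\SysWOW64\Ehbcnajn.exe Ebekej32.exe
File created C:\Windows\SysWOW64\Ehdpcahk.exe Ehbcnajn.exe
"""

# One regex per row type the report emits. In SET_RE, 'path' is "key\valuename";
# a key's default value shows up as a trailing backslash followed by an empty name.
SET_RE = re.compile(r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>[A-Za-z]:\\\S+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
SSODL_SUFFIX = "\\shellserviceobjectdelayload"


def parse_report(text):
    """Turn flattened IoC rows into dicts; rows that match no pattern are kept as 'unparsed'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SET_RE.match(line):
            key, name = m.group("path").rsplit("\\", 1)
            # the report doubles backslashes inside string values (C:\\Windows\\...)
            value = m.group("value").replace("\\\\", "\\")
            records.append({"kind": "set", "key": key, "name": name, "value": value, "proc": m.group("proc")})
        elif m := KEY_RE.match(line):
            records.append({"kind": "key", "key": m.group("key"), "proc": m.group("proc")})
        elif m := FILE_RE.match(line):
            records.append({"kind": "file", "op": m.group("op"), "path": m.group("path"), "proc": m.group("proc")})
        else:
            records.append({"kind": "unparsed", "raw": line})
    return records


def resolve_persistence(records):
    """Map each CLSID written under ShellServiceObjectDelayLoad to the DLL(s) registered
    as its InProcServer32, i.e. the code Explorer.exe will load at the next logon."""
    chain = {}
    for r in records:
        if r["kind"] == "set" and r["key"].lower().endswith(SSODL_SUFFIX):
            m = CLSID_RE.search(r["value"])
            if m:
                e = chain.setdefault(m.group(0).upper(), {"ssodl_name": r["name"], "set_by": [],
                                                          "inproc_dlls": {}, "threading_model": None})
                e["set_by"].append(r["proc"])
    for clsid, e in chain.items():
        suffix = f"\\clsid\\{clsid.lower()}\\inprocserver32"
        for r in records:
            if r["kind"] != "set" or not r["key"].lower().endswith(suffix):
                continue
            if r["name"] == "":  # the key's default value is the path of the COM server DLL
                e["inproc_dlls"][r["value"]] = r["proc"]
            elif r["name"].lower() == "threadingmodel":
                e["threading_model"] = r["value"]
    return chain


def dropper_chain(records, exe_name, limit=64):
    """Follow 'File created' rows backwards: who dropped exe_name, who dropped that, and so on.
    Stops at the first stage with no recorded parent, or on a cycle."""
    created_by = {}
    for r in records:
        if r["kind"] == "file" and r["op"] == "created":
            created_by[r["path"].rsplit("\\", 1)[-1].lower()] = r["proc"]
    chain, seen = [exe_name], {exe_name.lower()}
    while len(chain) < limit:
        parent = created_by.get(chain[-1].lower())
        if parent is None or parent.lower() in seen:
            break
        chain.append(parent)
        seen.add(parent.lower())
    return chain


if __name__ == "__main__":
    recs = parse_report(SAMPLE_ROWS)
    for clsid, e in resolve_persistence(recs).items():
        print(f"SSODL '{e['ssodl_name']}' -> {clsid} (written by {', '.join(e['set_by'])})")
        for dll, proc in e["inproc_dlls"].items():
            print(f"  InProcServer32 -> {dll}  (registered by {proc}, ThreadingModel={e['threading_model']})")
    print("drop chain:", " <- ".join(dropper_chain(recs, "Ehdpcahk.exe")))
```

On a full report, paste the three IoC sections into SAMPLE_ROWS (or read them from a file) and the resolved inproc_dlls paths become the host-side hunt list: a ShellServiceObjectDelayLoad value whose CLSID resolves to an unsigned DLL with a random-looking name in SysWOW64 is the indicator worth alerting on, independent of which relay stage wrote it.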
Modifies registry class (64 IoCs)
IoCs (description / ioc / process); all entries are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32:
  Key created ...\InProcServer32 (20 entries)
    by: Iimenapo.exe, Hhlaiccm.exe, Jjfmem32.exe, Ahhchk32.exe, Jghcbjll.exe, Lkhcdhmk.exe, Hgckoofa.exe, Gnoaliln.exe, Fpncbjqj.exe, Hcblqb32.exe, Nhalag32.exe, Bafkookd.exe, Ehgaknbp.exe, Pghjqlmi.exe, Ehclbpic.exe, Jnemfa32.exe, Pncljmko.exe, Fjhgidjk.exe, Lkcqfifp.exe, Bmnofp32.exe
  Set value (str) ...\InProcServer32\ThreadingModel = "Apartment" (18 entries)
    by: Pnkglj32.exe, Dgkiih32.exe, Iloilcci.exe, Pgogla32.exe, Jndflk32.exe, Dkmghe32.exe, Igcgnbim.exe, Dflnkjhe.exe, Lpodmb32.exe, Hqjfgb32.exe, Mfijfdca.exe, Ajjgei32.exe, Ebicee32.exe, Pofomolo.exe, Hqpahkmj.exe, Hklhca32.exe, Ldjmidcj.exe, Dbfaopqo.exe
  Set value (str) ...\InProcServer32\ = "<DLL path>" (19 entries; this is the key's default value, shown by the report as InProcServer32\ =)
    "C:\\Windows\\SysWow64\\Ldepenep.dll"  Kejahn32.exe
    "C:\\Windows\\SysWow64\\Gdbgmkqd.dll"  Mmjomogn.exe
    "C:\\Windows\\SysWow64\\Lbkdpgdb.dll"  Ofpmegpe.exe
    "C:\\Windows\\SysWow64\\Gchhdfem.dll"  Qjgjpi32.exe
    "C:\\Windows\\SysWow64\\Peiejhfb.dll"  Nkdndeon.exe
    "C:\\Windows\\SysWow64\\Hlkmcjlp.dll"  Mlhmkbhb.exe
    "C:\\Windows\\SysWow64\\Ihdpml32.dll"  Gnjehaio.exe
    "C:\\Windows\\SysWow64\\Jhenkpja.dll"  Cmocha32.exe
    "C:\\Windows\\SysWow64\\Nibmdpam.dll"  Dbfaopqo.exe
    "C:\\Windows\\SysWow64\\Honblmaq.dll"  Mfkebkjk.exe
    "C:\\Windows\\SysWow64\\Hhljbpfd.dll"  Nokdnail.exe
    "C:\\Windows\\SysWow64\\Jchkhe32.dll"  Goocenaa.exe
    "C:\\Windows\\SysWow64\\Pmpiei32.dll"  Lckflc32.exe
    "C:\\Windows\\SysWow64\\Jmdaehpn.dll"  Albjnplq.exe
    "C:\\Windows\\SysWow64\\Idkbii32.dll"  Pncljmko.exe
    "C:\\Windows\\SysWow64\\Hlhfem32.dll"  Fjfllm32.exe
    "C:\\Windows\\SysWow64\\Kjcjnb32.dll"  Nkaoemjm.exe
    "C:\\Windows\\SysWow64\\Bojcalcl.dll"  Cfkkam32.exe
    "C:\\Windows\\SysWow64\\Bjmgmelp.dll"  Dghjmlnm.exe
  The page is cut off after the 57th entry (a "Set value (str)" row with no ioc or process). The remaining entries, for Fpcblkje.exe, Mifmoa32.exe, Dfdngl32.exe, Dfkclf32.exe, Khcbpa32.exe, Ehgmiq32.exe and Bpnibl32.exe (named in this signature's process list), are not on the page.
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmbepcb.dll" Fpcblkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbnoj32.dll" Mifmoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoogjlk.dll" Dfdngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khcbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehgmiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpnibl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\8c9513061433e59556e9672c2fe97c6393560b0e95d5609e517c768c9d786e95.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8c9513061433e59556e9672c2fe97c6393560b0e95d5609e517c768c9d786e95.exe", tree depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 3044

C:\Windows\SysWOW64\Mkcplien.exe (command line: C:\Windows\system32\Mkcplien.exe, tree depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 1636

C:\Windows\SysWOW64\Mfmqmgbm.exe (command line: C:\Windows\system32\Mfmqmgbm.exe, tree depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2740

C:\Windows\SysWOW64\Mcaafk32.exe (command line: C:\Windows\system32\Mcaafk32.exe, tree depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2720

C:\Windows\SysWOW64\Nkaoemjm.exe (command line: C:\Windows\system32\Nkaoemjm.exe, tree depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 2860

C:\Windows\SysWOW64\Ngjlpmnn.exe (command line: C:\Windows\system32\Ngjlpmnn.exe, tree depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2800

C:\Windows\SysWOW64\Ogliemkk.exe (command line: C:\Windows\system32\Ogliemkk.exe, tree depth 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 1300

C:\Windows\SysWOW64\Oibohdmd.exe (command line: C:\Windows\system32\Oibohdmd.exe, tree depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 1240

C:\Windows\SysWOW64\Olchjp32.exe (command line: C:\Windows\system32\Olchjp32.exe, tree depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2032

C:\Windows\SysWOW64\Pbomli32.exe (command line: C:\Windows\system32\Pbomli32.exe, tree depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 944

C:\Windows\SysWOW64\Pnkglj32.exe (command line: C:\Windows\system32\Pnkglj32.exe, tree depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
- PID: 436

C:\Windows\SysWOW64\Pfhhflmg.exe (command line: C:\Windows\system32\Pfhhflmg.exe, tree depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 1264

C:\Windows\SysWOW64\Qbafalph.exe (command line: C:\Windows\system32\Qbafalph.exe, tree depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2428

C:\Windows\SysWOW64\Apefjqob.exe (command line: C:\Windows\system32\Apefjqob.exe, tree depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2116

C:\Windows\SysWOW64\Alodeacc.exe (command line: C:\Windows\system32\Alodeacc.exe, tree depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2144

C:\Windows\SysWOW64\Alaqjaaa.exe (command line: C:\Windows\system32\Alaqjaaa.exe, tree depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- PID: 2412

C:\Windows\SysWOW64\Bikjmj32.exe (command line: C:\Windows\system32\Bikjmj32.exe, tree depth 17)
- Executes dropped EXE
- Loads dropped DLL
- PID: 1980

C:\Windows\SysWOW64\Bedhgj32.exe (command line: C:\Windows\system32\Bedhgj32.exe, tree depth 18)
- Executes dropped EXE
- Loads dropped DLL
- PID: 1760

C:\Windows\SysWOW64\Bjembh32.exe (command line: C:\Windows\system32\Bjembh32.exe, tree depth 19)
- Executes dropped EXE
- Loads dropped DLL
- PID: 1536

C:\Windows\SysWOW64\Cfknhi32.exe (command line: C:\Windows\system32\Cfknhi32.exe, tree depth 20)
- Executes dropped EXE
- Loads dropped DLL
- PID: 1036

C:\Windows\SysWOW64\Cngcll32.exe (command line: C:\Windows\system32\Cngcll32.exe, tree depth 21)
- Executes dropped EXE
- Loads dropped DLL
- PID: 704

C:\Windows\SysWOW64\Cbdkbjkl.exe (command line: C:\Windows\system32\Cbdkbjkl.exe, tree depth 22)
- Executes dropped EXE
- Loads dropped DLL
- PID: 824

C:\Windows\SysWOW64\Cnnimkom.exe (command line: C:\Windows\system32\Cnnimkom.exe, tree depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- PID: 2392

C:\Windows\SysWOW64\Dgfmep32.exe (command line: C:\Windows\system32\Dgfmep32.exe, tree depth 24)
- Executes dropped EXE
- Loads dropped DLL
- PID: 548

C:\Windows\SysWOW64\Docopbaf.exe (command line: C:\Windows\system32\Docopbaf.exe, tree depth 25)
- Executes dropped EXE
- Loads dropped DLL
- PID: 1308

C:\Windows\SysWOW64\Deeqch32.exe (command line: C:\Windows\system32\Deeqch32.exe, tree depth 26)
- Executes dropped EXE
- Loads dropped DLL
- PID: 1792

C:\Windows\SysWOW64\Eldbkbop.exe (command line: C:\Windows\system32\Eldbkbop.exe, tree depth 27)
- Executes dropped EXE
- Loads dropped DLL
- PID: 1580

C:\Windows\SysWOW64\Ecogodlk.exe (command line: C:\Windows\system32\Ecogodlk.exe, tree depth 28)
- Executes dropped EXE
- Loads dropped DLL
- PID: 2752

C:\Windows\SysWOW64\Fjnignob.exe (command line: C:\Windows\system32\Fjnignob.exe, tree depth 29)
- Executes dropped EXE
- Loads dropped DLL
- PID: 2844

C:\Windows\SysWOW64\Fdfmpc32.exe (command line: C:\Windows\system32\Fdfmpc32.exe, tree depth 30)
- Executes dropped EXE
- Loads dropped DLL
- PID: 2648

C:\Windows\SysWOW64\Fpmned32.exe (command line: C:\Windows\system32\Fpmned32.exe, tree depth 31)
- Executes dropped EXE
- Loads dropped DLL
- PID: 2748

C:\Windows\SysWOW64\Fapgblob.exe (command line: C:\Windows\system32\Fapgblob.exe, tree depth 32)
- Executes dropped EXE
- Loads dropped DLL
- PID: 2632

C:\Windows\SysWOW64\Gdcmig32.exe (command line: C:\Windows\system32\Gdcmig32.exe, tree depth 33)
- Executes dropped EXE
- PID: 1804

C:\Windows\SysWOW64\Gmlablaa.exe (command line: C:\Windows\system32\Gmlablaa.exe, tree depth 34)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- PID: 2956

C:\Windows\SysWOW64\Gkbnap32.exe (command line: C:\Windows\system32\Gkbnap32.exe, tree depth 35)
- Executes dropped EXE
- PID: 2280

C:\Windows\SysWOW64\Geloanjg.exe (command line: C:\Windows\system32\Geloanjg.exe, tree depth 36)
- Executes dropped EXE
- PID: 1052

C:\Windows\SysWOW64\Hcblqb32.exe (command line: C:\Windows\system32\Hcblqb32.exe, tree depth 37)
- Executes dropped EXE
- Modifies registry class
- PID: 2680

C:\Windows\SysWOW64\Hkmaed32.exe (command line: C:\Windows\system32\Hkmaed32.exe, tree depth 38)
- Executes dropped EXE
- PID: 524

C:\Windows\SysWOW64\Hhaanh32.exe (command line: C:\Windows\system32\Hhaanh32.exe, tree depth 39)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID: 2128

C:\Windows\SysWOW64\Honfqb32.exe (command line: C:\Windows\system32\Honfqb32.exe, tree depth 40)
- Executes dropped EXE
- PID: 2208

C:\Windows\SysWOW64\Hgiked32.exe (command line: C:\Windows\system32\Hgiked32.exe, tree depth 41)
- Executes dropped EXE
- PID: 2140

C:\Windows\SysWOW64\Iqapnjli.exe (command line: C:\Windows\system32\Iqapnjli.exe, tree depth 42)
- Executes dropped EXE
- PID: 2508

C:\Windows\SysWOW64\Imhqbkbm.exe (command line: C:\Windows\system32\Imhqbkbm.exe, tree depth 43)
- Executes dropped EXE
- PID: 1748

C:\Windows\SysWOW64\Ijlaloaf.exe (command line: C:\Windows\system32\Ijlaloaf.exe, tree depth 44)
- Executes dropped EXE
- PID: 1776

C:\Windows\SysWOW64\Icdeee32.exe (command line: C:\Windows\system32\Icdeee32.exe, tree depth 45)
- Executes dropped EXE
- PID: 2152

C:\Windows\SysWOW64\Icfbkded.exe (command line: C:\Windows\system32\Icfbkded.exe, tree depth 46)
- Executes dropped EXE
- PID: 772

C:\Windows\SysWOW64\Imogcj32.exe (command line: C:\Windows\system32\Imogcj32.exe, tree depth 47)
- Executes dropped EXE
- PID: 1932

C:\Windows\SysWOW64\Iejkhlip.exe (command line: C:\Windows\system32\Iejkhlip.exe, tree depth 48)
- Executes dropped EXE
- PID: 2476

C:\Windows\SysWOW64\Joppeeif.exe (command line: C:\Windows\system32\Joppeeif.exe, tree depth 49)
- Executes dropped EXE
- PID: 1336

C:\Windows\SysWOW64\Jgkdigfa.exe (command line: C:\Windows\system32\Jgkdigfa.exe, tree depth 50)
- Executes dropped EXE
- Drops file in System32 directory
- PID: 1660

C:\Windows\SysWOW64\Jnemfa32.exe (command line: C:\Windows\system32\Jnemfa32.exe, tree depth 51)
- Executes dropped EXE
- Modifies registry class
- PID: 2848

C:\Windows\SysWOW64\Jjlmkb32.exe (command line: C:\Windows\system32\Jjlmkb32.exe, tree depth 52)
- Executes dropped EXE
- PID: 2744

C:\Windows\SysWOW64\Jaeehmko.exe (command line: C:\Windows\system32\Jaeehmko.exe, tree depth 53)
- Executes dropped EXE
- PID: 2620

C:\Windows\SysWOW64\Jnifaajh.exe (command line: C:\Windows\system32\Jnifaajh.exe, tree depth 54)
- Executes dropped EXE
- PID: 2660

C:\Windows\SysWOW64\Jjpgfbom.exe (command line: C:\Windows\system32\Jjpgfbom.exe, tree depth 55)
- Executes dropped EXE
- PID: 2596

C:\Windows\SysWOW64\Kgdgpfnf.exe (command line: C:\Windows\system32\Kgdgpfnf.exe, tree depth 56)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- PID: 1676

C:\Windows\SysWOW64\Kppldhla.exe (command line: C:\Windows\system32\Kppldhla.exe, tree depth 57)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID: 2936

C:\Windows\SysWOW64\Kmclmm32.exe (command line: C:\Windows\system32\Kmclmm32.exe, tree depth 58)
- Executes dropped EXE
- PID: 780

C:\Windows\SysWOW64\Kmficl32.exe (command line: C:\Windows\system32\Kmficl32.exe, tree depth 59)
- Executes dropped EXE
- PID: 1428

C:\Windows\SysWOW64\Khojcj32.exe (command line: C:\Windows\system32\Khojcj32.exe, tree depth 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID: 2168

C:\Windows\SysWOW64\Kaholp32.exe (command line: C:\Windows\system32\Kaholp32.exe, tree depth 61)
- Executes dropped EXE
- PID: 1984

C:\Windows\SysWOW64\Lbgkfbbj.exe (command line: C:\Windows\system32\Lbgkfbbj.exe, tree depth 62)
- Executes dropped EXE
- PID: 1380

C:\Windows\SysWOW64\Lkbpke32.exe (command line: C:\Windows\system32\Lkbpke32.exe, tree depth 63)
- Executes dropped EXE
- PID: 880

C:\Windows\SysWOW64\Lhfpdi32.exe (command line: C:\Windows\system32\Lhfpdi32.exe, tree depth 64)
- Executes dropped EXE
- PID: 2112

C:\Windows\SysWOW64\Lhimji32.exe (command line: C:\Windows\system32\Lhimji32.exe, tree depth 65)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID: 1556

C:\Windows\SysWOW64\Lpdankjg.exe (command line: C:\Windows\system32\Lpdankjg.exe, tree depth 66)
- PID: 2088

C:\Windows\SysWOW64\Lilfgq32.exe (command line: C:\Windows\system32\Lilfgq32.exe, tree depth 67)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 2568

C:\Windows\SysWOW64\Lgpfpe32.exe (command line: C:\Windows\system32\Lgpfpe32.exe, tree depth 68)
- PID: 884

C:\Windows\SysWOW64\Mmjomogn.exe (command line: C:\Windows\system32\Mmjomogn.exe, tree depth 69)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- PID: 2756

C:\Windows\SysWOW64\Mgbcfdmo.exe (command line: C:\Windows\system32\Mgbcfdmo.exe, tree depth 70)
- System Location Discovery: System Language Discovery
- PID: 2564

C:\Windows\SysWOW64\Mlolnllf.exe (command line: C:\Windows\system32\Mlolnllf.exe, tree depth 71)
- PID: 2216

C:\Windows\SysWOW64\Mhkfnlme.exe (command line: C:\Windows\system32\Mhkfnlme.exe, tree depth 72)
- PID: 2404

C:\Windows\SysWOW64\Macjgadf.exe (command line: C:\Windows\system32\Macjgadf.exe, tree depth 73)
- PID: 2808

C:\Windows\SysWOW64\Nnjklb32.exe (command line: C:\Windows\system32\Nnjklb32.exe, tree depth 74)
- PID: 2452

C:\Windows\SysWOW64\Ncgcdi32.exe (command line: C:\Windows\system32\Ncgcdi32.exe, tree depth 75)
- PID: 1268

C:\Windows\SysWOW64\Nnlhab32.exe (command line: C:\Windows\system32\Nnlhab32.exe, tree depth 76)
- PID: 2992

C:\Windows\SysWOW64\Ngeljh32.exe (command line: C:\Windows\system32\Ngeljh32.exe, tree depth 77)
- PID: 2872

C:\Windows\SysWOW64\Nopaoj32.exe (command line: C:\Windows\system32\Nopaoj32.exe, tree depth 78)
- PID: 584

C:\Windows\SysWOW64\Nbqjqehd.exe (command line: C:\Windows\system32\Nbqjqehd.exe, tree depth 79)
- PID: 3008

C:\Windows\SysWOW64\Okinik32.exe (command line: C:\Windows\system32\Okinik32.exe, tree depth 80)
- PID: 3004

C:\Windows\SysWOW64\Ofobgc32.exe (command line: C:\Windows\system32\Ofobgc32.exe, tree depth 81)
- System Location Discovery: System Language Discovery
- PID: 1992

C:\Windows\SysWOW64\Okkkoj32.exe (command line: C:\Windows\system32\Okkkoj32.exe, tree depth 82)
- PID: 564

C:\Windows\SysWOW64\Ooidei32.exe (command line: C:\Windows\system32\Ooidei32.exe, tree depth 83)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 2460

C:\Windows\SysWOW64\Odflmp32.exe (command line: C:\Windows\system32\Odflmp32.exe, tree depth 84)
- PID: 1128

C:\Windows\SysWOW64\Onoqfehp.exe (command line: C:\Windows\system32\Onoqfehp.exe, tree depth 85)
- PID: 868

C:\Windows\SysWOW64\Okbapi32.exe (command line: C:\Windows\system32\Okbapi32.exe, tree depth 86)
- PID: 2092

C:\Windows\SysWOW64\Oekehomj.exe (command line: C:\Windows\system32\Oekehomj.exe, tree depth 87)
- PID: 2576

C:\Windows\SysWOW64\Pjhnqfla.exe (command line: C:\Windows\system32\Pjhnqfla.exe, tree depth 88)
- PID: 2892

C:\Windows\SysWOW64\Pcpbik32.exe (command line: C:\Windows\system32\Pcpbik32.exe, tree depth 89)
- Drops file in System32 directory
- PID: 2784

C:\Windows\SysWOW64\Ppgcol32.exe (command line: C:\Windows\system32\Ppgcol32.exe, tree depth 90)
- PID: 2920

C:\Windows\SysWOW64\Pmkdhq32.exe (command line: C:\Windows\system32\Pmkdhq32.exe, tree depth 91)
- Drops file in System32 directory
- PID: 1480

C:\Windows\SysWOW64\Pfchqf32.exe (command line: C:\Windows\system32\Pfchqf32.exe, tree depth 92)
- PID: 2672

C:\Windows\SysWOW64\Pnnmeh32.exe (command line: C:\Windows\system32\Pnnmeh32.exe, tree depth 93)
- System Location Discovery: System Language Discovery
- PID: 264

C:\Windows\SysWOW64\Pidaba32.exe (command line: C:\Windows\system32\Pidaba32.exe, tree depth 94)
- PID: 2496

C:\Windows\SysWOW64\Qblfkgqb.exe (command line: C:\Windows\system32\Qblfkgqb.exe, tree depth 95)
- PID: 1620

C:\Windows\SysWOW64\Qjgjpi32.exe (command line: C:\Windows\system32\Qjgjpi32.exe, tree depth 96)
- Modifies registry class
- PID: 1816

C:\Windows\SysWOW64\Qhkkim32.exe (command line: C:\Windows\system32\Qhkkim32.exe, tree depth 97)
- PID: 2136

C:\Windows\SysWOW64\Ajjgei32.exe (command line: C:\Windows\system32\Ajjgei32.exe, tree depth 98)
- Modifies registry class
- PID: 2300

C:\Windows\SysWOW64\Ajldkhjh.exe (command line: C:\Windows\system32\Ajldkhjh.exe, tree depth 99)
- PID: 1488

C:\Windows\SysWOW64\Apilcoho.exe (command line: C:\Windows\system32\Apilcoho.exe, tree depth 100)
- PID: 540

C:\Windows\SysWOW64\Aahimb32.exe (command line: C:\Windows\system32\Aahimb32.exe, tree depth 101)
- Drops file in System32 directory
- PID: 2244

C:\Windows\SysWOW64\Afeaei32.exe (command line: C:\Windows\system32\Afeaei32.exe, tree depth 102)
- PID: 2076

C:\Windows\SysWOW64\Albjnplq.exe (command line: C:\Windows\system32\Albjnplq.exe, tree depth 103)
- Modifies registry class
- PID: 2820

C:\Windows\SysWOW64\Aifjgdkj.exe (command line: C:\Windows\system32\Aifjgdkj.exe, tree depth 104)
- PID: 2612

C:\Windows\SysWOW64\Aocbokia.exe (command line: C:\Windows\system32\Aocbokia.exe, tree depth 105)
- PID: 2516

C:\Windows\SysWOW64\Bpboinpd.exe (command line: C:\Windows\system32\Bpboinpd.exe, tree depth 106)
- PID: 1724

C:\Windows\SysWOW64\Bhndnpnp.exe (command line: C:\Windows\system32\Bhndnpnp.exe, tree depth 107)
- PID: 3012

C:\Windows\SysWOW64\Bimphc32.exe (command line: C:\Windows\system32\Bimphc32.exe, tree depth 108)
- PID: 1164

C:\Windows\SysWOW64\Bojipjcj.exe (command line: C:\Windows\system32\Bojipjcj.exe, tree depth 109)
- PID: 2396

C:\Windows\SysWOW64\Bhbmip32.exe (command line: C:\Windows\system32\Bhbmip32.exe, tree depth 110)
- PID: 1820

C:\Windows\SysWOW64\Bdinnqon.exe (command line: C:\Windows\system32\Bdinnqon.exe, tree depth 111)
- PID: 1964

C:\Windows\SysWOW64\Cnabffeo.exe (command line: C:\Windows\system32\Cnabffeo.exe, tree depth 112)
- PID: 2104

C:\Windows\SysWOW64\Chggdoee.exe (command line: C:\Windows\system32\Chggdoee.exe, tree depth 113)
- PID: 2472

C:\Windows\SysWOW64\Cdngip32.exe (command line: C:\Windows\system32\Cdngip32.exe, tree depth 114)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- PID: 2828

C:\Windows\SysWOW64\Clilmbhd.exe (command line: C:\Windows\system32\Clilmbhd.exe, tree depth 115)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 2832

C:\Windows\SysWOW64\Cgnpjkhj.exe (command line: C:\Windows\system32\Cgnpjkhj.exe, tree depth 116)
- PID: 1704

C:\Windows\SysWOW64\Clkicbfa.exe (command line: C:\Windows\system32\Clkicbfa.exe, tree depth 117)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID: 1048

C:\Windows\SysWOW64\Cpiaipmh.exe (command line: C:\Windows\system32\Cpiaipmh.exe, tree depth 118)
- Drops file in System32 directory
- PID: 2336

C:\Windows\SysWOW64\Cbjnqh32.exe (command line: C:\Windows\system32\Cbjnqh32.exe, tree depth 119)
- PID: 3020

C:\Windows\SysWOW64\Dkbbinig.exe (command line: C:\Windows\system32\Dkbbinig.exe, tree depth 120)
- PID: 2156

C:\Windows\SysWOW64\Dfhgggim.exe (command line: C:\Windows\system32\Dfhgggim.exe, tree depth 121)
- PID: 1856

C:\Windows\SysWOW64\Dfkclf32.exe (command line: C:\Windows\system32\Dfkclf32.exe, tree depth 122)
- Modifies registry class
- PID: 2304