Analysis
max time kernel: 61s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:00
Static task: static1
Behavioral task: behavioral1
Sample: d472583e2bee8e57e205c06f5aa4eb140a059666dfd9f0277493699e75a69f8e.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: d472583e2bee8e57e205c06f5aa4eb140a059666dfd9f0277493699e75a69f8e.exe
Resource: win10v2004-20241007-en
General
Target: d472583e2bee8e57e205c06f5aa4eb140a059666dfd9f0277493699e75a69f8e.exe
Size: 112KB
MD5: 37929233cf7d74d643ae83143d0d0765
SHA1: 3391046929831a2729cf9fa533477903ccdd86f8
SHA256: d472583e2bee8e57e205c06f5aa4eb140a059666dfd9f0277493699e75a69f8e
SHA512: a0a69dbc0b60c2cbd85739fe2bbf3ed98910f08572e5dbb0a1b1bcc97b347bc650cc88344d785d3236d3656db11836252aeb275850cac5cd3e3224ea77d5cb98
SSDEEP: 1536:fCdMk7YAuxePEWWC9Eh26TnKXvlzDdnj2hrUQVoMdUT+irjVVKm1ieuRzKwD:fQY5SjWtFKXvlzDdj2hr1RhAo+ie0TD
Malware Config
Extracted family: berbew
Extracted URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe (pid 3984, pid_target 3912, procid_target 299)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndbile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammgib32.dll" Pglacbbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbedkhie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdlmlidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekjgbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjaqhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cedpdpdf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d472583e2bee8e57e205c06f5aa4eb140a059666dfd9f0277493699e75a69f8e.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\d472583e2bee8e57e205c06f5aa4eb140a059666dfd9f0277493699e75a69f8e.exe") 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Emgdmc32.exe (cmdline: C:\Windows\system32\Emgdmc32.exe) 2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Fllaopcg.exe (cmdline: C:\Windows\system32\Fllaopcg.exe) 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Fjaoplho.exe (cmdline: C:\Windows\system32\Fjaoplho.exe) 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Fdlpnamm.exe (cmdline: C:\Windows\system32\Fdlpnamm.exe) 5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ffmipmjn.exe (cmdline: C:\Windows\system32\Ffmipmjn.exe) 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Gfoeel32.exe (cmdline: C:\Windows\system32\Gfoeel32.exe) 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Gfabkl32.exe (cmdline: C:\Windows\system32\Gfabkl32.exe) 8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Gbhcpmkm.exe (cmdline: C:\Windows\system32\Gbhcpmkm.exe) 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Geilah32.exe (cmdline: C:\Windows\system32\Geilah32.exe) 10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Gdnibdmf.exe (cmdline: C:\Windows\system32\Gdnibdmf.exe) 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Hocmpm32.exe (cmdline: C:\Windows\system32\Hocmpm32.exe) 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Hofjem32.exe (cmdline: C:\Windows\system32\Hofjem32.exe) 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Hipkfkgh.exe (cmdline: C:\Windows\system32\Hipkfkgh.exe) 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Hchoop32.exe (cmdline: C:\Windows\system32\Hchoop32.exe) 15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Hghdjn32.exe (cmdline: C:\Windows\system32\Hghdjn32.exe) 16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Iaaekl32.exe (cmdline: C:\Windows\system32\Iaaekl32.exe) 17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Ifbkgj32.exe (cmdline: C:\Windows\system32\Ifbkgj32.exe) 18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ihbdhepp.exe (cmdline: C:\Windows\system32\Ihbdhepp.exe) 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ibkhak32.exe (cmdline: C:\Windows\system32\Ibkhak32.exe) 20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Jmdiahco.exe (cmdline: C:\Windows\system32\Jmdiahco.exe) 21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Jcandb32.exe (cmdline: C:\Windows\system32\Jcandb32.exe) 22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Jqeomfgc.exe (cmdline: C:\Windows\system32\Jqeomfgc.exe) 23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1120 -
C:\Windows\SysWOW64\Jcfgoadd.exe (cmdline: C:\Windows\system32\Jcfgoadd.exe) 24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Kmnlhg32.exe (cmdline: C:\Windows\system32\Kmnlhg32.exe) 25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Kapaaj32.exe (cmdline: C:\Windows\system32\Kapaaj32.exe) 26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Kjhfjpdd.exe (cmdline: C:\Windows\system32\Kjhfjpdd.exe) 27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Kaekljjo.exe (cmdline: C:\Windows\system32\Kaekljjo.exe) 28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Knikfnih.exe (cmdline: C:\Windows\system32\Knikfnih.exe) 29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Lcedne32.exe (cmdline: C:\Windows\system32\Lcedne32.exe) 30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Lmpeljkm.exe (cmdline: C:\Windows\system32\Lmpeljkm.exe) 31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Ligfakaa.exe (cmdline: C:\Windows\system32\Ligfakaa.exe) 32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Llhocfnb.exe (cmdline: C:\Windows\system32\Llhocfnb.exe) 33⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Lilomj32.exe (cmdline: C:\Windows\system32\Lilomj32.exe) 34⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Mcacochk.exe (cmdline: C:\Windows\system32\Mcacochk.exe) 35⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ninhamne.exe (cmdline: C:\Windows\system32\Ninhamne.exe) 36⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Nedifo32.exe (cmdline: C:\Windows\system32\Nedifo32.exe) 37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Nchipb32.exe (cmdline: C:\Windows\system32\Nchipb32.exe) 38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Nhebhipj.exe (cmdline: C:\Windows\system32\Nhebhipj.exe) 39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Ogmkne32.exe (cmdline: C:\Windows\system32\Ogmkne32.exe) 40⤵
- Executes dropped EXE
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Oabplobe.exe (cmdline: C:\Windows\system32\Oabplobe.exe) 41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Ojndpqpq.exe (cmdline: C:\Windows\system32\Ojndpqpq.exe) 42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Ofdeeb32.exe (cmdline: C:\Windows\system32\Ofdeeb32.exe) 43⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ochenfdn.exe (cmdline: C:\Windows\system32\Ochenfdn.exe) 44⤵
- Executes dropped EXE
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Obnbpb32.exe (cmdline: C:\Windows\system32\Obnbpb32.exe) 45⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Pkfghh32.exe (cmdline: C:\Windows\system32\Pkfghh32.exe) 46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Pfnhkq32.exe (cmdline: C:\Windows\system32\Pfnhkq32.exe) 47⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Pofldf32.exe (cmdline: C:\Windows\system32\Pofldf32.exe) 48⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Pkmmigjo.exe (cmdline: C:\Windows\system32\Pkmmigjo.exe) 49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Pajeanhf.exe (cmdline: C:\Windows\system32\Pajeanhf.exe) 50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Palbgn32.exe (cmdline: C:\Windows\system32\Palbgn32.exe) 51⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Qcjoci32.exe (cmdline: C:\Windows\system32\Qcjoci32.exe) 52⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Qmcclolh.exe (cmdline: C:\Windows\system32\Qmcclolh.exe) 53⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Qfkgdd32.exe (cmdline: C:\Windows\system32\Qfkgdd32.exe) 54⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Abbhje32.exe (cmdline: C:\Windows\system32\Abbhje32.exe) 55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Afpapcnc.exe (cmdline: C:\Windows\system32\Afpapcnc.exe) 56⤵
- Executes dropped EXE
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Ankedf32.exe (cmdline: C:\Windows\system32\Ankedf32.exe) 57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Afbnec32.exe (cmdline: C:\Windows\system32\Afbnec32.exe) 58⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Anmbje32.exe (cmdline: C:\Windows\system32\Anmbje32.exe) 59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Aegkfpah.exe (cmdline: C:\Windows\system32\Aegkfpah.exe) 60⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Anpooe32.exe (cmdline: C:\Windows\system32\Anpooe32.exe) 61⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Bldpiifb.exe (cmdline: C:\Windows\system32\Bldpiifb.exe) 62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Bhjpnj32.exe (cmdline: C:\Windows\system32\Bhjpnj32.exe) 63⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Bacefpbg.exe (cmdline: C:\Windows\system32\Bacefpbg.exe) 64⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Bmjekahk.exe (cmdline: C:\Windows\system32\Bmjekahk.exe) 65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Bbfnchfb.exe (cmdline: C:\Windows\system32\Bbfnchfb.exe) 66⤵
PID:2648 -
C:\Windows\SysWOW64\Bpjnmlel.exe (cmdline: C:\Windows\system32\Bpjnmlel.exe) 67⤵
PID:1552 -
C:\Windows\SysWOW64\Bbikig32.exe (cmdline: C:\Windows\system32\Bbikig32.exe) 68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Blaobmkq.exe (cmdline: C:\Windows\system32\Blaobmkq.exe) 69⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Cbkgog32.exe (cmdline: C:\Windows\system32\Cbkgog32.exe) 70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Clclhmin.exe (cmdline: C:\Windows\system32\Clclhmin.exe) 71⤵
PID:1044 -
C:\Windows\SysWOW64\Capdpcge.exe (cmdline: C:\Windows\system32\Capdpcge.exe) 72⤵
PID:2224 -
C:\Windows\SysWOW64\Ckiiiine.exe (cmdline: C:\Windows\system32\Ckiiiine.exe) 73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Cenmfbml.exe (cmdline: C:\Windows\system32\Cenmfbml.exe) 74⤵
PID:2708 -
C:\Windows\SysWOW64\Clhecl32.exe (cmdline: C:\Windows\system32\Clhecl32.exe) 75⤵
PID:2588 -
C:\Windows\SysWOW64\Cgbfcjag.exe (cmdline: C:\Windows\system32\Cgbfcjag.exe) 76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Cdfgmnpa.exe (cmdline: C:\Windows\system32\Cdfgmnpa.exe) 77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Cgdciiod.exe (cmdline: C:\Windows\system32\Cgdciiod.exe) 78⤵
PID:2280 -
C:\Windows\SysWOW64\Dpmgao32.exe (cmdline: C:\Windows\system32\Dpmgao32.exe) 79⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Djeljd32.exe (cmdline: C:\Windows\system32\Djeljd32.exe) 80⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Dcmpcjcf.exe (cmdline: C:\Windows\system32\Dcmpcjcf.exe) 81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Djghpd32.exe (cmdline: C:\Windows\system32\Djghpd32.exe) 82⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Dcpmijqc.exe (cmdline: C:\Windows\system32\Dcpmijqc.exe) 83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Dfniee32.exe (cmdline: C:\Windows\system32\Dfniee32.exe) 84⤵
PID:956 -
C:\Windows\SysWOW64\Dbejjfek.exe (cmdline: C:\Windows\system32\Dbejjfek.exe) 85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Dljngoea.exe (cmdline: C:\Windows\system32\Dljngoea.exe) 86⤵
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Dfbbpd32.exe (cmdline: C:\Windows\system32\Dfbbpd32.exe) 87⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Elmkmo32.exe (cmdline: C:\Windows\system32\Elmkmo32.exe) 88⤵
- Drops file in System32 directory
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Ebicee32.exe (cmdline: C:\Windows\system32\Ebicee32.exe) 89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Ehclbpic.exe (cmdline: C:\Windows\system32\Ehclbpic.exe) 90⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Eblpke32.exe (cmdline: C:\Windows\system32\Eblpke32.exe) 91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Ehfhgogp.exe (cmdline: C:\Windows\system32\Ehfhgogp.exe) 92⤵
PID:1056 -
C:\Windows\SysWOW64\Enbapf32.exe (cmdline: C:\Windows\system32\Enbapf32.exe) 93⤵
PID:2564 -
C:\Windows\SysWOW64\Edmilpld.exe (cmdline: C:\Windows\system32\Edmilpld.exe) 94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Enenef32.exe (cmdline: C:\Windows\system32\Enenef32.exe) 95⤵
PID:1792 -
C:\Windows\SysWOW64\Ecbfmm32.exe (cmdline: C:\Windows\system32\Ecbfmm32.exe) 96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Efpbih32.exe (cmdline: C:\Windows\system32\Efpbih32.exe) 97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748 -
C:\Windows\SysWOW64\Fqffgapf.exe (cmdline: C:\Windows\system32\Fqffgapf.exe) 98⤵
PID:2616 -
C:\Windows\SysWOW64\Fiedfb32.exe (cmdline: C:\Windows\system32\Fiedfb32.exe) 99⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Fnbmoi32.exe (cmdline: C:\Windows\system32\Fnbmoi32.exe) 100⤵
PID:1156 -
C:\Windows\SysWOW64\Fijnabef.exe (cmdline: C:\Windows\system32\Fijnabef.exe) 101⤵
PID:1936 -
C:\Windows\SysWOW64\Gjljij32.exe (cmdline: C:\Windows\system32\Gjljij32.exe) 102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Gddobpbe.exe (cmdline: C:\Windows\system32\Gddobpbe.exe) 103⤵
PID:2800 -
C:\Windows\SysWOW64\Gjngoj32.exe (cmdline: C:\Windows\system32\Gjngoj32.exe) 104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Gdflgo32.exe (cmdline: C:\Windows\system32\Gdflgo32.exe) 105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Gnlpeh32.exe (cmdline: C:\Windows\system32\Gnlpeh32.exe) 106⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Ghddnnfi.exe (cmdline: C:\Windows\system32\Ghddnnfi.exe) 107⤵
PID:2304 -
C:\Windows\SysWOW64\Gamifcmi.exe (cmdline: C:\Windows\system32\Gamifcmi.exe) 108⤵
PID:2228 -
C:\Windows\SysWOW64\Gfiaojkq.exe (cmdline: C:\Windows\system32\Gfiaojkq.exe) 109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Glfjgaih.exe (cmdline: C:\Windows\system32\Glfjgaih.exe) 110⤵
PID:1932 -
C:\Windows\SysWOW64\Hflndjin.exe (cmdline: C:\Windows\system32\Hflndjin.exe) 111⤵
PID:2580 -
C:\Windows\SysWOW64\Hmefad32.exe (cmdline: C:\Windows\system32\Hmefad32.exe) 112⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Hbboiknb.exe (cmdline: C:\Windows\system32\Hbboiknb.exe) 113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Hilgfe32.exe (cmdline: C:\Windows\system32\Hilgfe32.exe) 114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Hoipnl32.exe (cmdline: C:\Windows\system32\Hoipnl32.exe) 115⤵
PID:304 -
C:\Windows\SysWOW64\Hechkfkc.exe (cmdline: C:\Windows\system32\Hechkfkc.exe) 116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Holldk32.exe (cmdline: C:\Windows\system32\Holldk32.exe) 117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Heedqe32.exe (cmdline: C:\Windows\system32\Heedqe32.exe) 118⤵
PID:2392 -
C:\Windows\SysWOW64\Hkbmil32.exe (cmdline: C:\Windows\system32\Hkbmil32.exe) 119⤵
PID:1992 -
C:\Windows\SysWOW64\Haleefoe.exe (cmdline: C:\Windows\system32\Haleefoe.exe) 120⤵
PID:2452 -
C:\Windows\SysWOW64\Iaobkf32.exe (cmdline: C:\Windows\system32\Iaobkf32.exe) 121⤵
PID:3040 -
C:\Windows\SysWOW64\Ihijhpdo.exe (cmdline: C:\Windows\system32\Ihijhpdo.exe) 122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1784