Analysis
-
max time kernel
95s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 03:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe
-
Size
74KB
-
MD5
caf1e7fc65d3425e863deddecafd4962
-
SHA1
02ba12de80ae97e8382284d0e7e8cfc86c4dbba1
-
SHA256
c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a
-
SHA512
bd5891d0195f1ba9df6f155f0685d06affc4811ed69c09106c5fdf9673df9662ac99d3c0bf3f9bcbdf2a504f72fb96134074fc6eafb6f73e2b41452e45dcc4ac
-
SSDEEP
768:gjG1uquZo9XASkUpHehiMgpe3FKgo5zMfd+f78aqtxo3uoKtePV49v9qBMXKAv82:LruRIshiWoadtS3u289q6Xbp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jdodkebj.exeMkohaj32.exeDfglfdkb.exeJbiejoaj.exePhedhmhi.exeQodeajbg.exeNbadcpbh.exeOoagno32.exePflibgil.exeHgelek32.exeJlmfeg32.exeBahkih32.exeBakgoh32.exeFmhdkknd.exeAfghneoo.exeJdbhkk32.exeLjkifn32.exeGmiclo32.exeLncjlq32.exeBllbaa32.exeKcidmkpq.exeAcmobchj.exeBjicdmmd.exeCjjlkk32.exeFfaong32.exeLfgipd32.exeAphnnafb.exeBacjdbch.exePfillg32.exeLndham32.exeGikdkj32.exeOnpjichj.exeChnbbqpn.exeHkdjfb32.exeOeheqm32.exePmoiqneg.exePdhbmh32.exeKqnbkl32.exeKageaj32.exeQhngolpo.exeHgdejd32.exeFihnomjp.exeJllokajf.exeBgeaifia.exeIqbbpm32.exeBblnindg.exeIdahjg32.exeGdmmbq32.exeHmechmip.exeApjkcadp.exeQdphngfl.exeQlgpod32.exeAolblopj.exeNcqlkemc.exePqcjepfo.exeDjdflp32.exeJdedak32.exeMilidebi.exeBdfpkm32.exeMiaboe32.exeOkjnnj32.exeEifaim32.exeKpoalo32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdodkebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfglfdkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbadcpbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooagno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgelek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmhdkknd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afghneoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbhkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljkifn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lncjlq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllbaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjicdmmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbadcpbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfillg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lndham32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeheqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoiqneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqnbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhngolpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihnomjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgeaifia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqbbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdphngfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djdflp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Milidebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpoalo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mekgdl32.exeMockmala.exeMfjcnold.exeNiipjj32.exeNbadcpbh.exeNeppokal.exeNpedmdab.exeNgomin32.exeNhpiafnm.exeNcfmno32.exeNhbfff32.exeNgdfdmdi.exeNibbqicm.exeNookip32.exeOidofh32.exeOoagno32.exeOhjlgefb.exeOgklelna.exeOcamjm32.exeOepifi32.exeOohnonij.exeOebflhaf.exeOphjiaql.exeOcffempp.exePloknb32.exePgdokkfg.exePhelcc32.exePfillg32.exePoaqemao.exePflibgil.exePgkelj32.exePqcjepfo.exeQhonib32.exeQgpogili.exeAokcklid.exeAgbkmijg.exeAmodep32.exeAfghneoo.exeAmaqjp32.exeAopmfk32.exeAihaoqlp.exeAqoiqn32.exeAflaie32.exeAqaffn32.exeAglnbhal.exeAimkjp32.exeBqdblmhl.exeBcbohigp.exeBoipmj32.exeBgpgng32.exeBmmpfn32.exeBoklbi32.exeBfedoc32.exeBidqko32.exeBmomlnjk.exeBgeaifia.exeBmbiamhi.exeBihjfnmm.exeCpbbch32.exeCcnncgmc.exeCabomkll.exeCglgjeci.exeCimcan32.exeCjmpkqqj.exepid Process 3728 Mekgdl32.exe 2012 Mockmala.exe 1424 Mfjcnold.exe 2744 Niipjj32.exe 1440 Nbadcpbh.exe 376 Neppokal.exe 4864 Npedmdab.exe 3160 Ngomin32.exe 704 Nhpiafnm.exe 2452 Ncfmno32.exe 224 Nhbfff32.exe 4716 Ngdfdmdi.exe 3904 Nibbqicm.exe 1536 Nookip32.exe 3216 Oidofh32.exe 4992 Ooagno32.exe 4560 Ohjlgefb.exe 2300 Ogklelna.exe 1696 Ocamjm32.exe 2460 Oepifi32.exe 2860 Oohnonij.exe 1784 Oebflhaf.exe 2144 Ophjiaql.exe 4228 Ocffempp.exe 1156 Ploknb32.exe 1180 Pgdokkfg.exe 2308 Phelcc32.exe 5004 Pfillg32.exe 3304 Poaqemao.exe 4980 Pflibgil.exe 512 Pgkelj32.exe 3648 Pqcjepfo.exe 2708 Qhonib32.exe 3124 Qgpogili.exe 4612 Aokcklid.exe 3840 Agbkmijg.exe 5072 Amodep32.exe 2604 Afghneoo.exe 4532 Amaqjp32.exe 412 Aopmfk32.exe 1724 Aihaoqlp.exe 2316 Aqoiqn32.exe 4052 Aflaie32.exe 4180 Aqaffn32.exe 2620 Aglnbhal.exe 1556 Aimkjp32.exe 5092 Bqdblmhl.exe 116 Bcbohigp.exe 1184 Boipmj32.exe 872 Bgpgng32.exe 4628 Bmmpfn32.exe 2964 Boklbi32.exe 2884 Bfedoc32.exe 1660 Bidqko32.exe 804 Bmomlnjk.exe 2020 Bgeaifia.exe 4164 Bmbiamhi.exe 5068 Bihjfnmm.exe 4644 Cpbbch32.exe 1688 Ccnncgmc.exe 4196 Cabomkll.exe 3976 Cglgjeci.exe 1016 Cimcan32.exe 4552 Cjmpkqqj.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hnodaecc.exeJiiicf32.exeLfeljd32.exeDdgibkpc.exeJklphekp.exeFefedmil.exeBgkiaj32.exeQohpkf32.exeJlfpdh32.exeFmfgek32.exeCacckp32.exeFdamgb32.exePcjiff32.exeAmjillkj.exeAgimkk32.exeAglnbhal.exeNolgijpk.exeBfendmoc.exeKqbdldnq.exePhfjcf32.exeLpfgmnfp.exeFhflnpoi.exeJnkldqkc.exeJjdjoane.exeCfcjfk32.exeGnepna32.exeHibjli32.exeKjgeedch.exeFagjfflb.exeKnkekn32.exeAkhcfe32.exeDpdaepai.exeOmegjomb.exeOjomcopk.exeQjfmkk32.exeFggocmhf.exeNgjbaj32.exeClgbmp32.exeNmkmjjaa.exeOakbehfe.exeEblpgjha.exeMkmkkjko.exeEpmmqheb.exeMogcihaj.exeQodeajbg.exeAqoiqn32.exeMilidebi.exeOocmii32.exeFmhdkknd.exeNpiiffqe.exeOfkgcobj.exeCdbpgl32.exeAgbkmijg.exeLkofdbkj.exeLegjmh32.exePoajkgnc.exeAfgacokc.exeGmojkj32.exeJlmfeg32.exeAamknj32.exeAlelqb32.exeBihjfnmm.exedescription ioc Process File created C:\Windows\SysWOW64\Ocaikjof.dll Hnodaecc.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Llodgnja.exe Lfeljd32.exe File created C:\Windows\SysWOW64\Dkqaoe32.exe Ddgibkpc.exe File opened for modification C:\Windows\SysWOW64\Jnkldqkc.exe Jklphekp.exe File created C:\Windows\SysWOW64\Jflbhhom.dll Fefedmil.exe File created C:\Windows\SysWOW64\Baannc32.exe Bgkiaj32.exe File created C:\Windows\SysWOW64\Ajndioga.exe Qohpkf32.exe File opened for modification C:\Windows\SysWOW64\Jdmgfedl.exe Jlfpdh32.exe File opened for modification C:\Windows\SysWOW64\Fpdcag32.exe Fmfgek32.exe File opened for modification C:\Windows\SysWOW64\Cdbpgl32.exe Cacckp32.exe File opened for modification C:\Windows\SysWOW64\Ffpicn32.exe Fdamgb32.exe File created C:\Windows\SysWOW64\Jlgkbp32.dll Pcjiff32.exe File created C:\Windows\SysWOW64\Cglblmfn.dll Amjillkj.exe File opened for modification C:\Windows\SysWOW64\Amcehdod.exe Agimkk32.exe File created C:\Windows\SysWOW64\Aimkjp32.exe Aglnbhal.exe File created C:\Windows\SysWOW64\Iadenp32.dll Nolgijpk.exe File created C:\Windows\SysWOW64\Inbhocbm.dll Bfendmoc.exe File created C:\Windows\SysWOW64\Gicbkkca.dll Kqbdldnq.exe File opened for modification C:\Windows\SysWOW64\Pmcclm32.exe Phfjcf32.exe File created C:\Windows\SysWOW64\Lgpoihnl.exe Lpfgmnfp.exe File created C:\Windows\SysWOW64\Ofdljpcg.dll Fhflnpoi.exe File created C:\Windows\SysWOW64\Ejlacgdj.dll Jnkldqkc.exe File created C:\Windows\SysWOW64\Nbklhm32.dll Jjdjoane.exe File created C:\Windows\SysWOW64\Njoddaaj.dll Cfcjfk32.exe File created C:\Windows\SysWOW64\Ghjnkpdc.dll Gnepna32.exe File created C:\Windows\SysWOW64\Cjgjmg32.dll Hibjli32.exe File created C:\Windows\SysWOW64\Edqnimdf.dll Kjgeedch.exe File opened for modification C:\Windows\SysWOW64\Fdffbake.exe Fagjfflb.exe File opened for modification C:\Windows\SysWOW64\Leenhhdn.exe Knkekn32.exe File created C:\Windows\SysWOW64\Nocedmfn.dll Knkekn32.exe File opened for modification C:\Windows\SysWOW64\Acokhc32.exe Akhcfe32.exe File opened for modification C:\Windows\SysWOW64\Dbcmakpl.exe Dpdaepai.exe File opened for modification C:\Windows\SysWOW64\Oodcdb32.exe Omegjomb.exe File created C:\Windows\SysWOW64\Qbdadm32.dll Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Qpcecb32.exe Qjfmkk32.exe File created C:\Windows\SysWOW64\Bbhkjmnj.dll Fggocmhf.exe File created C:\Windows\SysWOW64\Nlfnaicd.exe Ngjbaj32.exe File opened for modification C:\Windows\SysWOW64\Cofnik32.exe Clgbmp32.exe File opened for modification C:\Windows\SysWOW64\Npiiffqe.exe Nmkmjjaa.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe Oakbehfe.exe File opened for modification C:\Windows\SysWOW64\Eppqqn32.exe Eblpgjha.exe File opened for modification C:\Windows\SysWOW64\Mnkggfkb.exe Mkmkkjko.exe File opened for modification C:\Windows\SysWOW64\Efgemb32.exe Epmmqheb.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Hockka32.dll Qodeajbg.exe File opened for modification C:\Windows\SysWOW64\Aflaie32.exe Aqoiqn32.exe File created C:\Windows\SysWOW64\Jecffa32.dll Milidebi.exe File created C:\Windows\SysWOW64\Fjecoi32.dll Oocmii32.exe File created C:\Windows\SysWOW64\Fnipbc32.exe Fmhdkknd.exe File created C:\Windows\SysWOW64\Aepjgm32.dll Npiiffqe.exe File opened for modification C:\Windows\SysWOW64\Oaplqh32.exe Ofkgcobj.exe File opened for modification C:\Windows\SysWOW64\Llodgnja.exe Lfeljd32.exe File created C:\Windows\SysWOW64\Biafno32.dll Cdbpgl32.exe File created C:\Windows\SysWOW64\Nmhbnnof.dll Agbkmijg.exe File opened for modification C:\Windows\SysWOW64\Lbinam32.exe Lkofdbkj.exe File opened for modification C:\Windows\SysWOW64\Lkabjbih.exe Legjmh32.exe File opened for modification C:\Windows\SysWOW64\Phincl32.exe Poajkgnc.exe File created C:\Windows\SysWOW64\Ahenokjf.exe Afgacokc.exe File created C:\Windows\SysWOW64\Gblbca32.exe Gmojkj32.exe File created C:\Windows\SysWOW64\Jddnfd32.exe Jlmfeg32.exe File created C:\Windows\SysWOW64\Ahgcjddh.exe Aamknj32.exe File opened for modification C:\Windows\SysWOW64\Bnfihkqm.exe Alelqb32.exe File created C:\Windows\SysWOW64\Cpbbch32.exe Bihjfnmm.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3124 1868 WerFault.exe 850 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Pecellgl.exeChglab32.exeNliaao32.exeJgnqgqan.exeObjpoh32.exeIcnklbmj.exeBklfgo32.exeGpelhd32.exeMfchlbfd.exeOcamjm32.exeLlflea32.exePiphgq32.exeBahkih32.exeFmkqpkla.exeHbjoeojc.exeMfhbga32.exeOgjdmbil.exeDapkni32.exeLnbklm32.exeBgpcliao.exeBoldhf32.exeMbighjdd.exeBfpdin32.exeCbeapmll.exeDlkbjqgm.exeDmadco32.exeAfghneoo.exeAflaie32.exeEidbij32.exeEigonjcj.exeInjcmc32.exeNccokk32.exeGikdkj32.exeAokcklid.exeBidqko32.exePhedhmhi.exeHmechmip.exeJlfpdh32.exeJdaaaeqg.exeCnfaohbj.exeDfdpad32.exeFaenpf32.exeKjhcjq32.exeAgimkk32.exeIllfdc32.exeGgkiol32.exeFpbflg32.exeAfkknogn.exeDnbakghm.exeImkbnf32.exeOcffempp.exePhincl32.exeGhpocngo.exeKjmmepfj.exeMejpje32.exeCkmehb32.exeOmqmop32.exeAglnbhal.exeDabhdinj.exeIdahjg32.exeNfohgqlg.exeConanfli.exeGhkeio32.exeHcpojd32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecellgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocamjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llflea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afghneoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflaie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidbij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eigonjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injcmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokcklid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfaohbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faenpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agimkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illfdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbakghm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocffempp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phincl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmmepfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglnbhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfohgqlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conanfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkeio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe -
Modifies registry class 64 IoCs
Processes:
Ccpdoqgd.exeIdahjg32.exeOebflhaf.exeFaenpf32.exeMiofjepg.exeFmkqpkla.exeJhijqj32.exeMqfpckhm.exeOaplqh32.exeBaannc32.exeNlfnaicd.exeMoipoh32.exeNliaao32.exeDiccgfpd.exeDfjpfj32.exeOgcnmc32.exeCgqqdeod.exeGdmmbq32.exeKcndbp32.exeBomkcm32.exeIciaqc32.exeBddjpd32.exeHbjoeojc.exePabblb32.exeBkoigdom.exeOoagno32.exeMmnhcb32.exeAhgcjddh.exeCjliajmo.exeOaifpi32.exeMfjcnold.exeIgchfiof.exeMepfiq32.exeAoalgn32.exeCklhcfle.exeAfghneoo.exeJlmfeg32.exeAlelqb32.exePjpfjl32.exeQohpkf32.exeIloidijb.exeMglfplgk.exeNnkpnclp.exeFihnomjp.exeJoahqn32.exeBqdblmhl.exeDhlpqc32.exeLopmii32.exeNolgijpk.exeCkfphc32.exeHmbfbn32.exeNlhkgi32.exePfiddm32.exeQhonib32.exeHajpbckl.exeJnlbojee.exeMnmdme32.exeEofgpikj.exeGlgcbf32.exeLmaamn32.exeOfhknodl.exeKbmoen32.exeDjcoai32.exeHfaajnfb.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggebqoki.dll" Faenpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headjohq.dll" Miofjepg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmkqpkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhijqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldkg32.dll" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Moipoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khacqh32.dll" Diccgfpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfjpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgqqdeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdmmbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcndbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bomkcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhdjbno.dll" Bddjpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pabblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllmfjk.dll" Ooagno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmnhcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpmgll32.dll" Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcebook.dll" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cklhcfle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afghneoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckdpoji.dll" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Iloidijb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofmkc32.dll" Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fihnomjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icndnfbg.dll" Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbhl32.dll" Dhlpqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadenp32.dll" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckfphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhonib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hajpbckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnlbojee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnmdme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eofgpikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmaamn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbmoen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbmpk32.dll" Djcoai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfaajnfb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exeMekgdl32.exeMockmala.exeMfjcnold.exeNiipjj32.exeNbadcpbh.exeNeppokal.exeNpedmdab.exeNgomin32.exeNhpiafnm.exeNcfmno32.exeNhbfff32.exeNgdfdmdi.exeNibbqicm.exeNookip32.exeOidofh32.exeOoagno32.exeOhjlgefb.exeOgklelna.exeOcamjm32.exeOepifi32.exeOohnonij.exedescription pid Process procid_target PID 3836 wrote to memory of 3728 3836 c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe 83 PID 3836 wrote to memory of 3728 3836 c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe 83 PID 3836 wrote to memory of 3728 3836 c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe 83 PID 3728 wrote to memory of 2012 3728 Mekgdl32.exe 84 PID 3728 wrote to memory of 2012 3728 Mekgdl32.exe 84 PID 3728 wrote to memory of 2012 3728 Mekgdl32.exe 84 PID 2012 wrote to memory of 1424 2012 Mockmala.exe 85 PID 2012 wrote to memory of 1424 2012 Mockmala.exe 85 PID 2012 wrote to memory of 1424 2012 Mockmala.exe 85 PID 1424 wrote to memory of 2744 1424 Mfjcnold.exe 86 PID 1424 wrote to memory of 2744 1424 Mfjcnold.exe 86 PID 1424 wrote to memory of 2744 1424 Mfjcnold.exe 86 PID 2744 wrote to memory of 1440 2744 Niipjj32.exe 87 PID 2744 wrote to memory of 1440 2744 Niipjj32.exe 87 PID 2744 wrote to memory of 1440 2744 Niipjj32.exe 87 PID 1440 wrote to memory of 376 1440 Nbadcpbh.exe 88 PID 1440 wrote to memory of 376 1440 Nbadcpbh.exe 88 PID 1440 wrote to memory of 376 1440 Nbadcpbh.exe 88 PID 376 wrote to memory of 4864 376 Neppokal.exe 89 PID 376 wrote to memory of 4864 376 Neppokal.exe 89 PID 376 wrote to memory of 4864 376 Neppokal.exe 89 PID 4864 wrote to memory of 3160 4864 Npedmdab.exe 90 PID 4864 wrote to memory of 3160 4864 Npedmdab.exe 90 PID 4864 wrote to memory of 3160 4864 Npedmdab.exe 90 PID 3160 wrote to memory of 704 3160 Ngomin32.exe 91 PID 3160 wrote to memory of 704 3160 Ngomin32.exe 91 PID 3160 wrote to memory of 704 3160 Ngomin32.exe 91 PID 704 wrote to memory of 2452 704 Nhpiafnm.exe 92 PID 704 wrote to memory of 2452 704 Nhpiafnm.exe 92 PID 704 wrote to memory of 2452 704 Nhpiafnm.exe 92 PID 2452 wrote to memory of 224 2452 Ncfmno32.exe 93 PID 2452 wrote to memory of 224 2452 Ncfmno32.exe 93 PID 2452 wrote to memory of 224 2452 Ncfmno32.exe 93 PID 224 wrote to memory of 4716 224 Nhbfff32.exe 94 PID 224 wrote to memory of 4716 224 Nhbfff32.exe 94 PID 224 wrote to memory of 4716 224 Nhbfff32.exe 94 PID 4716 wrote to memory of 3904 4716 Ngdfdmdi.exe 95 PID 4716 wrote to memory of 3904 4716 Ngdfdmdi.exe 95 PID 4716 wrote to memory of 3904 4716 Ngdfdmdi.exe 95 PID 3904 wrote to memory of 1536 3904 Nibbqicm.exe 96 PID 3904 wrote to memory of 1536 3904 Nibbqicm.exe 96 PID 3904 wrote to memory of 1536 3904 Nibbqicm.exe 96 PID 1536 wrote to memory of 3216 1536 Nookip32.exe 97 PID 1536 wrote to memory of 3216 1536 Nookip32.exe 97 PID 1536 wrote to memory of 3216 1536 Nookip32.exe 97 PID 3216 wrote to memory of 4992 3216 Oidofh32.exe 98 PID 3216 wrote to memory of 4992 3216 Oidofh32.exe 98 PID 3216 wrote to memory of 4992 3216 Oidofh32.exe 98 PID 4992 wrote to memory of 4560 4992 Ooagno32.exe 99 PID 4992 wrote to memory of 4560 4992 Ooagno32.exe 99 PID 4992 wrote to memory of 4560 4992 Ooagno32.exe 99 PID 4560 wrote to memory of 2300 4560 Ohjlgefb.exe 100 PID 4560 wrote to memory of 2300 4560 Ohjlgefb.exe 100 PID 4560 wrote to memory of 2300 4560 Ohjlgefb.exe 100 PID 2300 wrote to memory of 1696 2300 Ogklelna.exe 101 PID 2300 wrote to memory of 1696 2300 Ogklelna.exe 101 PID 2300 wrote to memory of 1696 2300 Ogklelna.exe 101 PID 1696 wrote to memory of 2460 1696 Ocamjm32.exe 102 PID 1696 wrote to memory of 2460 1696 Ocamjm32.exe 102 PID 1696 wrote to memory of 2460 1696 Ocamjm32.exe 102 PID 2460 wrote to memory of 2860 2460 Oepifi32.exe 103 PID 2460 wrote to memory of 2860 2460 Oepifi32.exe 103 PID 2460 wrote to memory of 2860 2460 Oepifi32.exe 103 PID 2860 wrote to memory of 1784 2860 Oohnonij.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe"C:\Users\Admin\AppData\Local\Temp\c8487c624fc5c5ba59effc21e780075cb4351fdd7b71b7f2c4ea1502734a2b9a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe24⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4228 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe26⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe27⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe28⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe30⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe32⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe35⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3840 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe38⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe40⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe41⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe42⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4052 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe45⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe47⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe49⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe50⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe51⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe52⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe53⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe54⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe56⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe58⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe60⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe61⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe62⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe63⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe64⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe65⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe66⤵PID:4576
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe67⤵
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe68⤵PID:1420
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe69⤵PID:1296
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe70⤵PID:3228
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe71⤵PID:4484
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe72⤵PID:2496
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4664 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe74⤵PID:1508
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe75⤵PID:3636
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe76⤵PID:4944
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe78⤵PID:2024
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe79⤵PID:2656
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe80⤵
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe81⤵
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe82⤵PID:3168
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe83⤵PID:1804
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe84⤵PID:3404
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe85⤵PID:2336
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe86⤵PID:1224
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe87⤵PID:3400
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe88⤵
- System Location Discovery: System Language Discovery
PID:4988 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe89⤵
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe90⤵PID:3172
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe91⤵PID:4116
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe92⤵PID:4000
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe93⤵PID:4276
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe94⤵PID:4960
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe95⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe96⤵PID:3408
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe98⤵PID:3532
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe99⤵PID:388
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe100⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe101⤵PID:4476
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe102⤵PID:3044
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe103⤵PID:4940
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe104⤵
- Drops file in System32 directory
PID:3924 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe105⤵PID:660
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe106⤵PID:5136
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe107⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe108⤵PID:5224
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe109⤵PID:5268
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5356 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe112⤵PID:5400
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe113⤵PID:5444
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe114⤵
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe115⤵PID:5532
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe116⤵PID:5576
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe117⤵PID:5620
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe118⤵PID:5664
-
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe119⤵PID:5708
-
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe120⤵
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe121⤵PID:5796
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-