Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 03:39

Static task: static1

Behavioral task: behavioral1
Sample: 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe
Resource: win10v2004-20241007-en
General

Target: 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe
Size: 108KB
MD5: 590a4c9d667853615cd74ed088282055
SHA1: be078cd0f28227e4e36e871307a346369666c452
SHA256: 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19
SHA512: c551cfeed254758ae341b12469b5229d352dcf0365c368614067e91acc6393fb1685f7c4679e65ca14c25f03b9813208bd5889726ce841f0230490fc5ff30f10
SSDEEP: 1536:dJejlMhPqT1hHtKDf4+vqBqSvhHwaV5PU12saHoloFcFmKcUsvKwFo:dJejOiIf4PR55QLaIGFcFmKcUsvKwFo
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2164, pid_target: 10496
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
"C:\\Windows\\SysWow64\\Ogikcfnb.dll" Labkdack.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nocpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chkmkacq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daqamj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe, Ilncom32.exe, Iompkh32.exe, Ijbdha32.exe, Ioolqh32.exe, Iamimc32.exe, Ijdqna32.exe, Ilcmjl32.exe, Ioaifhid.exe, Idnaoohk.exe, Ileiplhn.exe, Jocflgga.exe, Jabbhcfe.exe, Jhljdm32.exe, Jofbag32.exe, Jqgoiokm.exe
description pid Process procid_target
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2568 wrote to memory of 2856 2568 Ilncom32.exe 29
PID 2568 wrote to memory of 2856 2568 Ilncom32.exe 29
PID 2568 wrote to memory of 2856 2568 Ilncom32.exe 29
PID 2568 wrote to memory of 2856 2568 Ilncom32.exe 29
PID 2856 wrote to memory of 2620 2856 Iompkh32.exe 30
PID 2856 wrote to memory of 2620 2856 Iompkh32.exe 30
PID 2856 wrote to memory of 2620 2856 Iompkh32.exe 30
PID 2856 wrote to memory of 2620 2856 Iompkh32.exe 30
PID 2620 wrote to memory of 2596 2620 Ijbdha32.exe 31
PID 2620 wrote to memory of 2596 2620 Ijbdha32.exe 31
PID 2620 wrote to memory of 2596 2620 Ijbdha32.exe 31
PID 2620 wrote to memory of 2596 2620 Ijbdha32.exe 31
PID 2596 wrote to memory of 2508 2596 Ioolqh32.exe 32
PID 2596 wrote to memory of 2508 2596 Ioolqh32.exe 32
PID 2596 wrote to memory of 2508 2596 Ioolqh32.exe 32
PID 2596 wrote to memory of 2508 2596 Ioolqh32.exe 32
PID 2508 wrote to memory of 1748 2508 Iamimc32.exe 33
PID 2508 wrote to memory of 1748 2508 Iamimc32.exe 33
PID 2508 wrote to memory of 1748 2508 Iamimc32.exe 33
PID 2508 wrote to memory of 1748 2508 Iamimc32.exe 33
PID 1748 wrote to memory of 568 1748 Ijdqna32.exe 34
PID 1748 wrote to memory of 568 1748 Ijdqna32.exe 34
PID 1748 wrote to memory of 568 1748 Ijdqna32.exe 34
PID 1748 wrote to memory of 568 1748 Ijdqna32.exe 34
PID 568 wrote to memory of 1580 568 Ilcmjl32.exe 35
PID 568 wrote to memory of 1580 568 Ilcmjl32.exe 35
PID 568 wrote to memory of 1580 568 Ilcmjl32.exe 35
PID 568 wrote to memory of 1580 568 Ilcmjl32.exe 35
PID 1580 wrote to memory of 2812 1580 Ioaifhid.exe 36
PID 1580 wrote to memory of 2812 1580 Ioaifhid.exe 36
PID 1580 wrote to memory of 2812 1580 Ioaifhid.exe 36
PID 1580 wrote to memory of 2812 1580 Ioaifhid.exe 36
PID 2812 wrote to memory of 3060 2812 Idnaoohk.exe 37
PID 2812 wrote to memory of 3060 2812 Idnaoohk.exe 37
PID 2812 wrote to memory of 3060 2812 Idnaoohk.exe 37
PID 2812 wrote to memory of 3060 2812 Idnaoohk.exe 37
PID 3060 wrote to memory of 2280 3060 Ileiplhn.exe 38
PID 3060 wrote to memory of 2280 3060 Ileiplhn.exe 38
PID 3060 wrote to memory of 2280 3060 Ileiplhn.exe 38
PID 3060 wrote to memory of 2280 3060 Ileiplhn.exe 38
PID 2280 wrote to memory of 1688 2280 Jocflgga.exe 39
PID 2280 wrote to memory of 1688 2280 Jocflgga.exe 39
PID 2280 wrote to memory of 1688 2280 Jocflgga.exe 39
PID 2280 wrote to memory of 1688 2280 Jocflgga.exe 39
PID 1688 wrote to memory of 2684 1688 Jabbhcfe.exe 40
PID 1688 wrote to memory of 2684 1688 Jabbhcfe.exe 40
PID 1688 wrote to memory of 2684 1688 Jabbhcfe.exe 40
PID 1688 wrote to memory of 2684 1688 Jabbhcfe.exe 40
PID 2684 wrote to memory of 1892 2684 Jhljdm32.exe 41
PID 2684 wrote to memory of 1892 2684 Jhljdm32.exe 41
PID 2684 wrote to memory of 1892 2684 Jhljdm32.exe 41
PID 2684 wrote to memory of 1892 2684 Jhljdm32.exe 41
PID 1892 wrote to memory of 2068 1892 Jofbag32.exe 42
PID 1892 wrote to memory of 2068 1892 Jofbag32.exe 42
PID 1892 wrote to memory of 2068 1892 Jofbag32.exe 42
PID 1892 wrote to memory of 2068 1892 Jofbag32.exe 42
PID 2068 wrote to memory of 2272 2068 Jqgoiokm.exe 43
PID 2068 wrote to memory of 2272 2068 Jqgoiokm.exe 43
PID 2068 wrote to memory of 2272 2068 Jqgoiokm.exe 43
PID 2068 wrote to memory of 2272 2068 Jqgoiokm.exe 43
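The two signatures above are the parts of this report a responder actually pivots on: the SSODL value under HKLM that names a CLSID, the InProcServer32 default value of that CLSID pointing at a freshly dropped DLL in SysWow64, and the chain of one-child-per-stage WriteProcessMemory calls. The following Python is an added example (not code from the sandbox vendor or the sample) that turns the report's raw lines into those indicators: it keys persistence writes by CLSID, unescapes the doubled backslashes the report prints, collapses the repeated WriteProcessMemory lines into parent-to-child edges with call counts, and rebuilds the spawn chain. The embedded log lines are copied from this page and are constructed input for the parser; the line format it expects is the one rendered here, and the chain walk assumes each stage spawns a single child, as the 16 edges logged above show.

```python
"""Extract Berbew persistence and process-chain IoCs from Triage-style log lines."""
import re
from collections import OrderedDict

# Constructed input: registry events exactly as the report renders them.
# Some report lines carry no process name; the parser tolerates that.
REGISTRY_LOG = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjdofm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnkakl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqfnjifg.dll" Lgpiij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" Abeemhkh.exe
'''

# Constructed input: WriteProcessMemory events; the sandbox logs one line per
# call, so a single parent->child pair shows up several times.
WPM_LOG = '''
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2792 wrote to memory of 2568 2792 46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe 28
PID 2568 wrote to memory of 2856 2568 Ilncom32.exe 29
PID 2568 wrote to memory of 2856 2568 Ilncom32.exe 29
PID 2856 wrote to memory of 2620 2856 Iompkh32.exe 30
'''

# "Set value (str) <path> = "<value>" [<proc>]" or "Key created <path> [<proc>]".
# The path is matched lazily because value names may contain spaces.
REG_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) (?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")?(?: (?P<proc>\S+\.exe))?$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\')
# "PID <parent> wrote to memory of <child> <parent> <parent image> <target idx>"
WPM_RE = re.compile(
    r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) '
    r'(?P=parent) (?P<parent_name>\S+) (?P<target>\d+)$')


def parse_registry_events(text):
    """Return one dict per parseable line: op, path, value (unescaped), proc."""
    events = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["value"] is not None:
            ev["value"] = ev["value"].replace("\\\\", "\\")  # report doubles backslashes
        events.append(ev)
    return events


def persistence_iocs(events):
    """Group the SSODL registration and its InProcServer32 DLLs by CLSID."""
    iocs = {}
    blank = lambda: {"ssodl_name": None, "dlls": [], "writers": set()}
    for ev in events:
        path, value, proc = ev["path"], ev["value"], ev["proc"]
        if "\\ShellServiceObjectDelayLoad\\" in path and value:
            entry = iocs.setdefault(value.upper(), blank())
            entry["ssodl_name"] = path.rsplit("\\", 1)[1]   # value name Explorer loads
        elif path.endswith("\\InProcServer32\\") and value:   # CLSID default value = DLL
            m = CLSID_RE.search(path)
            if not m:
                continue
            entry = iocs.setdefault(m.group(1).upper(), blank())
            if value not in entry["dlls"]:
                entry["dlls"].append(value)
        else:
            continue   # ThreadingModel and bare "Key created" lines add nothing new
        if proc:
            entry["writers"].add(proc)
    return iocs


def parse_wpm_events(text):
    """Collapse repeated WriteProcessMemory lines into (parent, child) -> (image, calls)."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["parent"]), int(m["child"]))
        name, count = edges.get(key, (m["parent_name"], 0))
        edges[key] = (name, count + 1)
    return edges


def process_chain(edges, root_pid):
    """Walk parent->child edges from the root; the chain here has one child per stage."""
    children = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    chain, pid, seen = [root_pid], root_pid, {root_pid}
    while pid in children:
        pid = children[pid][0]
        if pid in seen:          # guard against a malformed or cyclic log
            break
        seen.add(pid)
        chain.append(pid)
    return chain


if __name__ == "__main__":
    for clsid, e in persistence_iocs(parse_registry_events(REGISTRY_LOG)).items():
        print(clsid, e["ssodl_name"], e["dlls"], sorted(e["writers"]))
    edges = parse_wpm_events(WPM_LOG)
    for (p, c), (name, n) in edges.items():
        print(f"{name} ({p}) -> {c}: {n} WriteProcessMemory calls")
    print("chain:", " -> ".join(map(str, process_chain(edges, 2792))))
```

Run against the full report rather than the excerpt, the DLL list grows to one entry per stage that rewrote the InProcServer32 value, which is the set of files to pull from SysWow64 on an infected host; the SSODL value name and CLSID are the two registry keys to remove.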
Processes
-
C:\Users\Admin\AppData\Local\Temp\46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe (depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\46cdfeaab9ca638c63029eec886b8d5285d9802f73c5c48397586b0054e66e19.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2792
C:\Windows\SysWOW64\Ilncom32.exe (depth 2), command line: C:\Windows\system32\Ilncom32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2568
C:\Windows\SysWOW64\Iompkh32.exe (depth 3), command line: C:\Windows\system32\Iompkh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2856
C:\Windows\SysWOW64\Ijbdha32.exe (depth 4), command line: C:\Windows\system32\Ijbdha32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2620
C:\Windows\SysWOW64\Ioolqh32.exe (depth 5), command line: C:\Windows\system32\Ioolqh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2596
C:\Windows\SysWOW64\Iamimc32.exe (depth 6), command line: C:\Windows\system32\Iamimc32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2508
C:\Windows\SysWOW64\Ijdqna32.exe (depth 7), command line: C:\Windows\system32\Ijdqna32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1748
C:\Windows\SysWOW64\Ilcmjl32.exe (depth 8), command line: C:\Windows\system32\Ilcmjl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 568
C:\Windows\SysWOW64\Ioaifhid.exe (depth 9), command line: C:\Windows\system32\Ioaifhid.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1580
C:\Windows\SysWOW64\Idnaoohk.exe (depth 10), command line: C:\Windows\system32\Idnaoohk.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2812
C:\Windows\SysWOW64\Ileiplhn.exe (depth 11), command line: C:\Windows\system32\Ileiplhn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3060
C:\Windows\SysWOW64\Jocflgga.exe (depth 12), command line: C:\Windows\system32\Jocflgga.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2280
C:\Windows\SysWOW64\Jabbhcfe.exe (depth 13), command line: C:\Windows\system32\Jabbhcfe.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1688
C:\Windows\SysWOW64\Jhljdm32.exe (depth 14), command line: C:\Windows\system32\Jhljdm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2684
C:\Windows\SysWOW64\Jofbag32.exe (depth 15), command line: C:\Windows\system32\Jofbag32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1892
C:\Windows\SysWOW64\Jqgoiokm.exe (depth 16), command line: C:\Windows\system32\Jqgoiokm.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2068
C:\Windows\SysWOW64\Jkmcfhkc.exe (depth 17), command line: C:\Windows\system32\Jkmcfhkc.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2272
C:\Windows\SysWOW64\Jjpcbe32.exe (depth 18), command line: C:\Windows\system32\Jjpcbe32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 316
C:\Windows\SysWOW64\Jbgkcb32.exe (depth 19), command line: C:\Windows\system32\Jbgkcb32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1620
C:\Windows\SysWOW64\Jdehon32.exe (depth 20), command line: C:\Windows\system32\Jdehon32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2900
C:\Windows\SysWOW64\Jgcdki32.exe (depth 21), command line: C:\Windows\system32\Jgcdki32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 884
C:\Windows\SysWOW64\Jnmlhchd.exe (depth 22), command line: C:\Windows\system32\Jnmlhchd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1300
C:\Windows\SysWOW64\Jqlhdo32.exe (depth 23), command line: C:\Windows\system32\Jqlhdo32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1712
C:\Windows\SysWOW64\Jdgdempa.exe (depth 24), command line: C:\Windows\system32\Jdgdempa.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 940
C:\Windows\SysWOW64\Jcmafj32.exe (depth 25), command line: C:\Windows\system32\Jcmafj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2008
C:\Windows\SysWOW64\Kiijnq32.exe (depth 26), command line: C:\Windows\system32\Kiijnq32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2184
C:\Windows\SysWOW64\Kmefooki.exe (depth 27), command line: C:\Windows\system32\Kmefooki.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1600
C:\Windows\SysWOW64\Kconkibf.exe (depth 28), command line: C:\Windows\system32\Kconkibf.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2768
C:\Windows\SysWOW64\Kilfcpqm.exe (depth 29), command line: C:\Windows\system32\Kilfcpqm.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2496
C:\Windows\SysWOW64\Kkjcplpa.exe (depth 30), command line: C:\Windows\system32\Kkjcplpa.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2488
C:\Windows\SysWOW64\Kcakaipc.exe (depth 31), command line: C:\Windows\system32\Kcakaipc.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2104
C:\Windows\SysWOW64\Kbdklf32.exe (depth 32), command line: C:\Windows\system32\Kbdklf32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2724
C:\Windows\SysWOW64\Kebgia32.exe (depth 33), command line: C:\Windows\system32\Kebgia32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 536
C:\Windows\SysWOW64\Knklagmb.exe (depth 34), command line: C:\Windows\system32\Knklagmb.exe
- Executes dropped EXE
PID: 2952
C:\Windows\SysWOW64\Kbfhbeek.exe (depth 35), command line: C:\Windows\system32\Kbfhbeek.exe
- Executes dropped EXE
- Modifies registry class
PID: 1428
C:\Windows\SysWOW64\Keednado.exe (depth 36), command line: C:\Windows\system32\Keednado.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 676
C:\Windows\SysWOW64\Kgcpjmcb.exe (depth 37), command line: C:\Windows\system32\Kgcpjmcb.exe
- Executes dropped EXE
PID: 1948
C:\Windows\SysWOW64\Kbidgeci.exe (depth 38), command line: C:\Windows\system32\Kbidgeci.exe
- Executes dropped EXE
PID: 1800
C:\Windows\SysWOW64\Kgemplap.exe (depth 39), command line: C:\Windows\system32\Kgemplap.exe
- Executes dropped EXE
PID: 2348
C:\Windows\SysWOW64\Kjdilgpc.exe (depth 40), command line: C:\Windows\system32\Kjdilgpc.exe
- Executes dropped EXE
PID: 2284
C:\Windows\SysWOW64\Llcefjgf.exe (depth 41), command line: C:\Windows\system32\Llcefjgf.exe
- Executes dropped EXE
PID: 1908
C:\Windows\SysWOW64\Lmebnb32.exe (depth 42), command line: C:\Windows\system32\Lmebnb32.exe
- Executes dropped EXE
PID: 748
C:\Windows\SysWOW64\Lcojjmea.exe (depth 43), command line: C:\Windows\system32\Lcojjmea.exe
- Executes dropped EXE
PID: 1896
C:\Windows\SysWOW64\Lgjfkk32.exe (depth 44), command line: C:\Windows\system32\Lgjfkk32.exe
- Executes dropped EXE
PID: 3008
C:\Windows\SysWOW64\Lmgocb32.exe (depth 45), command line: C:\Windows\system32\Lmgocb32.exe
- Executes dropped EXE
PID: 664
C:\Windows\SysWOW64\Labkdack.exe (depth 46), command line: C:\Windows\system32\Labkdack.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 944
C:\Windows\SysWOW64\Ljkomfjl.exe (depth 47), command line: C:\Windows\system32\Ljkomfjl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2424
C:\Windows\SysWOW64\Lmikibio.exe (depth 48), command line: C:\Windows\system32\Lmikibio.exe
- Executes dropped EXE
PID: 1528
C:\Windows\SysWOW64\Lbfdaigg.exe (depth 49), command line: C:\Windows\system32\Lbfdaigg.exe
- Executes dropped EXE
PID: 1848
C:\Windows\SysWOW64\Liplnc32.exe (depth 50), command line: C:\Windows\system32\Liplnc32.exe
- Executes dropped EXE
PID: 2360
C:\Windows\SysWOW64\Llohjo32.exe (depth 51), command line: C:\Windows\system32\Llohjo32.exe
- Executes dropped EXE
PID: 1272
C:\Windows\SysWOW64\Lcfqkl32.exe (depth 52), command line: C:\Windows\system32\Lcfqkl32.exe
- Executes dropped EXE
PID: 1708
C:\Windows\SysWOW64\Lfdmggnm.exe (depth 53), command line: C:\Windows\system32\Lfdmggnm.exe
- Executes dropped EXE
PID: 2544
C:\Windows\SysWOW64\Libicbma.exe (depth 54), command line: C:\Windows\system32\Libicbma.exe
- Executes dropped EXE
PID: 2616
C:\Windows\SysWOW64\Mpmapm32.exe (depth 55), command line: C:\Windows\system32\Mpmapm32.exe
- Executes dropped EXE
PID: 2396
C:\Windows\SysWOW64\Mbkmlh32.exe (depth 56), command line: C:\Windows\system32\Mbkmlh32.exe
- Executes dropped EXE
- Modifies registry class
PID: 2808
C:\Windows\SysWOW64\Mhhfdo32.exe (depth 57), command line: C:\Windows\system32\Mhhfdo32.exe
- Executes dropped EXE
- Modifies registry class
PID: 2492
C:\Windows\SysWOW64\Mbmjah32.exe (depth 58), command line: C:\Windows\system32\Mbmjah32.exe
- Executes dropped EXE
PID: 1332
C:\Windows\SysWOW64\Melfncqb.exe (depth 59), command line: C:\Windows\system32\Melfncqb.exe
- Executes dropped EXE
PID: 1676
C:\Windows\SysWOW64\Migbnb32.exe (depth 60), command line: C:\Windows\system32\Migbnb32.exe
- Executes dropped EXE
PID: 960
C:\Windows\SysWOW64\Mkhofjoj.exe (depth 61), command line: C:\Windows\system32\Mkhofjoj.exe
- Executes dropped EXE
PID: 1916
C:\Windows\SysWOW64\Mbpgggol.exe (depth 62), command line: C:\Windows\system32\Mbpgggol.exe
- Executes dropped EXE
PID: 1900
C:\Windows\SysWOW64\Mencccop.exe (depth 63), command line: C:\Windows\system32\Mencccop.exe
- Executes dropped EXE
PID: 1872
C:\Windows\SysWOW64\Mdacop32.exe (depth 64), command line: C:\Windows\system32\Mdacop32.exe
- Executes dropped EXE
PID: 1632
C:\Windows\SysWOW64\Mkklljmg.exe (depth 65), command line: C:\Windows\system32\Mkklljmg.exe
- Executes dropped EXE
PID: 1904
C:\Windows\SysWOW64\Mmihhelk.exe (depth 66), command line: C:\Windows\system32\Mmihhelk.exe
PID: 2316
C:\Windows\SysWOW64\Meppiblm.exe (depth 67), command line: C:\Windows\system32\Meppiblm.exe
PID: 1692
C:\Windows\SysWOW64\Mdcpdp32.exe (depth 68), command line: C:\Windows\system32\Mdcpdp32.exe
PID: 2168
C:\Windows\SysWOW64\Mgalqkbk.exe (depth 69), command line: C:\Windows\system32\Mgalqkbk.exe
PID: 1736
C:\Windows\SysWOW64\Moidahcn.exe (depth 70), command line: C:\Windows\system32\Moidahcn.exe
PID: 1608
C:\Windows\SysWOW64\Magqncba.exe (depth 71), command line: C:\Windows\system32\Magqncba.exe
PID: 1308
C:\Windows\SysWOW64\Mpjqiq32.exe (depth 72), command line: C:\Windows\system32\Mpjqiq32.exe
PID: 2988
C:\Windows\SysWOW64\Ngdifkpi.exe (depth 73), command line: C:\Windows\system32\Ngdifkpi.exe
PID: 2576
C:\Windows\SysWOW64\Naimccpo.exe (depth 74), command line: C:\Windows\system32\Naimccpo.exe
PID: 1584
C:\Windows\SysWOW64\Ndhipoob.exe (depth 75), command line: C:\Windows\system32\Ndhipoob.exe
PID: 2652
C:\Windows\SysWOW64\Ngfflj32.exe (depth 76), command line: C:\Windows\system32\Ngfflj32.exe
- Drops file in System32 directory
PID: 2460
C:\Windows\SysWOW64\Nkbalifo.exe (depth 77), command line: C:\Windows\system32\Nkbalifo.exe
- Drops file in System32 directory
PID: 2660
C:\Windows\SysWOW64\Niebhf32.exe (depth 78), command line: C:\Windows\system32\Niebhf32.exe
PID: 1416
C:\Windows\SysWOW64\Npojdpef.exe (depth 79), command line: C:\Windows\system32\Npojdpef.exe
PID: 2188
C:\Windows\SysWOW64\Ncmfqkdj.exe (depth 80), command line: C:\Windows\system32\Ncmfqkdj.exe
PID: 2580
C:\Windows\SysWOW64\Nekbmgcn.exe (depth 81), command line: C:\Windows\system32\Nekbmgcn.exe
PID: 1944
C:\Windows\SysWOW64\Nigome32.exe (depth 82), command line: C:\Windows\system32\Nigome32.exe
PID: 2160
C:\Windows\SysWOW64\Npagjpcd.exe (depth 83), command line: C:\Windows\system32\Npagjpcd.exe
PID: 816
C:\Windows\SysWOW64\Nodgel32.exe (depth 84), command line: C:\Windows\system32\Nodgel32.exe
- System Location Discovery: System Language Discovery
PID: 2312
C:\Windows\SysWOW64\Nenobfak.exe (depth 85), command line: C:\Windows\system32\Nenobfak.exe
PID: 2340
C:\Windows\SysWOW64\Niikceid.exe (depth 86), command line: C:\Windows\system32\Niikceid.exe
PID: 2108
C:\Windows\SysWOW64\Npccpo32.exe (depth 87), command line: C:\Windows\system32\Npccpo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2984
C:\Windows\SysWOW64\Ncbplk32.exe (depth 88), command line: C:\Windows\system32\Ncbplk32.exe
- Drops file in System32 directory
PID: 772
C:\Windows\SysWOW64\Neplhf32.exe (depth 89), command line: C:\Windows\system32\Neplhf32.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1540
C:\Windows\SysWOW64\Nljddpfe.exe (depth 90), command line: C:\Windows\system32\Nljddpfe.exe
PID: 2648
C:\Windows\SysWOW64\Oohqqlei.exe (depth 91), command line: C:\Windows\system32\Oohqqlei.exe
PID: 2608
C:\Windows\SysWOW64\Oagmmgdm.exe (depth 92), command line: C:\Windows\system32\Oagmmgdm.exe
PID: 2612
C:\Windows\SysWOW64\Odeiibdq.exe (depth 93), command line: C:\Windows\system32\Odeiibdq.exe
PID: 2484
C:\Windows\SysWOW64\Ollajp32.exe (depth 94), command line: C:\Windows\system32\Ollajp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 272
C:\Windows\SysWOW64\Ookmfk32.exe (depth 95), command line: C:\Windows\system32\Ookmfk32.exe
PID: 992
C:\Windows\SysWOW64\Oeeecekc.exe (depth 96), command line: C:\Windows\system32\Oeeecekc.exe
PID: 2824
C:\Windows\SysWOW64\Ohcaoajg.exe (depth 97), command line: C:\Windows\system32\Ohcaoajg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2036
C:\Windows\SysWOW64\Okanklik.exe (depth 98), command line: C:\Windows\system32\Okanklik.exe
PID: 2140
C:\Windows\SysWOW64\Oomjlk32.exe (depth 99), command line: C:\Windows\system32\Oomjlk32.exe
- System Location Discovery: System Language Discovery
PID: 948
C:\Windows\SysWOW64\Oalfhf32.exe (depth 100), command line: C:\Windows\system32\Oalfhf32.exe
PID: 1364
C:\Windows\SysWOW64\Odjbdb32.exe (depth 101), command line: C:\Windows\system32\Odjbdb32.exe
PID: 904
C:\Windows\SysWOW64\Oghopm32.exe (depth 102), command line: C:\Windows\system32\Oghopm32.exe
PID: 2388
C:\Windows\SysWOW64\Onbgmg32.exe (depth 103), command line: C:\Windows\system32\Onbgmg32.exe
PID: 1596
C:\Windows\SysWOW64\Oancnfoe.exe (depth 104), command line: C:\Windows\system32\Oancnfoe.exe
PID: 2780
C:\Windows\SysWOW64\Odlojanh.exe (depth 105), command line: C:\Windows\system32\Odlojanh.exe
PID: 2592
C:\Windows\SysWOW64\Ogkkfmml.exe (depth 106), command line: C:\Windows\system32\Ogkkfmml.exe
PID: 2848
C:\Windows\SysWOW64\Oappcfmb.exe (depth 107), command line: C:\Windows\system32\Oappcfmb.exe
PID: 2672
C:\Windows\SysWOW64\Ocalkn32.exe (depth 108), command line: C:\Windows\system32\Ocalkn32.exe
PID: 2716
C:\Windows\SysWOW64\Pkidlk32.exe (depth 109), command line: C:\Windows\system32\Pkidlk32.exe
- System Location Discovery: System Language Discovery
PID: 1720
C:\Windows\SysWOW64\Pqemdbaj.exe (depth 110), command line: C:\Windows\system32\Pqemdbaj.exe
PID: 2024
C:\Windows\SysWOW64\Pgpeal32.exe (depth 111), command line: C:\Windows\system32\Pgpeal32.exe
PID: 1860
C:\Windows\SysWOW64\Pfbelipa.exe (depth 112), command line: C:\Windows\system32\Pfbelipa.exe
PID: 2368
C:\Windows\SysWOW64\Pmlmic32.exe (depth 113), command line: C:\Windows\system32\Pmlmic32.exe
PID: 2636
C:\Windows\SysWOW64\Pcfefmnk.exe (depth 114), command line: C:\Windows\system32\Pcfefmnk.exe
PID: 544
C:\Windows\SysWOW64\Pgbafl32.exe (depth 115), command line: C:\Windows\system32\Pgbafl32.exe
PID: 2060
C:\Windows\SysWOW64\Pjpnbg32.exe (depth 116), command line: C:\Windows\system32\Pjpnbg32.exe
PID: 2176
C:\Windows\SysWOW64\Pmojocel.exe (depth 117), command line: C:\Windows\system32\Pmojocel.exe
PID: 2400
C:\Windows\SysWOW64\Pcibkm32.exe (depth 118), command line: C:\Windows\system32\Pcibkm32.exe
- System Location Discovery: System Language Discovery
PID: 1544
C:\Windows\SysWOW64\Pfgngh32.exe (depth 119), command line: C:\Windows\system32\Pfgngh32.exe
PID: 2560
C:\Windows\SysWOW64\Pjbjhgde.exe (depth 120), command line: C:\Windows\system32\Pjbjhgde.exe
PID: 2776
C:\Windows\SysWOW64\Pkdgpo32.exe (depth 121), command line: C:\Windows\system32\Pkdgpo32.exe
PID: 1996
C:\Windows\SysWOW64\Pckoam32.exe (depth 122), command line: C:\Windows\system32\Pckoam32.exe
PID: 1624