Analysis
max time kernel: 121s
max time network: 128s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 03:48

Static task: static1
Behavioral task: behavioral1
  Sample: ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe
  Resource: win10v2004-20241007-en

General
Target: ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe
Size: 448KB
MD5: eb94054b23c9278fd362896a0866d1a8
SHA1: 7f50b7f77a57de1276b67ab395683a75789719aa
SHA256: ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88
SHA512: e91a2721d806962488b75aa1baae8cdbdc4ff3cf77c5d2fbb2552e9c518d09d165ebf585cfcc017723c48e2e129f48d30a3a87eda5a9e15a165cdb9169d63463
SSDEEP: 6144:xS5I8ftce6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZO5f7wj7vK/uk:xuvkY660fIaDZkY660f8jTK/h
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The third entry is a printf-style template: the %s, %i, %09u and %02d fields are filled in by the bot at run time, so a network indicator built from it has to match the shape of the query string rather than a fixed URL.
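The following is an added example, not code from the Triage report or from the Berbew sample: it compiles the three extracted URL templates into regular expressions (each printf conversion becomes a digit or width constraint) and runs them over a handful of constructed proxy-log lines. The log line format, the client addresses and the host 203.0.113.7 are assumptions; the extracted config carries only the one-character host "f", so matching is done on the request path and query only.

```python
import re

# Templates as listed in the extracted config above; the '%' fields are printf
# conversions that the bot fills in at run time.
C2_TEMPLATES = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

_SPEC = re.compile(r"%(0?)(\d*)([sdiu])")


def _spec_to_regex(m):
    """Map one printf conversion to a regex fragment (only the forms used above)."""
    zero, width, conv = m.groups()
    if conv == "s":
        return r"[^:&\s]+"            # string field, delimited by ':' in this template
    if zero and width:
        return r"\d{%s}" % width      # %09u, %02d: zero-padded, fixed width
    return r"\d+" if conv == "u" else r"-?\d+"   # %u unsigned, %d/%i may be signed


def template_to_regex(template):
    """Compile a template into a regex over the request path+query. The host is
    ignored: the extracted config only carries the placeholder host 'f'."""
    path = template.split("/", 3)[3]
    parts, pos = [], 0
    for m in _SPEC.finditer(path):
        parts.append(re.escape(path[pos:m.start()]))
        parts.append(_spec_to_regex(m))
        pos = m.end()
    parts.append(re.escape(path[pos:]))
    return re.compile("^/" + "".join(parts) + "$")


C2_PATTERNS = [(t, template_to_regex(t)) for t in C2_TEMPLATES]

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# Addresses and host are made up; the last line has a 4-digit field where the
# template demands exactly 9 digits and must not match.
SAMPLE_LOG = [
    "2024-11-23T03:50:12Z 10.0.0.15 GET http://203.0.113.7/piplog.php?WIN7-PC:1:0:ab12cd:000001234:5:03:48:12 200",
    "2024-11-23T03:50:13Z 10.0.0.15 GET http://203.0.113.7/wcmd.htm 200",
    "2024-11-23T03:50:20Z 10.0.0.15 POST http://203.0.113.7/ppslog.php 200",
    "2024-11-23T03:51:00Z 10.0.0.22 GET http://example.com/index.php?id=1 200",
    "2024-11-23T03:51:05Z 10.0.0.22 GET http://example.com/piplog.php?WIN7-PC:1:0:ab12cd:1234:5:03:48:12 200",
]

LOG_LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d+)$")


def scan_proxy_log(lines):
    """Return (client, matched template, url) for every request whose path+query
    matches one of the C2 templates."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, url = m.group(2), m.group(4)
        split = url.split("/", 3)
        if len(split) < 4:
            continue
        path = "/" + split[3]
        for template, rx in C2_PATTERNS:
            if rx.match(path):
                hits.append((client, template, url))
                break
    return hits


if __name__ == "__main__":
    for client, template, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {template}\n    {url}")
```

The width constraints are what keep the piplog rule tight: a generic "piplog.php?" string match would fire on the last sample line, the compiled pattern does not.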
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every dropped copy registers the same shell service object: a "Web Event Logger" value under ShellServiceObjectDelayLoad pointing at CLSID {79FAA099-1BAE-816E-D711-115290CEE717}. Explorer instantiates the CLSIDs listed under that key when the shell starts, so the DLL registered as that CLSID's InProcServer32 (see "Modifies registry class" below) is loaded into explorer.exe without needing a process of its own.

Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by: Abgaeddg.exe, Bgmolb32.exe, Hkkaik32.exe, Oiglfm32.exe, Jjilde32.exe, Qpmiahlp.exe, Iciaim32.exe, Dadcppbp.exe, Efolib32.exe, Oppbjn32.exe, Ipfkabpg.exe, Gmkjjbhg.exe, Ghpkbn32.exe, Hjmolp32.exe, Pejejkhl.exe, Iokhcodo.exe, Ejadibmh.exe, Mpaoojjb.exe, Nhookh32.exe, Eojoelcm.exe, Jcodcp32.exe, Glfjgaih.exe, Maocekoo.exe, Ecjibgdh.exe, Aflkiapg.exe, Ffaeneno.exe, Bomhnb32.exe, Nbbegl32.exe, Jfkbqcam.exe, Gbeaip32.exe, Gjpakdbl.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  by: Moccnoni.exe, Iijfoh32.exe, Ehdnkh32.exe, Ohmalgeb.exe, Djhldahb.exe, Pglclk32.exe, Nfpnnk32.exe, Lhpkoo32.exe, Cfhlbe32.exe, Incgfl32.exe, Lkafib32.exe, Lckdcn32.exe, Lqgjkbop.exe, Gnoocq32.exe, Afndjdpe.exe, Iokhcodo.exe, Ajdego32.exe, Lklmoccl.exe, Kgghgg32.exe, Nglmifca.exe, Lgphke32.exe, Lbnbfb32.exe, Ejadibmh.exe, Qpocno32.exe, Mkbhco32.exe, Ipfkabpg.exe, Dhibakmb.exe, Ffhkcpal.exe, Olokighn.exe, Jfpmifoa.exe, Mqjehngm.exe, Bkddjkej.exe, Kidjfl32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid   Process
1396  Qjdgpcmd.exe
2920  Qghgigkn.exe
2712  Afndjdpe.exe
2840  Afpapcnc.exe
2428  Abgaeddg.exe
2656  Aalofa32.exe
2624  Bjfpdf32.exe
2940  Bjiljf32.exe
2992  Bkkioeig.exe
2988  Bbfnchfb.exe
2176  Bdfjnkne.exe
572   Bpmkbl32.exe
2484  Ccnddg32.exe
2184  Ccpqjfnh.exe
980   Cofaog32.exe
700   Cnlnpd32.exe
772   Dpmgao32.exe
1252  Dcmpcjcf.exe
1948  Dcpmijqc.exe
1044  Dcbjni32.exe
2280  Doijcjde.exe
2288  Ebicee32.exe
1776  Eblpke32.exe
1792  Eqamla32.exe
2492  Ecbfmm32.exe
2876  Fphgbn32.exe
2836  Fbipdi32.exe
1240  Ffghjg32.exe
3048  Ffiepg32.exe
432   Fijnabef.exe
2680  Ghpkbn32.exe
2344  Gfdhck32.exe
2192  Gieaef32.exe
2588  Glfjgaih.exe
2068  Hajhpgag.exe
2744  Hginnmml.exe
2516  Iijfoh32.exe
1732  Ipfkabpg.exe
2092  Iokhcodo.exe
1048  Iciaim32.exe
2096  Jdmjfe32.exe
1572  Jgnchplb.exe
2080  Jnjhjj32.exe
1688  Kmoekf32.exe
1144  Kbqgolpf.exe
2420  Kkilgb32.exe
1412  Kfaljjdj.exe
920   Lajmkhai.exe
332   Lehfafgp.exe
1896  Laogfg32.exe
2432  Ljgkom32.exe
1476  Limhpihl.exe
2024  Mlmaad32.exe
1656  Miaaki32.exe
1076  Mbjfcnkg.exe
2364  Maocekoo.exe
2664  Moccnoni.exe
1300  Mlgdhcmb.exe
1664  Nmjmekan.exe
2120  Nknnnoph.exe
2252  Ncloha32.exe
1724  Npppaejj.exe
1172  Olgpff32.exe
2896  Ohmalgeb.exe
Loads dropped DLL (64 IoCs)
Each of the following 32 processes is listed twice in the report (64 entries in total):
pid   Process
564   ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe
1396  Qjdgpcmd.exe
2920  Qghgigkn.exe
2712  Afndjdpe.exe
2840  Afpapcnc.exe
2428  Abgaeddg.exe
2656  Aalofa32.exe
2624  Bjfpdf32.exe
2940  Bjiljf32.exe
2992  Bkkioeig.exe
2988  Bbfnchfb.exe
2176  Bdfjnkne.exe
572   Bpmkbl32.exe
2484  Ccnddg32.exe
2184  Ccpqjfnh.exe
980   Cofaog32.exe
700   Cnlnpd32.exe
772   Dpmgao32.exe
1252  Dcmpcjcf.exe
1948  Dcpmijqc.exe
1044  Dcbjni32.exe
2280  Doijcjde.exe
2288  Ebicee32.exe
1776  Eblpke32.exe
1792  Eqamla32.exe
2492  Ecbfmm32.exe
2876  Fphgbn32.exe
2836  Fbipdi32.exe
1240  Ffghjg32.exe
3048  Ffiepg32.exe
432   Fijnabef.exe
2680  Ghpkbn32.exe
Drops file in System32 directory (64 IoCs)
All drops land in C:\Windows\SysWOW64 (the 32-bit system directory on this x64 image) under eight-character names, many ending in "32" to resemble system binaries. Each dropped copy writes the next copy, which is what produces the long chain of executed processes above.

description  ioc  Process
File created  C:\Windows\SysWOW64\Hilakcna.dll  Ekmjanpd.exe
File created  C:\Windows\SysWOW64\Lgcpif32.dll  Bgmolb32.exe
File created  C:\Windows\SysWOW64\Hehconob.exe  Hefginae.exe
File created  C:\Windows\SysWOW64\Iaoddodf.exe  Hehconob.exe
File opened for modification  C:\Windows\SysWOW64\Koejqi32.exe  Kgghgg32.exe
File created  C:\Windows\SysWOW64\Gnldnbno.dll  Ohncdp32.exe
File created  C:\Windows\SysWOW64\Kidjfl32.exe  Kmmiaknb.exe
File created  C:\Windows\SysWOW64\Ogpkhb32.exe  Ocbbbd32.exe
File created  C:\Windows\SysWOW64\Lfdbcing.exe  Lqgjkbop.exe
File created  C:\Windows\SysWOW64\Nbaomf32.exe  Mncfgh32.exe
File created  C:\Windows\SysWOW64\Aqljdclg.exe  Ankabh32.exe
File created  C:\Windows\SysWOW64\Ajcmqj32.dll  Kgmkef32.exe
File created  C:\Windows\SysWOW64\Gakqdpmg.dll  Emfbgg32.exe
File created  C:\Windows\SysWOW64\Gpoghg32.dll  Gcapckod.exe
File opened for modification  C:\Windows\SysWOW64\Cpgglifo.exe  Ceacoqfi.exe
File opened for modification  C:\Windows\SysWOW64\Bqngjcje.exe  Agebam32.exe
File created  C:\Windows\SysWOW64\Fcmdpcle.exe  Fjdpgnee.exe
File opened for modification  C:\Windows\SysWOW64\Kobfqc32.exe  Kopikdgn.exe
File created  C:\Windows\SysWOW64\Nfncad32.exe  Mjgclcjh.exe
File opened for modification  C:\Windows\SysWOW64\Doijcjde.exe  Dcbjni32.exe
File created  C:\Windows\SysWOW64\Bbjlbi32.dll  Ffiepg32.exe
File opened for modification  C:\Windows\SysWOW64\Kgelahmn.exe  Knmghb32.exe
File created  C:\Windows\SysWOW64\Fdekigip.exe  Fofekp32.exe
File opened for modification  C:\Windows\SysWOW64\Keehmobp.exe  Jeblgodb.exe
File created  C:\Windows\SysWOW64\Ebpgoh32.exe  Eelfedpa.exe
File created  C:\Windows\SysWOW64\Hfiofefm.exe  Gegbpe32.exe
File opened for modification  C:\Windows\SysWOW64\Lmlofhmb.exe  Lddjmb32.exe
File created  C:\Windows\SysWOW64\Pkgjak32.dll  Omeini32.exe
File created  C:\Windows\SysWOW64\Mohkpn32.dll  Ddkbqfcp.exe
File opened for modification  C:\Windows\SysWOW64\Edmkei32.exe  Ehfkphnd.exe
File created  C:\Windows\SysWOW64\Moljfnpo.dll  Pllhib32.exe
File created  C:\Windows\SysWOW64\Jeblgodb.exe  Jljgni32.exe
File created  C:\Windows\SysWOW64\Okgiokkl.dll  Pejejkhl.exe
File opened for modification  C:\Windows\SysWOW64\Bncboo32.exe  Bhfjgh32.exe
File created  C:\Windows\SysWOW64\Faqkji32.dll  Moccnoni.exe
File opened for modification  C:\Windows\SysWOW64\Jjilde32.exe  Jnbkodci.exe
File created  C:\Windows\SysWOW64\Nejdjf32.exe  Nhfdqb32.exe
File created  C:\Windows\SysWOW64\Njlcah32.exe  Nbaomf32.exe
File opened for modification  C:\Windows\SysWOW64\Ijpjik32.exe  Iecaad32.exe
File opened for modification  C:\Windows\SysWOW64\Ljgkom32.exe  Laogfg32.exe
File created  C:\Windows\SysWOW64\Aeepjh32.exe  Aioodg32.exe
File created  C:\Windows\SysWOW64\Ffhkcpal.exe  Ffenmp32.exe
File created  C:\Windows\SysWOW64\Qoobod32.dll  Mkbhco32.exe
File created  C:\Windows\SysWOW64\Bnfodojp.exe  Bncboo32.exe
File opened for modification  C:\Windows\SysWOW64\Olgpff32.exe  Npppaejj.exe
File opened for modification  C:\Windows\SysWOW64\Cikbjpqd.exe  Capmemci.exe
File created  C:\Windows\SysWOW64\Kgelahmn.exe  Knmghb32.exe
File opened for modification  C:\Windows\SysWOW64\Olnipn32.exe  Oimpnc32.exe
File created  C:\Windows\SysWOW64\Cfmjoe32.exe  Cghmni32.exe
File created  C:\Windows\SysWOW64\Lhjcendg.dll  Kblooa32.exe
File created  C:\Windows\SysWOW64\Ajqmqmfm.dll  Hmlmacfn.exe
File created  C:\Windows\SysWOW64\Flffpf32.dll  Bkkioeig.exe
File created  C:\Windows\SysWOW64\Qnekmihd.dll  Iokhcodo.exe
File created  C:\Windows\SysWOW64\Oajopl32.exe  Ohbjgg32.exe
File opened for modification  C:\Windows\SysWOW64\Cakfcfoc.exe  Baiingae.exe
File opened for modification  C:\Windows\SysWOW64\Hchpjddc.exe  Hgaoec32.exe
File created  C:\Windows\SysWOW64\Jomadboo.dll  Ceacoqfi.exe
File opened for modification  C:\Windows\SysWOW64\Enepnoji.exe  Edmkei32.exe
File opened for modification  C:\Windows\SysWOW64\Cpemob32.exe  Cpcpjbah.exe
File created  C:\Windows\SysWOW64\Infjfblm.exe  Ifkfap32.exe
File opened for modification  C:\Windows\SysWOW64\Jifkmh32.exe  Jblbpnhk.exe
File created  C:\Windows\SysWOW64\Heenafpn.dll  Ollncgjq.exe
File created  C:\Windows\SysWOW64\Ekbglc32.dll  Ljgkom32.exe
File opened for modification  C:\Windows\SysWOW64\Mbjfcnkg.exe  Miaaki32.exe
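As an added example (not code from the report or from the sample), the three signatures above (dropped EXEs executed, dropped DLLs loaded, files dropped in SysWOW64) can be joined into one detection: a parent that writes a binary into the system directory and then executes it, repeated hop after hop. The Sysmon-style event records below are constructed. Image names and PIDs come from this report, but the individual drop events for the first four hops, the sample's on-disk path, the msiexec rows and the minimum-hop threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe"
SYS = r"C:\Windows\SysWOW64"

# Constructed events in the shape of Sysmon FileCreate (EID 11) and ProcessCreate
# (EID 1) records, in time order. Names and PIDs are from the report; the
# sample path, the first four drop events and the msiexec rows are assumed.
EVENTS = [
    {"eid": 11, "pid": 564,  "image": SAMPLE,                 "target": SYS + r"\Qjdgpcmd.exe"},
    {"eid": 1,  "pid": 1396, "image": SYS + r"\Qjdgpcmd.exe", "parent": SAMPLE},
    {"eid": 11, "pid": 1396, "image": SYS + r"\Qjdgpcmd.exe", "target": SYS + r"\Qghgigkn.exe"},
    {"eid": 1,  "pid": 2920, "image": SYS + r"\Qghgigkn.exe", "parent": SYS + r"\Qjdgpcmd.exe"},
    {"eid": 11, "pid": 2920, "image": SYS + r"\Qghgigkn.exe", "target": SYS + r"\Afndjdpe.exe"},
    {"eid": 1,  "pid": 2712, "image": SYS + r"\Afndjdpe.exe", "parent": SYS + r"\Qghgigkn.exe"},
    {"eid": 11, "pid": 2712, "image": SYS + r"\Afndjdpe.exe", "target": SYS + r"\Afpapcnc.exe"},
    {"eid": 1,  "pid": 2840, "image": SYS + r"\Afpapcnc.exe", "parent": SYS + r"\Afndjdpe.exe"},
    # a drop/run pair and a DLL drop that the report shows directly
    {"eid": 11, "pid": 1044, "image": SYS + r"\Dcbjni32.exe", "target": SYS + r"\Doijcjde.exe"},
    {"eid": 1,  "pid": 2280, "image": SYS + r"\Doijcjde.exe", "parent": SYS + r"\Dcbjni32.exe"},
    {"eid": 11, "pid": 2432, "image": SYS + r"\Ljgkom32.exe", "target": SYS + r"\Ekbglc32.dll"},
    # benign (constructed): an installer writes a file that is never executed as a process
    {"eid": 11, "pid": 900,  "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\Windows\System32\drivers\vendor.sys"},
    {"eid": 1,  "pid": 901,  "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\services.exe"},
]

# Naming pattern of the dropped files in this report: capital letter, seven or
# five lower-case letters, optional "32" suffix. An observation, not a Berbew constant.
DROPPED_NAME = re.compile(r"^[A-Z][a-z]{5,7}(?:32)?\.(?:exe|dll)$")


def drop_and_run_edges(events):
    """(parent, child) pairs where the parent wrote the child's binary and then ran it."""
    created_by = {}                                   # lower(path) -> lower(creator image)
    edges = []
    for ev in events:
        if ev["eid"] == 11:
            created_by[ev["target"].lower()] = ev["image"].lower()
        elif ev["eid"] == 1 and created_by.get(ev["image"].lower()) == ev["parent"].lower():
            edges.append((ev["parent"], ev["image"]))
    return edges


def drop_chains(edges):
    """Expand edges into root-to-leaf paths; roots are images that nobody dropped."""
    children, dropped = defaultdict(list), set()
    for parent, child in edges:
        children[parent].append(child)
        dropped.add(child)
    paths = []

    def walk(node, path):
        if not children.get(node):
            paths.append(path)
            return
        for child in children[node]:
            walk(child, path + [child])

    for root in dict.fromkeys(p for p, _ in edges if p not in dropped):
        walk(root, [root])
    return paths


def flag_worm_chains(events, min_hops=3):
    """Chains of at least min_hops drop-and-run steps whose dropped binaries all
    sit in SysWOW64 and follow the naming pattern seen in this report."""
    findings = []
    for chain in drop_chains(drop_and_run_edges(events)):
        dropped = chain[1:]
        if (len(dropped) >= min_hops
                and all(p.lower().startswith(SYS.lower() + "\\") for p in dropped)
                and all(DROPPED_NAME.match(p.rsplit("\\", 1)[-1]) for p in dropped)):
            findings.append({"root": chain[0], "hops": len(dropped), "chain": chain})
    return findings


if __name__ == "__main__":
    for f in flag_worm_chains(EVENTS):
        print(f["hops"], "hops from", f["root"])
        for step in f["chain"]:
            print("   ", step)
```

The join on "creator of the child's image == parent of the child process" is what separates this from ordinary installer behaviour: msiexec writing a driver, or services.exe starting msiexec, produces no edge because no process is ever started from the file that was written.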
Program crash (1 IoC)
pid   Process       pid_target  procid_target
3608  WerFault.exe  4008        559
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Many legitimate processes open this key during normal locale initialisation, so on its own it is a low-fidelity indicator; it is worth noting here only because every dropped copy performs the read.

Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: Jaffca32.exe, Ibeeeijg.exe, Mnnhjk32.exe, Kdilkllh.exe, Cedbmi32.exe, Lbnbfb32.exe, Oiglfm32.exe, Phhhchlp.exe, Eqamla32.exe, Ilhlan32.exe, Cpcpjbah.exe, Dmalmdcg.exe, Hmlmacfn.exe, Kkilgb32.exe, Cikbjpqd.exe, Ilpkel32.exe, Jeblgodb.exe, Oikeal32.exe, Denknngk.exe, Jpcfih32.exe, Fialggcl.exe, Dcpmijqc.exe, Kopikdgn.exe, Moflkfca.exe, Lehfafgp.exe, Ffpkob32.exe, Hgaoec32.exe, Jdmjfe32.exe, Ifkfap32.exe, Ehopnk32.exe, Lfdbcing.exe, Kidjfl32.exe, Lqgjkbop.exe, Bnekcm32.exe, Jhfljm32.exe, Gmjbchnq.exe, Jblbpnhk.exe, Kccian32.exe, Iocdmccp.exe, Ifoljn32.exe, Lkafib32.exe, Fpijgk32.exe, Ffhkcpal.exe, Kegebn32.exe, Jhgnbehe.exe, Pojgnf32.exe, Ejadibmh.exe, Ifniaeqk.exe, Ckgmon32.exe, Jfadoaih.exe, Gjpakdbl.exe, Ncbdjhnf.exe, Ofbikf32.exe, Gggclfkj.exe, Keehmobp.exe, Okdahbmm.exe, Kgmkef32.exe, Pdamhocm.exe, Kihcakpa.exe, Dieiap32.exe, Ikkmho32.exe, Cqlhlo32.exe, Bbfnchfb.exe, Iockhigl.exe
Modifies registry class (64 IoCs)
The sample creates the CLSID key, and each dropped copy registers {79FAA099-1BAE-816E-D711-115290CEE717} as an in-process COM server: the InProcServer32 default value points at a freshly named DLL in SysWow64 and ThreadingModel is set to "Apartment". Combined with the ShellServiceObjectDelayLoad entry above, this DLL is what Explorer loads at shell start, so the DLL path rather than the CLSID is the indicator worth hunting for on other hosts.

Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  by: ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  by: Nqijmkfm.exe, Dnlolhoo.exe, Eojoelcm.exe, Qckcdj32.exe, Mbkkepio.exe, Gbkaneao.exe, Iihgadhl.exe, Doijcjde.exe, Ffenmp32.exe, Dlqgob32.exe, Bpfhfjgq.exe, Moccnoni.exe, Mhbflj32.exe, Bqambacb.exe, Chgimh32.exe, Abgaeddg.exe, Mnneabff.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  by: Ikkmho32.exe, Kbqgolpf.exe, Hefginae.exe, Lddjmb32.exe, Dcmpcjcf.exe, Ifkfap32.exe, Efllcf32.exe, Icjmpd32.exe, Iijfoh32.exe, Neekogkm.exe, Emqaaabg.exe, Cmapna32.exe, Gjcekj32.exe, Cqlhlo32.exe, Aqljdclg.exe, Mjbghkfi.exe, Oomlfpdi.exe, Aocgll32.exe, Jcodcp32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = DLL path
  Hmheol32.exe  "C:\\Windows\\SysWow64\\Fdakeeob.dll"
  Iockhigl.exe  "C:\\Windows\\SysWow64\\Ecgckc32.dll"
  Mjbghkfi.exe  "C:\\Windows\\SysWow64\\Jfidah32.dll"
  Ogpkhb32.exe  "C:\\Windows\\SysWow64\\Njmlqd32.dll"
  Bjomoo32.exe  "C:\\Windows\\SysWow64\\Hgmhld32.dll"
  Mjmnmk32.exe  "C:\\Windows\\SysWow64\\Gnfmhdpb.dll"
  Lhpkoo32.exe  "C:\\Windows\\SysWow64\\Hmmjcc32.dll"
  Ijpjik32.exe  "C:\\Windows\\SysWow64\\Jlpjpc32.dll"
  Aajedn32.exe  "C:\\Windows\\SysWow64\\Jgopbe32.dll"
  Bnhncclq.exe  "C:\\Windows\\SysWow64\\Okmbclmp.dll"
  Hbccklmj.exe  "C:\\Windows\\SysWow64\\Mhnpob32.dll"
  Gmkjjbhg.exe  "C:\\Windows\\SysWow64\\Idlfno32.dll"
  Ollcee32.exe  "C:\\Windows\\SysWow64\\Mfdfng32.dll"
  Mpaoojjb.exe  "C:\\Windows\\SysWow64\\Qndhopgo.dll"
  Ejadibmh.exe  "C:\\Windows\\SysWow64\\Egknpp32.dll"
  Ilhlan32.exe  "C:\\Windows\\SysWow64\\Gijcmo32.dll"
  Eojoelcm.exe  "C:\\Windows\\SysWow64\\Hekqpj32.dll"
  Qakmghbm.exe  "C:\\Windows\\SysWow64\\Haakdn32.dll"
  Ccnddg32.exe  "C:\\Windows\\SysWow64\\Ggqbii32.dll"
Key created
Processes in the report's list for this signature whose rows are cut off in the source: Nmjmekan.exe, Ecjibgdh.exe, Nhfdqb32.exe, Gbeaip32.exe, Jacjna32.exe, Lkafib32.exe, Cmjoaofc.exe, Fijnabef.exe
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmjmekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecjibgdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhfdqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbhgphd.dll" Gbeaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jacjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkafib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmjoaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fijnabef.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe"C:\Users\Admin\AppData\Local\Temp\ce67b5f707304def83e91404e8d6129557114fced66929d26da13ff46a34ec88.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Qjdgpcmd.exeC:\Windows\system32\Qjdgpcmd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Qghgigkn.exeC:\Windows\system32\Qghgigkn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Afpapcnc.exeC:\Windows\system32\Afpapcnc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Abgaeddg.exeC:\Windows\system32\Abgaeddg.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Aalofa32.exeC:\Windows\system32\Aalofa32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bjfpdf32.exeC:\Windows\system32\Bjfpdf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Bjiljf32.exeC:\Windows\system32\Bjiljf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Cofaog32.exeC:\Windows\system32\Cofaog32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Dcbjni32.exeC:\Windows\system32\Dcbjni32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Doijcjde.exeC:\Windows\system32\Doijcjde.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Ebicee32.exeC:\Windows\system32\Ebicee32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Eblpke32.exeC:\Windows\system32\Eblpke32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Ecbfmm32.exeC:\Windows\system32\Ecbfmm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Fphgbn32.exeC:\Windows\system32\Fphgbn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Ffghjg32.exeC:\Windows\system32\Ffghjg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Ffiepg32.exeC:\Windows\system32\Ffiepg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Gfdhck32.exeC:\Windows\system32\Gfdhck32.exe33⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe34⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Glfjgaih.exeC:\Windows\system32\Glfjgaih.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hajhpgag.exeC:\Windows\system32\Hajhpgag.exe36⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Hginnmml.exeC:\Windows\system32\Hginnmml.exe37⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Iijfoh32.exeC:\Windows\system32\Iijfoh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Ipfkabpg.exeC:\Windows\system32\Ipfkabpg.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Jdmjfe32.exeC:\Windows\system32\Jdmjfe32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Jgnchplb.exeC:\Windows\system32\Jgnchplb.exe43⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Jnjhjj32.exeC:\Windows\system32\Jnjhjj32.exe44⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Kmoekf32.exeC:\Windows\system32\Kmoekf32.exe45⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Kbqgolpf.exeC:\Windows\system32\Kbqgolpf.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Kkilgb32.exeC:\Windows\system32\Kkilgb32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Kfaljjdj.exeC:\Windows\system32\Kfaljjdj.exe48⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Lajmkhai.exeC:\Windows\system32\Lajmkhai.exe49⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Lehfafgp.exeC:\Windows\system32\Lehfafgp.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:332 -
C:\Windows\SysWOW64\Laogfg32.exeC:\Windows\system32\Laogfg32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Ljgkom32.exeC:\Windows\system32\Ljgkom32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe53⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Mlmaad32.exeC:\Windows\system32\Mlmaad32.exe54⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Mbjfcnkg.exeC:\Windows\system32\Mbjfcnkg.exe56⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Moccnoni.exeC:\Windows\system32\Moccnoni.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Mlgdhcmb.exeC:\Windows\system32\Mlgdhcmb.exe59⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Nmjmekan.exeC:\Windows\system32\Nmjmekan.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Nknnnoph.exeC:\Windows\system32\Nknnnoph.exe61⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ncloha32.exeC:\Windows\system32\Ncloha32.exe62⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Npppaejj.exeC:\Windows\system32\Npppaejj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe64⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Ohmalgeb.exeC:\Windows\system32\Ohmalgeb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Oojfnakl.exeC:\Windows\system32\Oojfnakl.exe66⤵PID:2496
-
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe67⤵
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe68⤵PID:1924
-
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe69⤵PID:1872
-
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe70⤵PID:2520
-
C:\Windows\SysWOW64\Pdndggcl.exeC:\Windows\system32\Pdndggcl.exe71⤵PID:1920
-
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe72⤵PID:2512
-
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe73⤵PID:2872
-
C:\Windows\SysWOW64\Pibgfjdh.exeC:\Windows\system32\Pibgfjdh.exe74⤵PID:908
-
C:\Windows\SysWOW64\Pbjkop32.exeC:\Windows\system32\Pbjkop32.exe75⤵PID:2084
-
C:\Windows\SysWOW64\Qfhddn32.exeC:\Windows\system32\Qfhddn32.exe76⤵PID:1744
-
C:\Windows\SysWOW64\Ajociq32.exeC:\Windows\system32\Ajociq32.exe77⤵PID:1784
-
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe78⤵PID:2076
-
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe79⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Bedcembk.exeC:\Windows\system32\Bedcembk.exe80⤵PID:1508
-
C:\Windows\SysWOW64\Bomhnb32.exeC:\Windows\system32\Bomhnb32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe83⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Capmemci.exeC:\Windows\system32\Capmemci.exe84⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe85⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe86⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe87⤵PID:1956
-
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe88⤵PID:1676
-
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe89⤵PID:1224
-
C:\Windows\SysWOW64\Ddliklgk.exeC:\Windows\system32\Ddliklgk.exe90⤵PID:1692
-
C:\Windows\SysWOW64\Dhibakmb.exeC:\Windows\system32\Dhibakmb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Ddpbfl32.exeC:\Windows\system32\Ddpbfl32.exe92⤵PID:1608
-
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Dgalhgpg.exeC:\Windows\system32\Dgalhgpg.exe94⤵PID:2380
-
C:\Windows\SysWOW64\Edelakoq.exeC:\Windows\system32\Edelakoq.exe95⤵PID:368
-
C:\Windows\SysWOW64\Ejadibmh.exeC:\Windows\system32\Ejadibmh.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe98⤵PID:1376
-
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe99⤵PID:1880
-
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe100⤵PID:1328
-
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe102⤵PID:3056
-
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe103⤵PID:1748
-
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe104⤵PID:2996
-
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe105⤵PID:2232
-
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe106⤵PID:2260
-
C:\Windows\SysWOW64\Fgjkmijh.exeC:\Windows\system32\Fgjkmijh.exe107⤵PID:2532
-
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe108⤵PID:2924
-
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe109⤵PID:2608
-
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe110⤵PID:1944
-
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe111⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe112⤵PID:592
-
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe113⤵PID:2600
-
C:\Windows\SysWOW64\Hfodmhbk.exeC:\Windows\system32\Hfodmhbk.exe114⤵PID:632
-
C:\Windows\SysWOW64\Hadhjaaa.exeC:\Windows\system32\Hadhjaaa.exe115⤵PID:1964
-
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe116⤵PID:1736
-
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe117⤵PID:2796
-
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe118⤵PID:896
-
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe119⤵PID:1436
-
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Iaddid32.exeC:\Windows\system32\Iaddid32.exe122⤵PID:1564