Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe
-
Size
74KB
-
MD5
522139bea7c0a2453b253af92bb17140
-
SHA1
8e6e24828e15dce74e06134661226a21593e7e7a
-
SHA256
dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922d
-
SHA512
889b4545975cc7e059f2e0044cb1dcc0e203279677441381222a168d8e470661ad641a01ac523ac45631da7f826311eb961a297413c266b484ebed7f76c19d05
-
SSDEEP
1536:R43kxdnVxuCLYO2u5r/3vqY78vOWf9xxOLvWrjg:RZnVMCULuF/3vFgvOW1xxOjW4
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ffqhcq32.exePpolhcnm.exeAaenbd32.exeKocgbend.exeOklkdi32.exeKnooej32.exeLjeafb32.exeLlhikacp.exeFbhpch32.exeKggcnoic.exeBhkmec32.exeAhdpjn32.exeCobkhb32.exeJohggfha.exeAhenokjf.exeCndeii32.exeFihnomjp.exePeieba32.exeBomkcm32.exeDoagjc32.exeEkjded32.exeMljmhflh.exeHcmbee32.exeNabfjpak.exeCkclhn32.exeDickplko.exeBheplb32.exeAlpbecod.exeCnindhpg.exeFbbicl32.exeFnkfmm32.exeOjqcnhkl.exeAehgnied.exeGimqajgh.exeKpanan32.exeNqaiecjd.exeDokgdkeh.exeQpbnhl32.exeBfpdin32.exeOhhnbhok.exePkgcea32.exeOpclldhj.exeFqikob32.exePlbmokop.exeFfaong32.exeLqbncb32.exeEqdpgk32.exeKplmliko.exePfhmjf32.exeEaceghcg.exeKmieae32.exeGkaclqkk.exeKolabf32.exeGjficg32.exeEiieicml.exeBigbmpco.exeIdkkpf32.exeHipmfjee.exeAdkqoohc.exeKhbiello.exeMcoljagj.exeDcphdqmj.exeLejgch32.exeDjhimica.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqhcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaenbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kggcnoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkmec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cobkhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johggfha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahenokjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fihnomjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peieba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bomkcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doagjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjded32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mljmhflh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dickplko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnindhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aehgnied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dokgdkeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbnhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpdin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhnbhok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkgcea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqikob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqdpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kplmliko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfhmjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaceghcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkaclqkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolabf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjficg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bigbmpco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khbiello.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcoljagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcphdqmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djhimica.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Leenhhdn.exeLkofdbkj.exeLnnbqnjn.exeLalnmiia.exeLgffic32.exeLnpofnhk.exeLejgch32.exeLjgpkonp.exeLbngllob.exeLihpif32.exeLjilqnlm.exeLeopnglc.exeLlhikacp.exeMbbagk32.exeMilidebi.exeMlkepaam.exeMbenmk32.exeMiofjepg.exeMnlnbl32.exeMajjng32.exeMhdckaeo.exeMalgcg32.exeMlbkap32.exeMblcnj32.exeMejpje32.exeMhilfa32.exeNobdbkhf.exeNihipdhl.exeNhkikq32.exeNjiegl32.exeNacmdf32.exeNijeec32.exeNhmeapmd.exeNklbmllg.exeNafjjf32.exeNimbkc32.exeNojjcj32.exeNeccpd32.exeNlnkmnah.exeNajceeoo.exeNhdlao32.exeObjpoh32.exeOidhlb32.exeOkedcjcm.exeOblmdhdo.exeOifeab32.exeOkgaijaj.exeOihagaji.exeObafpg32.exeOklkdi32.exeOeaoab32.exePojcjh32.exePedlgbkh.exePhbhcmjl.exePchlpfjb.exePhedhmhi.exePkcadhgm.exePeieba32.exePlbmokop.exePekbga32.exePkhjph32.exePabblb32.exeQofcff32.exeQcaofebg.exepid Process 3200 Leenhhdn.exe 1136 Lkofdbkj.exe 1728 Lnnbqnjn.exe 912 Lalnmiia.exe 824 Lgffic32.exe 4252 Lnpofnhk.exe 4800 Lejgch32.exe 4072 Ljgpkonp.exe 1736 Lbngllob.exe 3312 Lihpif32.exe 4236 Ljilqnlm.exe 3284 Leopnglc.exe 620 Llhikacp.exe 1348 Mbbagk32.exe 1440 Milidebi.exe 184 Mlkepaam.exe 4772 Mbenmk32.exe 4912 Miofjepg.exe 3804 Mnlnbl32.exe 4888 Majjng32.exe 3180 Mhdckaeo.exe 4840 Malgcg32.exe 4228 Mlbkap32.exe 1856 Mblcnj32.exe 2248 Mejpje32.exe 4404 Mhilfa32.exe 1536 Nobdbkhf.exe 1772 Nihipdhl.exe 4816 Nhkikq32.exe 3468 Njiegl32.exe 2376 Nacmdf32.exe 1696 Nijeec32.exe 372 Nhmeapmd.exe 3552 Nklbmllg.exe 4972 Nafjjf32.exe 4992 Nimbkc32.exe 2956 Nojjcj32.exe 2112 Neccpd32.exe 2396 Nlnkmnah.exe 1252 Najceeoo.exe 4268 Nhdlao32.exe 1012 Objpoh32.exe 1424 Oidhlb32.exe 1368 Okedcjcm.exe 1828 Oblmdhdo.exe 4020 Oifeab32.exe 4084 Okgaijaj.exe 5088 Oihagaji.exe 4372 Obafpg32.exe 3792 Oklkdi32.exe 800 Oeaoab32.exe 3600 Pojcjh32.exe 1568 Pedlgbkh.exe 3576 Phbhcmjl.exe 1984 Pchlpfjb.exe 4360 Phedhmhi.exe 2004 Pkcadhgm.exe 2704 Peieba32.exe 1084 Plbmokop.exe 3764 Pekbga32.exe 4260 Pkhjph32.exe 1988 Pabblb32.exe 4676 Qofcff32.exe 3280 Qcaofebg.exe -
Drops file in System32 directory 64 IoCs
Processes:
Aakebqbj.exeBkdcbd32.exeLnjnqh32.exeMcgiefen.exePjpfjl32.exeCncnob32.exeAhqddk32.exeGipdap32.exePahilmoc.exeMonjjgkb.exeDqbcbkab.exeEhpadhll.exeIbgdlg32.exeGcjdam32.exeEidlnd32.exeIlcldb32.exeLcdciiec.exeCkebcg32.exeHajkqfoe.exeAmnebo32.exeNhkikq32.exeKdmqmc32.exeJleijb32.exeAokkahlo.exeFnkfmm32.exeIlfennic.exeDdhomdje.exeLjgpkonp.exeCcpdoqgd.exeHcmbee32.exeDbpjaeoc.exeCacckp32.exeGpdennml.exeOmfekbdh.exePiocecgj.exeBkafmd32.exeApnndj32.exePplhhm32.exeFjeplijj.exeCnahdi32.exeHgfapd32.exeNcqlkemc.exeBdagpnbk.exeAjggomog.exePefabkej.exeCbbnpg32.exeMmpmnl32.exeLoofnccf.exeCgiohbfi.exeNmlddqem.exeGaqhjggp.exeFggdpnkf.exeLeenhhdn.exeIkkpgafg.exeLjfhqh32.exeLlmhaold.exeGeoapenf.exeLakfeodm.exeOmopjcjp.exeCfldelik.exeBnoknihb.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Afgacokc.exe Aakebqbj.exe File created C:\Windows\SysWOW64\Bbnkonbd.exe Bkdcbd32.exe File opened for modification C:\Windows\SysWOW64\Lddgmbpb.exe Lnjnqh32.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Mcgiefen.exe File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe Pjpfjl32.exe File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe Cncnob32.exe File created C:\Windows\SysWOW64\Klobfk32.dll Ahqddk32.exe File created C:\Windows\SysWOW64\Hdehni32.exe Gipdap32.exe File created C:\Windows\SysWOW64\Ngbjmd32.dll Pahilmoc.exe File created C:\Windows\SysWOW64\Hilpobpd.dll Monjjgkb.exe File created C:\Windows\SysWOW64\Dglkoeio.exe Dqbcbkab.exe File created C:\Windows\SysWOW64\Ekonpckp.exe Ehpadhll.exe File created C:\Windows\SysWOW64\Iefphb32.exe Ibgdlg32.exe File created C:\Windows\SysWOW64\Paifdeda.dll Gcjdam32.exe File opened for modification C:\Windows\SysWOW64\Eblpgjha.exe Eidlnd32.exe File created C:\Windows\SysWOW64\Jcmdaljn.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Lnjgfb32.exe Lcdciiec.exe File opened for modification C:\Windows\SysWOW64\Cncnob32.exe Ckebcg32.exe File created C:\Windows\SysWOW64\Hhdcmp32.exe Hajkqfoe.exe File opened for modification C:\Windows\SysWOW64\Affikdfn.exe Amnebo32.exe File created C:\Windows\SysWOW64\Njiegl32.exe Nhkikq32.exe File created C:\Windows\SysWOW64\Knfeeimj.exe Kdmqmc32.exe File created C:\Windows\SysWOW64\Bdimkqnb.dll Jleijb32.exe File created C:\Windows\SysWOW64\Aajhndkb.exe Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Feenjgfq.exe Fnkfmm32.exe File created C:\Windows\SysWOW64\Inebjihf.exe Ilfennic.exe File created C:\Windows\SysWOW64\Bopnkd32.dll Ddhomdje.exe File opened for modification C:\Windows\SysWOW64\Lbngllob.exe Ljgpkonp.exe File created C:\Windows\SysWOW64\Cfnqklgh.exe Ccpdoqgd.exe File opened for modification C:\Windows\SysWOW64\Hkdjfb32.exe Hcmbee32.exe File opened for modification C:\Windows\SysWOW64\Dijbno32.exe Dbpjaeoc.exe File created C:\Windows\SysWOW64\Cdbpgl32.exe Cacckp32.exe File opened for modification C:\Windows\SysWOW64\Geanfelc.exe Gpdennml.exe File created C:\Windows\SysWOW64\Pqbala32.exe Omfekbdh.exe File created C:\Windows\SysWOW64\Ppikbm32.exe Piocecgj.exe File created C:\Windows\SysWOW64\Bcinna32.exe Bkafmd32.exe File created C:\Windows\SysWOW64\Abmjqe32.exe Apnndj32.exe File created C:\Windows\SysWOW64\Affikdfn.exe Amnebo32.exe File created C:\Windows\SysWOW64\Pbjddh32.exe Pplhhm32.exe File created C:\Windows\SysWOW64\Famhmfkl.exe Fjeplijj.exe File opened for modification C:\Windows\SysWOW64\Cfipef32.exe Cnahdi32.exe File opened for modification C:\Windows\SysWOW64\Hienlpel.exe Hgfapd32.exe File created C:\Windows\SysWOW64\Njjdho32.exe Ncqlkemc.exe File opened for modification C:\Windows\SysWOW64\Bhmbqm32.exe Bdagpnbk.exe File created C:\Windows\SysWOW64\Mgnddp32.dll Cncnob32.exe File created C:\Windows\SysWOW64\Mkellk32.dll Ajggomog.exe File created C:\Windows\SysWOW64\Cqichhmn.dll Pefabkej.exe File created C:\Windows\SysWOW64\Cdpjlb32.exe Cbbnpg32.exe File created C:\Windows\SysWOW64\Monjjgkb.exe Mmpmnl32.exe File created C:\Windows\SysWOW64\Ljdkll32.exe Loofnccf.exe File opened for modification C:\Windows\SysWOW64\Ckdkhq32.exe Cgiohbfi.exe File opened for modification C:\Windows\SysWOW64\Nhahaiec.exe Nmlddqem.exe File created C:\Windows\SysWOW64\Gihpkd32.exe Gaqhjggp.exe File opened for modification C:\Windows\SysWOW64\Fjeplijj.exe Fggdpnkf.exe File created C:\Windows\SysWOW64\Meebmkdh.dll Leenhhdn.exe File opened for modification C:\Windows\SysWOW64\Ilmmni32.exe Ikkpgafg.exe File opened for modification C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File opened for modification C:\Windows\SysWOW64\Lcgpni32.exe Llmhaold.exe File opened for modification C:\Windows\SysWOW64\Mfhbga32.exe Monjjgkb.exe File created C:\Windows\SysWOW64\Pncepolj.dll Geoapenf.exe File created C:\Windows\SysWOW64\Glllagck.dll Lakfeodm.exe File created C:\Windows\SysWOW64\Ocihgnam.exe Omopjcjp.exe File created C:\Windows\SysWOW64\Ckilmcgb.exe Cfldelik.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bnoknihb.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 15884 5372 WerFault.exe 999 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bebjdgmj.exeIpeeobbe.exeAojlaeei.exeIdkkpf32.exeJdaaaeqg.exeBochmn32.exeHibafp32.exeApjdikqd.exeBgelgi32.exeDnonkq32.exeMofmobmo.exeAjohfcpj.exeQhngolpo.exeIdfaefkd.exeMqafhl32.exeBhmbqm32.exeEgbken32.exeMilidebi.exeNijeec32.exeOkedcjcm.exeGeoapenf.exeBigbmpco.exeCpogkhnl.exeQmepam32.exeDnmaea32.exeEnhpao32.exeEjccgi32.exeGlgcbf32.exeHehkajig.exeFnffhgon.exeGkoplk32.exePddhbipj.exeGidnkkpc.exeCnaaib32.exeEhndnh32.exeAokkahlo.exeGeanfelc.exeIkpjbq32.exeLdgccb32.exeFfqhcq32.exeLgdidgjg.exeDpdaepai.exeLggejg32.exeCgiohbfi.exeCgklmacf.exeOjigdcll.exeBnhenj32.exeDpkmal32.exeGihpkd32.exeFbgihaji.exeNcqlkemc.exeIialhaad.exePcbkml32.exeMljmhflh.exeAfcmfe32.exeDggkipii.exeCncnob32.exeEidlnd32.exeFfobhg32.exeMkadfj32.exeMeiioonj.exeLalnmiia.exeJedccfqg.exeKolabf32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeeobbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojlaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjdikqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnonkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajohfcpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfaefkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milidebi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geoapenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigbmpco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpogkhnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhpao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejccgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnffhgon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidnkkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnaaib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geanfelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdidgjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdaepai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgiohbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgklmacf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojigdcll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihpkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncqlkemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iialhaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljmhflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggkipii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidlnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lalnmiia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedccfqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolabf32.exe -
Modifies registry class 64 IoCs
Processes:
Hajkqfoe.exeJojdlfeo.exeMokfja32.exePmbegqjk.exeFncibg32.exeQhngolpo.exeBbnkonbd.exeHcmbee32.exeBnoknihb.exeLgdidgjg.exeOfkgcobj.exeNimbkc32.exeCoknoaic.exeIfmqfm32.exePhajna32.exeChkobkod.exeCmhigf32.exeKgipcogp.exeJikoopij.exeDgbanq32.exeHfjdqmng.exeDgcihgaj.exeJlbejloe.exeLojmcdgl.exeModpib32.exeCcpdoqgd.exeHehkajig.exeMfchlbfd.exePmblagmf.exePciqnk32.exeBcinna32.exeLknojl32.exeLgjijmin.exeFflohaij.exeImgicgca.exeBahkih32.exeNijqcf32.exeNihipdhl.exeOjbacd32.exeEfpomccg.exeKgkfnh32.exeEkonpckp.exeIgigla32.exeAknifq32.exeGbkdod32.exeMcgiefen.exeAdcjop32.exePhbhcmjl.exeHgfapd32.exeKqbdldnq.exePhaahggp.exeAkglloai.exeEiloco32.exeLalnmiia.exeMhilfa32.exeElpkep32.exeJdaaaeqg.exeMalpia32.exeEmoadlfo.exeEdionhpn.exeMcdeeq32.exeOkedcjcm.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll" Hajkqfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojpmiij.dll" Jojdlfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll" Mokfja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmbegqjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fncibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnqig32.dll" Qhngolpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbnkonbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbokg32.dll" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgdidgjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofkgcobj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coknoaic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phajna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jikoopij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgbanq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfjdqmng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll" Dgcihgaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll" Lojmcdgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Modpib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccpdoqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfchlbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pciqnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcinna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmhigf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lknojl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fflohaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imgicgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bahkih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbhmhpf.dll" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcmbee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmgob32.dll" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgkfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekonpckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqgik32.dll" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmfklog.dll" Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbkdod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adcjop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phbhcmjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgfapd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqbdldnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akglloai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnigobn.dll" Lalnmiia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhilfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplbfcmi.dll" Elpkep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdaaaeqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emamkgpg.dll" Edionhpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcdeeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okedcjcm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exeLeenhhdn.exeLkofdbkj.exeLnnbqnjn.exeLalnmiia.exeLgffic32.exeLnpofnhk.exeLejgch32.exeLjgpkonp.exeLbngllob.exeLihpif32.exeLjilqnlm.exeLeopnglc.exeLlhikacp.exeMbbagk32.exeMilidebi.exeMlkepaam.exeMbenmk32.exeMiofjepg.exeMnlnbl32.exeMajjng32.exeMhdckaeo.exedescription pid Process procid_target PID 4744 wrote to memory of 3200 4744 dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe 83 PID 4744 wrote to memory of 3200 4744 dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe 83 PID 4744 wrote to memory of 3200 4744 dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe 83 PID 3200 wrote to memory of 1136 3200 Leenhhdn.exe 84 PID 3200 wrote to memory of 1136 3200 Leenhhdn.exe 84 PID 3200 wrote to memory of 1136 3200 Leenhhdn.exe 84 PID 1136 wrote to memory of 1728 1136 Lkofdbkj.exe 85 PID 1136 wrote to memory of 1728 1136 Lkofdbkj.exe 85 PID 1136 wrote to memory of 1728 1136 Lkofdbkj.exe 85 PID 1728 wrote to memory of 912 1728 Lnnbqnjn.exe 86 PID 1728 wrote to memory of 912 1728 Lnnbqnjn.exe 86 PID 1728 wrote to memory of 912 1728 Lnnbqnjn.exe 86 PID 912 wrote to memory of 824 912 Lalnmiia.exe 87 PID 912 wrote to memory of 824 912 Lalnmiia.exe 87 PID 912 wrote to memory of 824 912 Lalnmiia.exe 87 PID 824 wrote to memory of 4252 824 Lgffic32.exe 88 PID 824 wrote to memory of 4252 824 Lgffic32.exe 88 PID 824 wrote to memory of 4252 824 Lgffic32.exe 88 PID 4252 wrote to memory of 4800 4252 Lnpofnhk.exe 89 PID 4252 wrote to memory of 4800 4252 Lnpofnhk.exe 89 PID 4252 wrote to memory of 4800 4252 Lnpofnhk.exe 89 PID 4800 wrote to memory of 4072 4800 Lejgch32.exe 90 PID 4800 wrote to memory of 4072 4800 Lejgch32.exe 90 PID 4800 wrote to memory of 4072 4800 Lejgch32.exe 90 PID 4072 wrote to memory of 1736 4072 Ljgpkonp.exe 91 PID 4072 wrote to memory of 1736 4072 Ljgpkonp.exe 91 PID 4072 wrote to memory of 1736 4072 Ljgpkonp.exe 91 PID 1736 wrote to memory of 3312 1736 Lbngllob.exe 92 PID 1736 wrote to memory of 3312 1736 Lbngllob.exe 92 PID 1736 wrote to memory of 3312 1736 Lbngllob.exe 92 PID 3312 wrote to memory of 4236 3312 Lihpif32.exe 93 PID 3312 wrote to memory of 4236 3312 Lihpif32.exe 93 PID 3312 wrote to memory of 4236 3312 Lihpif32.exe 93 PID 4236 wrote to memory of 3284 4236 Ljilqnlm.exe 94 PID 4236 wrote to memory of 3284 4236 Ljilqnlm.exe 94 PID 4236 wrote to memory of 3284 4236 Ljilqnlm.exe 94 PID 3284 wrote to memory of 620 3284 Leopnglc.exe 95 PID 3284 wrote to memory of 620 3284 Leopnglc.exe 95 PID 3284 wrote to memory of 620 3284 Leopnglc.exe 95 PID 620 wrote to memory of 1348 620 Llhikacp.exe 96 PID 620 wrote to memory of 1348 620 Llhikacp.exe 96 PID 620 wrote to memory of 1348 620 Llhikacp.exe 96 PID 1348 wrote to memory of 1440 1348 Mbbagk32.exe 97 PID 1348 wrote to memory of 1440 1348 Mbbagk32.exe 97 PID 1348 wrote to memory of 1440 1348 Mbbagk32.exe 97 PID 1440 wrote to memory of 184 1440 Milidebi.exe 98 PID 1440 wrote to memory of 184 1440 Milidebi.exe 98 PID 1440 wrote to memory of 184 1440 Milidebi.exe 98 PID 184 wrote to memory of 4772 184 Mlkepaam.exe 99 PID 184 wrote to memory of 4772 184 Mlkepaam.exe 99 PID 184 wrote to memory of 4772 184 Mlkepaam.exe 99 PID 4772 wrote to memory of 4912 4772 Mbenmk32.exe 100 PID 4772 wrote to memory of 4912 4772 Mbenmk32.exe 100 PID 4772 wrote to memory of 4912 4772 Mbenmk32.exe 100 PID 4912 wrote to memory of 3804 4912 Miofjepg.exe 101 PID 4912 wrote to memory of 3804 4912 Miofjepg.exe 101 PID 4912 wrote to memory of 3804 4912 Miofjepg.exe 101 PID 3804 wrote to memory of 4888 3804 Mnlnbl32.exe 102 PID 3804 wrote to memory of 4888 3804 Mnlnbl32.exe 102 PID 3804 wrote to memory of 4888 3804 Mnlnbl32.exe 102 PID 4888 wrote to memory of 3180 4888 Majjng32.exe 103 PID 4888 wrote to memory of 3180 4888 Majjng32.exe 103 PID 4888 wrote to memory of 3180 4888 Majjng32.exe 103 PID 3180 wrote to memory of 4840 3180 Mhdckaeo.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe"C:\Users\Admin\AppData\Local\Temp\dc427088d227fe509c25695e13e20998f4a6840235363b83d03efb031f86922dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe23⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe24⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe25⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe26⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4404 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe28⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe31⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe32⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe34⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe35⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe36⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe38⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe39⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe40⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe41⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe42⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe43⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe44⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe46⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe47⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe48⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe49⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe50⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe52⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe53⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe54⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe56⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe57⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe58⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe61⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe62⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe63⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe64⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe65⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe66⤵PID:3908
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe68⤵PID:5100
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe69⤵PID:2292
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe70⤵
- Drops file in System32 directory
PID:412 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe71⤵
- System Location Discovery: System Language Discovery
PID:4144 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe72⤵PID:1908
-
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe73⤵PID:3504
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe74⤵PID:4212
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe75⤵
- Drops file in System32 directory
PID:5064 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe76⤵PID:2584
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe78⤵PID:4052
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe79⤵PID:696
-
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe80⤵PID:2996
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe81⤵PID:1276
-
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe82⤵
- Drops file in System32 directory
PID:3292 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe83⤵PID:3532
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe84⤵PID:3540
-
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4936 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe86⤵PID:4392
-
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe87⤵PID:2732
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe88⤵PID:1928
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe89⤵
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe90⤵
- Modifies registry class
PID:4780 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe91⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe92⤵
- Modifies registry class
PID:4000 -
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe93⤵PID:4076
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3240 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe95⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe96⤵PID:3152
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe98⤵PID:4496
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe99⤵PID:3788
-
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe100⤵
- Modifies registry class
PID:4988 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe101⤵PID:4224
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe102⤵PID:712
-
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe103⤵PID:1672
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe104⤵PID:5124
-
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe105⤵PID:5160
-
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe106⤵PID:5216
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe107⤵PID:5264
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe108⤵PID:5312
-
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe109⤵PID:5356
-
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe110⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe111⤵PID:5460
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe112⤵PID:5508
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe113⤵PID:5552
-
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe114⤵PID:5592
-
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe115⤵PID:5636
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe116⤵PID:5684
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe117⤵PID:5728
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe119⤵PID:5816
-
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe120⤵
- System Location Discovery: System Language Discovery
PID:5860 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe121⤵PID:5904
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-