Overview
overview
10Static
static
10Dropper/Berbew.exe
windows7-x64
10Dropper/Berbew.exe
windows10-2004-x64
10Dropper/Phorphiex.exe
windows7-x64
10Dropper/Phorphiex.exe
windows10-2004-x64
10RAT/31.exe
windows7-x64
10RAT/31.exe
windows10-2004-x64
10RAT/XClient.exe
windows7-x64
10RAT/XClient.exe
windows10-2004-x64
10RAT/file.exe
windows7-x64
7RAT/file.exe
windows10-2004-x64
7Ransomware...-2.exe
windows7-x64
10Ransomware...-2.exe
windows10-2004-x64
10Ransomware...01.exe
windows7-x64
10Ransomware...01.exe
windows10-2004-x64
10Ransomware...lt.exe
windows7-x64
10Ransomware...lt.exe
windows10-2004-x64
10Stealers/Azorult.exe
windows7-x64
10Stealers/Azorult.exe
windows10-2004-x64
10Stealers/B...on.exe
windows7-x64
10Stealers/B...on.exe
windows10-2004-x64
10Stealers/Dridex.dll
windows7-x64
10Stealers/Dridex.dll
windows10-2004-x64
10Stealers/M..._2.exe
windows7-x64
10Stealers/M..._2.exe
windows10-2004-x64
10Stealers/lumma.exe
windows7-x64
10Stealers/lumma.exe
windows10-2004-x64
10Trojan/BetaBot.exe
windows7-x64
10Trojan/BetaBot.exe
windows10-2004-x64
10Trojan/Smo...er.exe
windows7-x64
10Trojan/Smo...er.exe
windows10-2004-x64
10Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
137s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
02-09-2024 19:51
Behavioral task
behavioral1
Sample
Dropper/Berbew.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win7-20240704-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral4
Sample
Dropper/Phorphiex.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win7-20240704-en
agenttesladanabotdharmaformbookgoziqakbotraccoon86920224spx1291590734339i0qiw9zagilenetbankercryptonedefense_evasiondiscoveryexecutionimpactkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojan
windows7-x64
43 signatures
150 seconds
Behavioral task
behavioral6
Sample
RAT/31.exe
Resource
win10v2004-20240802-en
agenttesladanabotdharmaformbookgoziraccoon86920224w9zagilenetbankerbotnetcredential_accesscryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojan
windows10-2004-x64
38 signatures
150 seconds
Behavioral task
behavioral7
Sample
RAT/XClient.exe
Resource
win7-20240708-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral8
Sample
RAT/XClient.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral9
Sample
RAT/file.exe
Resource
win7-20240708-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral10
Sample
RAT/file.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral11
Sample
Ransomware/Client-2.exe
Resource
win7-20240704-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral12
Sample
Ransomware/Client-2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
19 signatures
150 seconds
Behavioral task
behavioral13
Sample
Ransomware/criticalupdate01.exe
Resource
win7-20240729-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral14
Sample
Ransomware/criticalupdate01.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
11 signatures
150 seconds
Behavioral task
behavioral15
Sample
Ransomware/default.exe
Resource
win7-20240705-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral16
Sample
Ransomware/default.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
18 signatures
150 seconds
Behavioral task
behavioral17
Sample
Stealers/Azorult.exe
Resource
win7-20240704-en
azorultrmsaspackv2defense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationrattrojanupx
windows7-x64
54 signatures
150 seconds
Behavioral task
behavioral18
Sample
Stealers/Azorult.exe
Resource
win10v2004-20240802-en
azorultrmsaspackv2defense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationrattrojanupx
windows10-2004-x64
55 signatures
150 seconds
Behavioral task
behavioral19
Sample
Stealers/BlackMoon.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral20
Sample
Stealers/BlackMoon.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral21
Sample
Stealers/Dridex.dll
Resource
win7-20240704-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral22
Sample
Stealers/Dridex.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral23
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win7-20240704-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral24
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
22 signatures
150 seconds
Behavioral task
behavioral25
Sample
Stealers/lumma.exe
Resource
win7-20240729-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral26
Sample
Stealers/lumma.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral27
Sample
Trojan/BetaBot.exe
Resource
win7-20240729-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral28
Sample
Trojan/BetaBot.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
23 signatures
150 seconds
Behavioral task
behavioral29
Sample
Trojan/SmokeLoader.exe
Resource
win7-20240708-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral30
Sample
Trojan/SmokeLoader.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
Dropper/Berbew.exe
-
Size
109KB
-
MD5
331d4664aaa1e426075838bac0ba0e80
-
SHA1
b5825947ed101a498fadd55ed128172773f014e3
-
SHA256
90a4b2cba38cde1495721ebc965e888440e212585cb565acf18b6216631d13d1
-
SHA512
9da4eb7b4fee5956f9ad0444c362fb884295d0a8e087ee7f6ed5d3f9e54422730f8c75553edf6ebf57435f2588e9045573f23879d2d8ec1d3843d80c75cd91ec
-
SSDEEP
3072:vZYeP+XEYkuuHbJ9GLCqwzBu1DjHLMVDqqkSpR:vPUk3J9Cwtu1DjrFqhz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnglnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncnmane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flclam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndjmifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblbnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfebnmcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acicla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmlbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfgnnhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkifaen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alihaioe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpggei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkhndca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkknac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmflee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdgdji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdpgph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iocgfhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioeclg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgionie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bacihmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidddj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqkmplen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijkje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objjnkie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgciff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghgfekpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhcag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcedad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oniebmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boemlbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fijbco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfalqpm.exe -
Executes dropped EXE 64 IoCs
pid Process 808 Pdbdqh32.exe 2388 Pohhna32.exe 2720 Pebpkk32.exe 3036 Pidfdofi.exe 2372 Pcljmdmj.exe 2888 Pnbojmmp.exe 2624 Qgjccb32.exe 2320 Qndkpmkm.exe 320 Qeppdo32.exe 1584 Alihaioe.exe 2420 Agolnbok.exe 1080 Ahpifj32.exe 2952 Afdiondb.exe 2708 Alnalh32.exe 1072 Afffenbp.exe 948 Alqnah32.exe 448 Anbkipok.exe 944 Agjobffl.exe 1156 Akfkbd32.exe 2696 Adnpkjde.exe 2500 Bkjdndjo.exe 1876 Bniajoic.exe 2428 Bnknoogp.exe 2536 Bchfhfeh.exe 2572 Bjbndpmd.exe 2088 Boogmgkl.exe 2740 Bmbgfkje.exe 2900 Coacbfii.exe 2932 Cenljmgq.exe 2776 Cmedlk32.exe 2168 Cileqlmg.exe 1908 Ckjamgmk.exe 2032 Cbdiia32.exe 1704 Cnkjnb32.exe 2504 Cgcnghpl.exe 1776 Ccjoli32.exe 2968 Cfhkhd32.exe 2240 Danpemej.exe 2988 Dfkhndca.exe 2816 Dpcmgi32.exe 1220 Dbaice32.exe 1036 Dilapopb.exe 1560 Dpeiligo.exe 1924 Dbdehdfc.exe 2480 Debadpeg.exe 2316 Dlljaj32.exe 2328 Deenjpcd.exe 1044 Dhckfkbh.exe 2768 Dpjbgh32.exe 2992 Eibgpnjk.exe 2984 Ekdchf32.exe 1728 Eanldqgf.exe 1640 Elcpbigl.exe 1936 Eoblnd32.exe 1204 Eeldkonl.exe 2996 Ehjqgjmp.exe 2936 Ekhmcelc.exe 1952 Eabepp32.exe 552 Edaalk32.exe 2104 Ekkjheja.exe 3052 Eaebeoan.exe 2364 Edcnakpa.exe 2540 Egajnfoe.exe 2272 Fmlbjq32.exe -
Loads dropped DLL 64 IoCs
pid Process 3060 Berbew.exe 3060 Berbew.exe 808 Pdbdqh32.exe 808 Pdbdqh32.exe 2388 Pohhna32.exe 2388 Pohhna32.exe 2720 Pebpkk32.exe 2720 Pebpkk32.exe 3036 Pidfdofi.exe 3036 Pidfdofi.exe 2372 Pcljmdmj.exe 2372 Pcljmdmj.exe 2888 Pnbojmmp.exe 2888 Pnbojmmp.exe 2624 Qgjccb32.exe 2624 Qgjccb32.exe 2320 Qndkpmkm.exe 2320 Qndkpmkm.exe 320 Qeppdo32.exe 320 Qeppdo32.exe 1584 Alihaioe.exe 1584 Alihaioe.exe 2420 Agolnbok.exe 2420 Agolnbok.exe 1080 Ahpifj32.exe 1080 Ahpifj32.exe 2952 Afdiondb.exe 2952 Afdiondb.exe 2708 Alnalh32.exe 2708 Alnalh32.exe 1072 Afffenbp.exe 1072 Afffenbp.exe 948 Alqnah32.exe 948 Alqnah32.exe 448 Anbkipok.exe 448 Anbkipok.exe 944 Agjobffl.exe 944 Agjobffl.exe 1156 Akfkbd32.exe 1156 Akfkbd32.exe 2696 Adnpkjde.exe 2696 Adnpkjde.exe 2500 Bkjdndjo.exe 2500 Bkjdndjo.exe 1876 Bniajoic.exe 1876 Bniajoic.exe 2428 Bnknoogp.exe 2428 Bnknoogp.exe 2536 Bchfhfeh.exe 2536 Bchfhfeh.exe 2572 Bjbndpmd.exe 2572 Bjbndpmd.exe 2088 Boogmgkl.exe 2088 Boogmgkl.exe 2740 Bmbgfkje.exe 2740 Bmbgfkje.exe 2900 Coacbfii.exe 2900 Coacbfii.exe 2932 Cenljmgq.exe 2932 Cenljmgq.exe 2776 Cmedlk32.exe 2776 Cmedlk32.exe 2168 Cileqlmg.exe 2168 Cileqlmg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Igebkiof.exe Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Jikhnaao.exe Jjhgbd32.exe File created C:\Windows\SysWOW64\Ccmkid32.dll Jcqlkjae.exe File opened for modification C:\Windows\SysWOW64\Apkgpf32.exe Aahfdihn.exe File opened for modification C:\Windows\SysWOW64\Bkpglbaj.exe Bgdkkc32.exe File created C:\Windows\SysWOW64\Iodcmd32.dll Eldiehbk.exe File created C:\Windows\SysWOW64\Fkgfqf32.dll Elkofg32.exe File opened for modification C:\Windows\SysWOW64\Ghgfekpn.exe Gdkjdl32.exe File created C:\Windows\SysWOW64\Anafme32.dll Igceej32.exe File created C:\Windows\SysWOW64\Ghcmae32.dll Hjcaha32.exe File created C:\Windows\SysWOW64\Hfjbmb32.exe Hbofmcij.exe File opened for modification C:\Windows\SysWOW64\Ibcphc32.exe Ioeclg32.exe File opened for modification C:\Windows\SysWOW64\Jggoqimd.exe Iclbpj32.exe File created C:\Windows\SysWOW64\Lgngbmjp.exe Lpcoeb32.exe File created C:\Windows\SysWOW64\Aemgfj32.dll Adaiee32.exe File opened for modification C:\Windows\SysWOW64\Dfhdnn32.exe Dblhmoio.exe File opened for modification C:\Windows\SysWOW64\Fakdcnhh.exe Folhgbid.exe File opened for modification C:\Windows\SysWOW64\Fleifl32.exe Figmjq32.exe File created C:\Windows\SysWOW64\Dadbdkld.exe Dnefhpma.exe File created C:\Windows\SysWOW64\Ilalae32.dll Fahhnn32.exe File created C:\Windows\SysWOW64\Gpggei32.exe Gmhkin32.exe File created C:\Windows\SysWOW64\Gckobc32.dll Hdpcokdo.exe File created C:\Windows\SysWOW64\Gmeeepjp.exe Gjgiidkl.exe File created C:\Windows\SysWOW64\Jieaofmp.exe Jfgebjnm.exe File created C:\Windows\SysWOW64\Apoahgqd.dll Plmbkd32.exe File opened for modification C:\Windows\SysWOW64\Cjedgmpi.dll Pehcij32.exe File created C:\Windows\SysWOW64\Fmaeho32.exe Fooembgb.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bniajoic.exe File created C:\Windows\SysWOW64\Jhenjmbb.exe Jibnop32.exe File created C:\Windows\SysWOW64\Qkddnqcm.dll Objjnkie.exe File created C:\Windows\SysWOW64\Dnqlmq32.exe Dpnladjl.exe File opened for modification C:\Windows\SysWOW64\Qbnphngk.exe Qkghgpfi.exe File opened for modification C:\Windows\SysWOW64\Afdiondb.exe Ahpifj32.exe File opened for modification C:\Windows\SysWOW64\Mhhgpc32.exe Mfjkdh32.exe File opened for modification C:\Windows\SysWOW64\Ngpqfp32.exe Mimpkcdn.exe File created C:\Windows\SysWOW64\Jefndikl.dll Ckeqga32.exe File created C:\Windows\SysWOW64\Cileqlmg.exe Cmedlk32.exe File created C:\Windows\SysWOW64\Dhbccb32.dll Boifga32.exe File created C:\Windows\SysWOW64\Imbjcpnn.exe Inojhc32.exe File opened for modification C:\Windows\SysWOW64\Aahfdihn.exe Anljck32.exe File created C:\Windows\SysWOW64\Injqmdki.exe Iogpag32.exe File created C:\Windows\SysWOW64\Kekkiq32.exe Kbmome32.exe File opened for modification C:\Windows\SysWOW64\Ggagmjbq.exe Gdcjpncm.exe File opened for modification C:\Windows\SysWOW64\Igoomk32.exe Iaegpaao.exe File created C:\Windows\SysWOW64\Bbjmif32.dll Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Khgkpl32.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Ooffgmde.dll Peefcjlg.exe File created C:\Windows\SysWOW64\Bcbonpco.dll Jfmkbebl.exe File created C:\Windows\SysWOW64\Padqpaec.dll Ggagmjbq.exe File opened for modification C:\Windows\SysWOW64\Oehgjfhi.exe Oalkih32.exe File opened for modification C:\Windows\SysWOW64\Coicfd32.exe Cmkfji32.exe File opened for modification C:\Windows\SysWOW64\Dadbdkld.exe Dnefhpma.exe File opened for modification C:\Windows\SysWOW64\Mobomnoq.exe Mkfclo32.exe File created C:\Windows\SysWOW64\Pehcij32.exe Pfebnmcj.exe File created C:\Windows\SysWOW64\Bolcma32.exe Bkpglbaj.exe File created C:\Windows\SysWOW64\Fkhbgbkc.exe Fglfgd32.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Boogmgkl.exe File opened for modification C:\Windows\SysWOW64\Omckoi32.exe Ojeobm32.exe File opened for modification C:\Windows\SysWOW64\Jfjolf32.exe Jggoqimd.exe File opened for modification C:\Windows\SysWOW64\Ggdcbi32.exe Gdegfn32.exe File created C:\Windows\SysWOW64\Hjnmkplj.dll Gmeeepjp.exe File opened for modification C:\Windows\SysWOW64\Mbchni32.exe Mnglnj32.exe File created C:\Windows\SysWOW64\Leoebflm.dll Icifjk32.exe File created C:\Windows\SysWOW64\Iahghfmb.dll Hjlbdc32.exe -
Program crash 1 IoCs
pid pid_target Process 7108 6400 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlbdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmlhbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeeepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenljmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgppnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblbnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpopddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnkdmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbdqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppofado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdlhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdcbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenbjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpafapbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbllnlfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkhjgeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlljaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haqnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqehjecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oniebmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkghgpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlbjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfebnmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplllkdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofngkga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndjmifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlddeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmabjfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidddj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnibcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpglbaj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccgklc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iocgfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlqjkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fleifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknocpdc.dll" Feddombd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olpbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnochnpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpdcfoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioeclg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmeeepjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njgpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egldgl32.dll" Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqehjecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahmefdcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blfapfpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncpdbohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deondj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhimbk32.dll" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijjkf32.dll" Oioipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eafkhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Berbew.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngbmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igejec32.dll" Apmcefmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hadcipbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll" Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnglnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll" Fmdbnnlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmaebf32.dll" Jaecod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anjnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll" Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll" Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aacmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpdkpiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifjic32.dll" Ibipmiek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbchni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfcodkcb.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 2628 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2628 AUDIODG.EXE Token: 33 2628 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2628 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3060 wrote to memory of 808 3060 Berbew.exe 31 PID 3060 wrote to memory of 808 3060 Berbew.exe 31 PID 3060 wrote to memory of 808 3060 Berbew.exe 31 PID 3060 wrote to memory of 808 3060 Berbew.exe 31 PID 808 wrote to memory of 2388 808 Pdbdqh32.exe 32 PID 808 wrote to memory of 2388 808 Pdbdqh32.exe 32 PID 808 wrote to memory of 2388 808 Pdbdqh32.exe 32 PID 808 wrote to memory of 2388 808 Pdbdqh32.exe 32 PID 2388 wrote to memory of 2720 2388 Pohhna32.exe 33 PID 2388 wrote to memory of 2720 2388 Pohhna32.exe 33 PID 2388 wrote to memory of 2720 2388 Pohhna32.exe 33 PID 2388 wrote to memory of 2720 2388 Pohhna32.exe 33 PID 2720 wrote to memory of 3036 2720 Pebpkk32.exe 34 PID 2720 wrote to memory of 3036 2720 Pebpkk32.exe 34 PID 2720 wrote to memory of 3036 2720 Pebpkk32.exe 34 PID 2720 wrote to memory of 3036 2720 Pebpkk32.exe 34 PID 3036 wrote to memory of 2372 3036 Pidfdofi.exe 35 PID 3036 wrote to memory of 2372 3036 Pidfdofi.exe 35 PID 3036 wrote to memory of 2372 3036 Pidfdofi.exe 35 PID 3036 wrote to memory of 2372 3036 Pidfdofi.exe 35 PID 2372 wrote to memory of 2888 2372 Pcljmdmj.exe 36 PID 2372 wrote to memory of 2888 2372 Pcljmdmj.exe 36 PID 2372 wrote to memory of 2888 2372 Pcljmdmj.exe 36 PID 2372 wrote to memory of 2888 2372 Pcljmdmj.exe 36 PID 2888 wrote to memory of 2624 2888 Pnbojmmp.exe 37 PID 2888 wrote to memory of 2624 2888 Pnbojmmp.exe 37 PID 2888 wrote to memory of 2624 2888 Pnbojmmp.exe 37 PID 2888 wrote to memory of 2624 2888 Pnbojmmp.exe 37 PID 2624 wrote to memory of 2320 2624 Qgjccb32.exe 38 PID 2624 wrote to memory of 2320 2624 Qgjccb32.exe 38 PID 2624 wrote to memory of 2320 2624 Qgjccb32.exe 38 PID 2624 wrote to memory of 2320 2624 Qgjccb32.exe 38 PID 2320 wrote to memory of 320 2320 Qndkpmkm.exe 39 PID 2320 wrote to memory of 320 2320 Qndkpmkm.exe 39 PID 2320 wrote to memory of 320 2320 Qndkpmkm.exe 39 PID 2320 wrote to memory of 320 2320 Qndkpmkm.exe 39 PID 320 wrote to memory of 1584 320 Qeppdo32.exe 40 PID 320 wrote to memory of 1584 320 Qeppdo32.exe 40 PID 320 wrote to memory of 1584 320 Qeppdo32.exe 40 PID 320 wrote to memory of 1584 320 Qeppdo32.exe 40 PID 1584 wrote to memory of 2420 1584 Alihaioe.exe 41 PID 1584 wrote to memory of 2420 1584 Alihaioe.exe 41 PID 1584 wrote to memory of 2420 1584 Alihaioe.exe 41 PID 1584 wrote to memory of 2420 1584 Alihaioe.exe 41 PID 2420 wrote to memory of 1080 2420 Agolnbok.exe 42 PID 2420 wrote to memory of 1080 2420 Agolnbok.exe 42 PID 2420 wrote to memory of 1080 2420 Agolnbok.exe 42 PID 2420 wrote to memory of 1080 2420 Agolnbok.exe 42 PID 1080 wrote to memory of 2952 1080 Ahpifj32.exe 43 PID 1080 wrote to memory of 2952 1080 Ahpifj32.exe 43 PID 1080 wrote to memory of 2952 1080 Ahpifj32.exe 43 PID 1080 wrote to memory of 2952 1080 Ahpifj32.exe 43 PID 2952 wrote to memory of 2708 2952 Afdiondb.exe 44 PID 2952 wrote to memory of 2708 2952 Afdiondb.exe 44 PID 2952 wrote to memory of 2708 2952 Afdiondb.exe 44 PID 2952 wrote to memory of 2708 2952 Afdiondb.exe 44 PID 2708 wrote to memory of 1072 2708 Alnalh32.exe 45 PID 2708 wrote to memory of 1072 2708 Alnalh32.exe 45 PID 2708 wrote to memory of 1072 2708 Alnalh32.exe 45 PID 2708 wrote to memory of 1072 2708 Alnalh32.exe 45 PID 1072 wrote to memory of 948 1072 Afffenbp.exe 46 PID 1072 wrote to memory of 948 1072 Afffenbp.exe 46 PID 1072 wrote to memory of 948 1072 Afffenbp.exe 46 PID 1072 wrote to memory of 948 1072 Afffenbp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dropper\Berbew.exe"C:\Users\Admin\AppData\Local\Temp\Dropper\Berbew.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe33⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe34⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe35⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe36⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ccjoli32.exeC:\Windows\system32\Ccjoli32.exe37⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe38⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe39⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe41⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe42⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe43⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe45⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe46⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe48⤵PID:2060
-
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe49⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe50⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe51⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe54⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe55⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe56⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe58⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe59⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe60⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe61⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe62⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe63⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe65⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe67⤵PID:2716
-
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe68⤵PID:2764
-
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe69⤵PID:2748
-
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe71⤵PID:2188
-
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe72⤵PID:2440
-
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1192 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe75⤵PID:2292
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe76⤵PID:2976
-
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe77⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe78⤵
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe79⤵PID:1480
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe80⤵PID:2692
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe81⤵PID:2124
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe82⤵PID:2944
-
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe84⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe85⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe86⤵PID:2196
-
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe87⤵PID:1512
-
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe88⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe90⤵PID:2832
-
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe91⤵PID:1744
-
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe92⤵PID:1468
-
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe93⤵PID:2228
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe94⤵PID:2392
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe95⤵PID:2648
-
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe96⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe98⤵PID:2348
-
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe99⤵PID:2064
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe100⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe101⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe103⤵PID:1416
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe104⤵PID:1580
-
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe105⤵PID:584
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe106⤵PID:3012
-
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe108⤵PID:1892
-
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe109⤵PID:560
-
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe110⤵PID:2024
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe111⤵PID:764
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe112⤵PID:604
-
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe113⤵PID:1796
-
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe114⤵PID:1928
-
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe115⤵
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe116⤵PID:2892
-
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe117⤵PID:2620
-
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe118⤵PID:2288
-
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe119⤵PID:1976
-
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe120⤵PID:2680
-
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe121⤵PID:2020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-