Analysis
max time kernel: 76s
max time network: 20s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 00:50

Static task: static1
Behavioral task: behavioral1
  Sample: cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88aN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88aN.exe
  Resource: win10v2004-20241007-en
General
Target: cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88aN.exe
Size: 98KB
MD5: fe0d9f7c182425a18484bc7ba42271d0
SHA1: 3a7e8688fa97e6172e4be5e1b03994a806d3455e
SHA256: cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88a
SHA512: 282ad46da49897f89abec164322ce30ceeaaa05660d81211fa1f374105776672035f36727a7004cba2439d23d1bc96c7cfe188e3e71952adaba34d5341cb3fa8
SSDEEP: 3072:Mj+GzHcZ4JS/HFfYV5WvQuVZ0f9a3vK3NANxjgRJl3EDeFKPD375lHzpa1P:y+Gzo4JS/O8buEDeYr75lHzpaF
Malware Config
Extracted
Family: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The third entry is a printf-style template as embedded in the binary (the %s/%i/%02d fields are filled in at runtime), not a literal URL, and the host part "f" is whatever the extractor found in the sample's strings; treat these as indicators of the family's C2 layout rather than as resolvable addresses.

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad (SSODL) when the shell starts, so the value written here, together with the InProcServer32 registration of the same CLSID under "Modifies registry class" below, is what gets the dropped DLL loaded at each logon. Because the sample is 32-bit, WOW64 redirection places these writes under Wow6432Node; the 64-bit Explorer.exe on this x64 image reads the native SSODL key, so the entry is recorded but would take effect as written only on a 32-bit Windows install.
Every row touches the same key, abbreviated below as SSODL:
SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
(The report spells the hive "Software" on the "Key created" rows and "SOFTWARE" on the "Set value" rows; registry key names are case-insensitive, so both refer to the same key.)

description | ioc | process
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pddlggin.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdnffpif.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfcmcckn.exe
Key created | SSODL | Ffndghdj.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mkmlbc32.exe
Key created | SSODL | Ojjnioae.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Emlkoknp.exe
Key created | SSODL | Gloppi32.exe
Key created | SSODL | Nefncd32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjehlldb.exe
Key created | SSODL | Ifmbilhq.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jadlgjjq.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Emlhfb32.exe
Key created | SSODL | Kjeblf32.exe
Key created | SSODL | Oodhca32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajbdpblo.exe
Key created | SSODL | Fhcehngk.exe
Key created | SSODL | Jijqeg32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckjnfobi.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmnkqcem.exe
Key created | SSODL | Onmgeb32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkgfgl32.exe
Key created | SSODL | Emlkoknp.exe
Key created | SSODL | Apjpglfn.exe
Key created | SSODL | Nchiao32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odpljf32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbbfmqdm.exe
Key created | SSODL | Geckno32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jijbnppi.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kjeblf32.exe
Key created | SSODL | Anigaeoh.exe
Key created | SSODL | Fdbibjok.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cefbfa32.exe
Key created | SSODL | Hpincd32.exe
Key created | SSODL | Okhgaqfj.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ijcmipjh.exe
Key created | SSODL | Qnjbmh32.exe
Key created | SSODL | Mfmekd32.exe
Key created | SSODL | Fcodhl32.exe
Key created | SSODL | Hqmmja32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dicmlpje.exe
Key created | SSODL | Ofqonp32.exe
Key created | SSODL | Dnjeoa32.exe
Key created | SSODL | Looahi32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mibeofaf.exe
Key created | SSODL | Dpenkgfq.exe
Key created | SSODL | Mnbbpkjg.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fkgemh32.exe
Key created | SSODL | Nqdjge32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocjfgo32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Geckno32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gajlcp32.exe
Key created | SSODL | Ilpohecc.exe
Key created | SSODL | Jpkgggnh.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppkahi32.exe
Key created | SSODL | Cidklp32.exe
Key created | SSODL | Hkfgnldd.exe
Key created | SSODL | Dmhfpmee.exe
Key created | SSODL | Clgpckcb.exe
Key created | SSODL | Kmedck32.exe
Key created | SSODL | Andnff32.exe
Set value (str) | SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lfehpobj.exe
Key created | SSODL | Qjnajl32.exe
Key created | SSODL | Fogkhf32.exe
Berbew family
Executes dropped EXE (64 IoCs)
Each dropped executable carries a random-looking eight-character name and, as the "Drops file in System32 directory" rows show, writes one further executable into C:\Windows\SysWOW64, so the sandbox sees a long chain of short-lived processes rather than a single payload. The list is in the order the sandbox recorded them; the 64-entry cap means the chain continues beyond what is shown.

pid | process
3012 | Iadphghe.exe
2868 | Imkqmh32.exe
2844 | Jidngh32.exe
2740 | Jadlgjjq.exe
2756 | Jafilj32.exe
2832 | Kdgane32.exe
2416 | Kidjfl32.exe
1580 | Kemgqm32.exe
2960 | Keodflee.exe
2064 | Lhpmhgbf.exe
1296 | Lednal32.exe
1448 | Ldikbhfh.exe
2232 | Lkccob32.exe
592 | Mnfhfmhc.exe
2684 | Mjmiknng.exe
2216 | Mkqbhf32.exe
1076 | Mdigakic.exe
2420 | Moahdd32.exe
1056 | Nqbdllld.exe
1668 | Nkjeod32.exe
1372 | Ngafdepl.exe
2460 | Npngng32.exe
2132 | Oiglfm32.exe
2292 | Obamebfc.exe
2308 | Opennf32.exe
1596 | Oinbglkm.exe
2804 | Onmgeb32.exe
2984 | Pjchjcmf.exe
2408 | Phhhchlp.exe
2976 | Pfmeddag.exe
2776 | Pebbeq32.exe
2772 | Qakppa32.exe
2264 | Aapikqel.exe
1584 | Adcobk32.exe
2888 | Apjpglfn.exe
2200 | Ajbdpblo.exe
2700 | Bfieec32.exe
2896 | Blejgm32.exe
1616 | Bfnnpbnn.exe
2244 | Bbdoec32.exe
2096 | Bdehgnqc.exe
848 | Cqlhlo32.exe
2652 | Ccjehkek.exe
2584 | Cmbiap32.exe
1932 | Cjfjjd32.exe
2688 | Cgjjdijo.exe
1992 | Cofohkgi.exe
1528 | Cincaq32.exe
2280 | Cbfhjfdk.exe
1692 | Dpjhcj32.exe
1608 | Dicmlpje.exe
2840 | Dnpedghl.exe
2864 | Dieiap32.exe
2936 | Dndoof32.exe
2380 | Dfpcdh32.exe
2508 | Emilqb32.exe
2092 | Emlhfb32.exe
3044 | Ebhani32.exe
540 | Edhmhl32.exe
584 | Eiefqc32.exe
2504 | Eoanij32.exe
2480 | Ehjbaooe.exe
1408 | Fijolbfh.exe
2604 | Fbbcdh32.exe
Loads dropped DLL (64 IoCs)
Each process below appears twice in the report (two dropped-DLL loads each, same pid); the pairs are listed once here.

pid | process
2792 | cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88aN.exe
3012 | Iadphghe.exe
2868 | Imkqmh32.exe
2844 | Jidngh32.exe
2740 | Jadlgjjq.exe
2756 | Jafilj32.exe
2832 | Kdgane32.exe
2416 | Kidjfl32.exe
1580 | Kemgqm32.exe
2960 | Keodflee.exe
2064 | Lhpmhgbf.exe
1296 | Lednal32.exe
1448 | Ldikbhfh.exe
2232 | Lkccob32.exe
592 | Mnfhfmhc.exe
2684 | Mjmiknng.exe
2216 | Mkqbhf32.exe
1076 | Mdigakic.exe
2420 | Moahdd32.exe
1056 | Nqbdllld.exe
1668 | Nkjeod32.exe
1372 | Ngafdepl.exe
2460 | Npngng32.exe
2132 | Oiglfm32.exe
2292 | Obamebfc.exe
2308 | Opennf32.exe
1596 | Oinbglkm.exe
2804 | Onmgeb32.exe
2984 | Pjchjcmf.exe
2408 | Phhhchlp.exe
2976 | Pfmeddag.exe
2776 | Pebbeq32.exe
Drops file in System32 directory (64 IoCs)
All drops land in C:\Windows\SysWOW64 (the 32-bit system directory, reached through file-system redirection when a 32-bit process writes to System32). The .exe drops are the next links in the execution chain; the .dll drops are the COM servers registered under "Modifies registry class" below.

description | ioc | process
File created | C:\Windows\SysWOW64\Hkfgnldd.exe | Hnbgdh32.exe
File created | C:\Windows\SysWOW64\Qfbahldf.exe | Pphilb32.exe
File created | C:\Windows\SysWOW64\Aeajcf32.exe | Aikine32.exe
File created | C:\Windows\SysWOW64\Jdlefd32.exe | Jkdanngk.exe
File created | C:\Windows\SysWOW64\Agpamd32.exe | Aqfiqjgb.exe
File opened for modification | C:\Windows\SysWOW64\Inaliedk.exe | Iggdmkmn.exe
File created | C:\Windows\SysWOW64\Nmgbmq32.dll | Clehoiam.exe
File created | C:\Windows\SysWOW64\Ffllbi32.dll | Kigkmmql.exe
File opened for modification | C:\Windows\SysWOW64\Andnff32.exe | Aooaej32.exe
File created | C:\Windows\SysWOW64\Hhmioa32.exe | Hfnmdo32.exe
File opened for modification | C:\Windows\SysWOW64\Gnfajgbg.exe | Genmab32.exe
File created | C:\Windows\SysWOW64\Egepce32.exe | Emmljodk.exe
File created | C:\Windows\SysWOW64\Gpiogbmb.dll | Okmceiii.exe
File created | C:\Windows\SysWOW64\Cahnhhpq.dll | Njeikpij.exe
File created | C:\Windows\SysWOW64\Opqjjalh.dll | Opennf32.exe
File created | C:\Windows\SysWOW64\Kafopn32.dll | Eoanij32.exe
File created | C:\Windows\SysWOW64\Qlnamo32.dll | Iflhjh32.exe
File opened for modification | C:\Windows\SysWOW64\Dnjeoa32.exe | Cdbqflae.exe
File created | C:\Windows\SysWOW64\Odqqbmpp.dll | Bbkkbpjc.exe
File opened for modification | C:\Windows\SysWOW64\Mpmpeiqg.exe | Momckfid.exe
File created | C:\Windows\SysWOW64\Fedgnqao.dll | Aeajcf32.exe
File created | C:\Windows\SysWOW64\Dfjegl32.exe | Dlbanfbo.exe
File created | C:\Windows\SysWOW64\Cijkaehj.exe | Cpafhpaj.exe
File created | C:\Windows\SysWOW64\Kncmknkg.exe | Kqomai32.exe
File opened for modification | C:\Windows\SysWOW64\Naqkki32.exe | Nieffgok.exe
File opened for modification | C:\Windows\SysWOW64\Ggcnbh32.exe | Gohjnf32.exe
File opened for modification | C:\Windows\SysWOW64\Ljnebe32.exe | Lpiqel32.exe
File created | C:\Windows\SysWOW64\Ggniapdj.dll | Dpggnfap.exe
File opened for modification | C:\Windows\SysWOW64\Dlbanfbo.exe | Dcjleq32.exe
File opened for modification | C:\Windows\SysWOW64\Pnbeacbd.exe | Pghmeikh.exe
File created | C:\Windows\SysWOW64\Ilnamhfg.dll | Qiclcp32.exe
File opened for modification | C:\Windows\SysWOW64\Fnifbaja.exe | Fbbfmqdm.exe
File opened for modification | C:\Windows\SysWOW64\Mjlgdaad.exe | Meonlkcm.exe
File created | C:\Windows\SysWOW64\Abcfkfkn.dll | Okjoec32.exe
File created | C:\Windows\SysWOW64\Bfeonq32.exe | Bokfaflj.exe
File created | C:\Windows\SysWOW64\Cjnjhcqo.exe | Baeepm32.exe
File opened for modification | C:\Windows\SysWOW64\Dndoof32.exe | Dieiap32.exe
File created | C:\Windows\SysWOW64\Gkgdbh32.exe | Fblpnepn.exe
File opened for modification | C:\Windows\SysWOW64\Meiedg32.exe | Moomgmpm.exe
File opened for modification | C:\Windows\SysWOW64\Jknlfg32.exe | Iogkaf32.exe
File created | C:\Windows\SysWOW64\Ehhejkik.dll | Ccjehkek.exe
File opened for modification | C:\Windows\SysWOW64\Nchiao32.exe | Npgppdpc.exe
File created | C:\Windows\SysWOW64\Gloppi32.exe | Gajlcp32.exe
File created | C:\Windows\SysWOW64\Odkkdqmd.exe | Oggkklnk.exe
File opened for modification | C:\Windows\SysWOW64\Apgnpo32.exe | Aeajcf32.exe
File opened for modification | C:\Windows\SysWOW64\Eaoadb32.exe | Ehfmkmqj.exe
File opened for modification | C:\Windows\SysWOW64\Oficoo32.exe | Oejfelin.exe
File opened for modification | C:\Windows\SysWOW64\Fogkhf32.exe | Fhmblljb.exe
File opened for modification | C:\Windows\SysWOW64\Obamebfc.exe | Oiglfm32.exe
File opened for modification | C:\Windows\SysWOW64\Iodolf32.exe | Iaqnbb32.exe
File created | C:\Windows\SysWOW64\Abkqle32.exe | Qiclcp32.exe
File opened for modification | C:\Windows\SysWOW64\Anigaeoh.exe | Afbpph32.exe
File opened for modification | C:\Windows\SysWOW64\Fnglekch.exe | Fdohme32.exe
File created | C:\Windows\SysWOW64\Fdnabo32.exe | Fcodhl32.exe
File created | C:\Windows\SysWOW64\Lmpgopjh.dll | Fokaoh32.exe
File created | C:\Windows\SysWOW64\Imbdocbi.dll | Nfcoel32.exe
File created | C:\Windows\SysWOW64\Mipanmej.dll | Odkkdqmd.exe
File created | C:\Windows\SysWOW64\Ihengqff.dll | Kmedck32.exe
File opened for modification | C:\Windows\SysWOW64\Bjnhpj32.exe | Bpdgolml.exe
File created | C:\Windows\SysWOW64\Icgphnbc.dll | Dcpagg32.exe
File created | C:\Windows\SysWOW64\Chkpakla.exe | Cbagdq32.exe
File opened for modification | C:\Windows\SysWOW64\Dokjlcjh.exe | Djnbdlla.exe
File created | C:\Windows\SysWOW64\Jajcaj32.exe | Jpkgggnh.exe
File created | C:\Windows\SysWOW64\Fagqed32.exe | Foidii32.exe
Program crash (1 IoC)

pid | process | pid_target | target process
4152 | WerFault.exe | 4116 | Iifnpagn.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Reading this key is also part of ordinary locale initialisation in the Windows API, so on its own the signature is weak evidence; it is listed because the original sample and the dropped processes all trigger it.

description | ioc
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (all 64 rows open the key above): Lbgkhoml.exe, Kcgdgnmc.exe, Pfhghgie.exe, Opbnbj32.exe, Pphilb32.exe, Bfliqmjg.exe, Qcfdji32.exe, Mafoal32.exe, Ialpfeno.exe, Dkihli32.exe, Ffcbce32.exe, Ecdffe32.exe, Aopcnbfj.exe, Anepooja.exe, Fdohme32.exe, Pefmkpbl.exe, Adcobk32.exe, Gbbbld32.exe, Bhdpjaga.exe, Cpigeblb.exe, Dkohanoc.exe, Bmaaha32.exe, Gaokhdja.exe, Fkphcg32.exe, cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88aN.exe, Emlhfb32.exe, Inaliedk.exe, Mchmblji.exe, Jndgfqlh.exe, Leebcm32.exe, Phhhchlp.exe, Kaaeegkc.exe, Ahbqliap.exe, Aqpgblqh.exe, Gmnkqcem.exe, Jmigke32.exe, Qiclcp32.exe, Fdadbd32.exe, Pfmeddag.exe, Liibigjq.exe, Bcbabodk.exe, Mkihfi32.exe, Ijmibn32.exe, Kjbnlqld.exe, Ifecen32.exe, Ndadld32.exe, Bihdfkoe.exe, Fgibijkb.exe, Fibqhibd.exe, Ilpohecc.exe, Jdklcebk.exe, Ellfmm32.exe, Gnfajgbg.exe, Ckmfbf32.exe, Fknlmggc.exe, Imccab32.exe, Kdoaackf.exe, Eibbqmhd.exe, Pkbcjn32.exe, Fjmdgmnl.exe, Naqkki32.exe, Chickknc.exe, Dlgjie32.exe, Mpeidjfo.exe
Modifies registry class (64 IoCs)
These rows register the CLSID referenced by the SSODL value above: the InProcServer32 default value names a dropped DLL under C:\Windows\SysWow64 (the doubled backslashes are the report's escaping of the REG_SZ string) and ThreadingModel is set to "Apartment". Each process in the chain re-registers the same CLSID with its own DLL, so the DLL path differs from row to row while the CLSID stays constant. Every row touches the same key, abbreviated below as CLSID_INPROC:
CLSID_INPROC = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

Processes (the report's filter list; it includes processes whose rows are cut off at the end of this section): Boqbcbeh.exe, Cjiiim32.exe, Hpckee32.exe, Jdnpck32.exe, Oqajqi32.exe, Anlkakqa.exe, Bjehlldb.exe, Immqeq32.exe, Iomhkgkb.exe, Clehoiam.exe, Jajcaj32.exe, Kfabfldd.exe, Pjqdjn32.exe, Nchiao32.exe, Pgjgapaa.exe, Lmhhcaik.exe, Ghqqpd32.exe, Epinhg32.exe, Fbhhlo32.exe, Okmceiii.exe, Phcpdm32.exe, Bbnlia32.exe, Aofhcmig.exe, Ohajic32.exe, Bfdlehlc.exe, Gcbaop32.exe, Dkihli32.exe, Abehcbci.exe, Leebcm32.exe, Nqdjge32.exe, Pkbcjn32.exe, Hbajjiml.exe, Cckhlhcj.exe, Ccmdbg32.exe, Fhfdffll.exe, Llooad32.exe, Kkmhej32.exe, Odkkdqmd.exe, Gmipmlan.exe, Doipoldo.exe, Efjklh32.exe, Ifecen32.exe, Adcobk32.exe, Oficoo32.exe, Eickdlcd.exe, Nldgdpjf.exe, Bciohe32.exe, Cajokmfi.exe, Nkfnln32.exe, Jbmdig32.exe, Kbmahjbk.exe, Lfehpobj.exe, Ekcpdi32.exe, Olfkge32.exe, Ikembicd.exe, Ngiiip32.exe, Ofqonp32.exe, Hiieqd32.exe, Apjpglfn.exe, Hpplfm32.exe, Fmffhi32.exe, Nkmffegm.exe, Iopgjp32.exe

description | ioc | process
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Jakoae32.dll" | Boqbcbeh.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Cjiiim32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Hpckee32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Aiacqhfi.dll" | Jdnpck32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Mfbgmg32.dll" | Oqajqi32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Ahiimj32.dll" | Anlkakqa.exe
Key created | CLSID_INPROC | Bjehlldb.exe
Key created | CLSID_INPROC | Immqeq32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Iomhkgkb.exe
Key created | CLSID_INPROC | Clehoiam.exe
Key created | CLSID_INPROC | Jajcaj32.exe
Key created | CLSID_INPROC | Kfabfldd.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Pjqdjn32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Lkojhefn.dll" | Nchiao32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Pgjgapaa.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Lmhhcaik.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Elpimpqf.dll" | Ghqqpd32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Jngdfa32.dll" | Epinhg32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Meecojqp.dll" | Fbhhlo32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Gpiogbmb.dll" | Okmceiii.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Biodkpfp.dll" | Phcpdm32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Akdmoj32.dll" | Bbnlia32.exe
Key created | CLSID_INPROC | Aofhcmig.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Dkihaqji.dll" | Iomhkgkb.exe
Key created | CLSID_INPROC | Ohajic32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Bfdlehlc.exe
Key created | CLSID_INPROC | Gcbaop32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Dkihli32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Abehcbci.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Leebcm32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Dmnicmpm.dll" | Nqdjge32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Bdlhjkpi.dll" | Pkbcjn32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Ppmdmcpk.dll" | Hbajjiml.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Cckhlhcj.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Niohnd32.dll" | Ccmdbg32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Fhfdffll.exe
Key created | CLSID_INPROC | Llooad32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Kkmhej32.exe
Key created | CLSID_INPROC | Odkkdqmd.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Nkafoflh.dll" | Gmipmlan.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Doipoldo.exe
Key created | CLSID_INPROC | Efjklh32.exe
Key created | CLSID_INPROC | Ifecen32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Adcobk32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Oficoo32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Kdlhgmlg.dll" | Eickdlcd.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Lefhfe32.dll" | Nldgdpjf.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Bciohe32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Cajokmfi.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Bpdqqmjp.dll" | Nkfnln32.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Jbmdig32.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Imqkdcib.dll" | Kbmahjbk.exe
Set value (str) | CLSID_INPROC\ = "C:\\Windows\\SysWow64\\Pmokcpjc.dll" | Lfehpobj.exe
Set value (str) | CLSID_INPROC\ThreadingModel = "Apartment" | Ekcpdi32.exe
Key created | CLSID_INPROC | Olfkge32.exe
Set (the remaining rows are cut off in the source)
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikembicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngiiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofqonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpligk32.dll" Hiieqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apjpglfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epblob32.dll" Hpplfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmffhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggokji.dll" Nkmffegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iopgjp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
Each listed process is the child of the one above it (nesting depth 1 to 122). From the second entry on, the image path is C:\Windows\SysWOW64\<name> and the recorded command line is C:\Windows\system32\<name>.
1. C:\Users\Admin\AppData\Local\Temp\cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88aN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cfa2cd1f7abdf387c13ba867cd0587720ecb08b1d85567fe9a59d62b124ae88aN.exe"), PID 2792: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2. Iadphghe.exe, PID 3012: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. Imkqmh32.exe, PID 2868: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. Jidngh32.exe, PID 2844: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. Jadlgjjq.exe, PID 2740: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. Jafilj32.exe, PID 2756: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. Kdgane32.exe, PID 2832: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. Kidjfl32.exe, PID 2416: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. Kemgqm32.exe, PID 1580: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. Keodflee.exe, PID 2960: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. Lhpmhgbf.exe, PID 2064: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. Lednal32.exe, PID 1296: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. Ldikbhfh.exe, PID 1448: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. Lkccob32.exe, PID 2232: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. Mnfhfmhc.exe, PID 592: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. Mjmiknng.exe, PID 2684: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. Mkqbhf32.exe, PID 2216: Executes dropped EXE; Loads dropped DLL
18. Mdigakic.exe, PID 1076: Executes dropped EXE; Loads dropped DLL
19. Moahdd32.exe, PID 2420: Executes dropped EXE; Loads dropped DLL
20. Nqbdllld.exe, PID 1056: Executes dropped EXE; Loads dropped DLL
21. Nkjeod32.exe, PID 1668: Executes dropped EXE; Loads dropped DLL
22. Ngafdepl.exe, PID 1372: Executes dropped EXE; Loads dropped DLL
23. Npngng32.exe, PID 2460: Executes dropped EXE; Loads dropped DLL
24. Oiglfm32.exe, PID 2132: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
25. Obamebfc.exe, PID 2292: Executes dropped EXE; Loads dropped DLL
26. Opennf32.exe, PID 2308: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27. Oinbglkm.exe, PID 1596: Executes dropped EXE; Loads dropped DLL
28. Onmgeb32.exe, PID 2804: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
29. Pjchjcmf.exe, PID 2984: Executes dropped EXE; Loads dropped DLL
30. Phhhchlp.exe, PID 2408: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
31. Pfmeddag.exe, PID 2976: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
32. Pebbeq32.exe, PID 2776: Executes dropped EXE; Loads dropped DLL
33. Qakppa32.exe, PID 2772: Executes dropped EXE
34. Aapikqel.exe, PID 2264: Executes dropped EXE
35. Adcobk32.exe, PID 1584: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
36. Apjpglfn.exe, PID 2888: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
37. Ajbdpblo.exe, PID 2200: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38. Bfieec32.exe, PID 2700: Executes dropped EXE
39. Blejgm32.exe, PID 2896: Executes dropped EXE
40. Bfnnpbnn.exe, PID 1616: Executes dropped EXE
41. Bbdoec32.exe, PID 2244: Executes dropped EXE
42. Bdehgnqc.exe, PID 2096: Executes dropped EXE
43. Cqlhlo32.exe, PID 848: Executes dropped EXE
44. Ccjehkek.exe, PID 2652: Executes dropped EXE; Drops file in System32 directory
45. Cmbiap32.exe, PID 2584: Executes dropped EXE
46. Cjfjjd32.exe, PID 1932: Executes dropped EXE
47. Cgjjdijo.exe, PID 2688: Executes dropped EXE
48. Cofohkgi.exe, PID 1992: Executes dropped EXE
49. Cincaq32.exe, PID 1528: Executes dropped EXE
50. Cbfhjfdk.exe, PID 2280: Executes dropped EXE
51. Dpjhcj32.exe, PID 1692: Executes dropped EXE
52. Dicmlpje.exe, PID 1608: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
53. Dnpedghl.exe, PID 2840: Executes dropped EXE
54. Dieiap32.exe, PID 2864: Executes dropped EXE; Drops file in System32 directory
55. Dndoof32.exe, PID 2936: Executes dropped EXE
56. Dfpcdh32.exe, PID 2380: Executes dropped EXE
57. Emilqb32.exe, PID 2508: Executes dropped EXE
58. Emlhfb32.exe, PID 2092: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
59. Ebhani32.exe, PID 3044: Executes dropped EXE
60. Edhmhl32.exe, PID 540: Executes dropped EXE
61. Eiefqc32.exe, PID 584: Executes dropped EXE
62. Eoanij32.exe, PID 2504: Executes dropped EXE; Drops file in System32 directory
63. Ehjbaooe.exe, PID 2480: Executes dropped EXE
64. Fijolbfh.exe, PID 1408: Executes dropped EXE
65. Fbbcdh32.exe, PID 2604: Executes dropped EXE
66. Foidii32.exe, PID 388: Drops file in System32 directory
67. Fagqed32.exe, PID 2476
68. Fokaoh32.exe, PID 2392: Drops file in System32 directory
69. Fhcehngk.exe, PID 884: Adds autorun key to be loaded by Explorer.exe on startup
70. Fmpnpe32.exe, PID 3008
71. Fgibijkb.exe, PID 1604: System Location Discovery: System Language Discovery
72. Gcocnk32.exe, PID 3000
73. Glhhgahg.exe, PID 2148
74. Ggmldj32.exe, PID 2608
75. Gljdlq32.exe, PID 2532
76. Ghaeaaki.exe, PID 2596
77. Gokmnlcf.exe, PID 1688
78. Glongpao.exe, PID 3036
79. Gegbpe32.exe, PID 2568
80. Hnbgdh32.exe, PID 2332: Drops file in System32 directory
81. Hkfgnldd.exe, PID 2192: Adds autorun key to be loaded by Explorer.exe on startup
82. Hhjhgpcn.exe, PID 976
83. Hngppgae.exe, PID 952
84. Hkkaik32.exe, PID 2444
85. Hnimeg32.exe, PID 1672
86. Hgbanlfc.exe, PID 1656
87. Hnljkf32.exe, PID 1752
88. Ijbjpg32.exe, PID 2256
89. Imaglc32.exe, PID 2836
90. Ifikehii.exe, PID 2876
91. Imccab32.exe, PID 2728: System Location Discovery: System Language Discovery
92. Iflhjh32.exe, PID 1292: Drops file in System32 directory
93. Igoagpja.exe, PID 1020
94. Jkpfcnoe.exe, PID 1144
95. Jijqeg32.exe, PID 1148: Adds autorun key to be loaded by Explorer.exe on startup
96. Jmhile32.exe, PID 2428
97. Jbdadl32.exe, PID 2072
98. Jecnpg32.exe, PID 1220
99. Knkbimbg.exe, PID 288
100. Keekeg32.exe, PID 2376
101. Kpkocpjj.exe, PID 2384
102. Kehgkgha.exe, PID 2892
103. Kjdpcnfi.exe, PID 1600
104. Kldlmqml.exe, PID 2884
105. Kaaeegkc.exe, PID 2712: System Location Discovery: System Language Discovery
106. Kdoaackf.exe, PID 2108: System Location Discovery: System Language Discovery
107. Kacakgip.exe, PID 3020
108. Lgpjcnhh.exe, PID 1840
109. Laenqg32.exe, PID 2140
110. Lbgkhoml.exe, PID 2432: System Location Discovery: System Language Discovery
111. Llooad32.exe, PID 2484: Modifies registry class
112. Lcignoki.exe, PID 1488
113. Licpki32.exe, PID 1464
114. Lophcpam.exe, PID 2324
115. Lielphqc.exe, PID 2860
116. Laqadknn.exe, PID 2456
117. Lhkiae32.exe, PID 3016
118. Mcpmonea.exe, PID 2880
119. Mdajff32.exe, PID 2956
120. Maejpj32.exe, PID 1984
121. Moikinib.exe, PID 1812
122. Mpjgag32.exe, PID 2236