Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 00:58
Static task: static1
Behavioral task: behavioral1
Sample: 9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe
Resource: win10v2004-20241007-en
General
Target: 9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe
Size: 249KB
MD5: f5804954d083bd23e9749ff7088ba83f
SHA1: 4a910120f16ae1b2170f5057e162a72397f06111
SHA256: 9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881
SHA512: 786556853a91caa2463df7331bcb2ffa25aa4e2ea7fb3e85d1467834784c44947ba473aafbaba599ed55a1326656bc8c22ea9580963ef93650d7ea632afe64c3
SSDEEP: 3072:U2c/nAWn+Ijti1i00n3f39e3UEdmjRrz3TIUV4BKxAcL5CY2VePI8C3U/XYMJ2or:Y/nMd1iJf3AkEdGTBki5CYtI8TAokZ
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
pid: 2220, pid_target: 3800, process: WerFault.exe, target process: Hblgkkfa.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgoneo32.dll" Pnfipm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qcfdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jadnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kckjmpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibeeeijg.exe -
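Added example, not part of the sandbox report: the registry rows above describe one persistence mechanism in three pieces, a ShellServiceObjectDelayLoad value naming a CLSID, that CLSID's InProcServer32 default value naming a DLL under SysWow64, and a ThreadingModel value, so that explorer.exe loads the DLL at logon. The Python below parses rows in the report's own "action path = "value" process" shape and joins the pieces per CLSID. The sample events are constructed from entries in the report; the function names and the `rebound` flag (a CLSID whose server DLL was changed more than once, as successive dropped stages do here) are this example's own.

```python
"""Tie ShellServiceObjectDelayLoad (SSODL) entries to the CLSID server DLLs
they cause explorer.exe to load. Added example; sample rows are constructed
from the report above and the function names are this example's own."""
import re

# Constructed sample in the report's "action path [= "value"] process" shape.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilkpac32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpfagd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckahlgg.dll" Gjkfglom.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcncbc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofonpnk.dll" Cqlhlo32.exe
"""

# One row: action, registry path, optional quoted value, writing process.
EVENT_RE = re.compile(
    r'^(?P<action>Set value \(str\)|Key created) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+\.exe)$'
)
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.I)
INPROC_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\(?P<valname>[^\\]*)$', re.I)


def parse_event(line):
    """One report row -> dict, or None for rows in another shape."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["value"] is not None:
        ev["value"] = ev["value"].replace("\\\\", "\\")  # report escapes backslashes
    return ev


def _new_chain():
    return {"ssodl_names": [], "dlls": [], "threading_model": None, "writers": set()}


def persistence_chains(text):
    """CLSID -> SSODL names pointing at it, DLLs its InProcServer32 was set to,
    its ThreadingModel, and the processes that wrote those values."""
    chains = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "Set value (str)":
            continue
        ss = SSODL_RE.search(ev["path"])
        if ss:  # SSODL value: name -> CLSID that explorer.exe will instantiate
            chain = chains.setdefault(ev["value"].upper(), _new_chain())
            chain["ssodl_names"].append(ss["name"])
            chain["writers"].add(ev["process"])
            continue
        ip = INPROC_RE.search(ev["path"])
        if ip:  # InProcServer32 (Default) = DLL path; ThreadingModel alongside it
            chain = chains.setdefault(ip["clsid"].upper(), _new_chain())
            if ip["valname"] == "":
                chain["dlls"].append(ev["value"])
            elif ip["valname"].lower() == "threadingmodel":
                chain["threading_model"] = ev["value"]
            chain["writers"].add(ev["process"])
    return chains


def findings(chains):
    """CLSIDs reachable from SSODL that also have a server DLL; `rebound` marks
    a CLSID whose server was changed more than once."""
    out = []
    for clsid, c in sorted(chains.items()):
        if not c["ssodl_names"] or not c["dlls"]:
            continue  # autoload entry with no server, or a server nobody autoloads
        out.append({
            "clsid": clsid,
            "loaded_by_explorer_as": c["ssodl_names"],
            "server_dlls": c["dlls"],
            "rebound": len(set(c["dlls"])) > 1,
            "writers": sorted(c["writers"]),
        })
    return out


if __name__ == "__main__":
    for f in findings(persistence_chains(SAMPLE_EVENTS)):
        print(f)
```

Only "Set value" rows change what gets loaded; "Key created" rows are ignored, which is why Lpfagd32.exe does not appear among the writers. On a live host the same join can be made against the registry itself: every SSODL value is a CLSID, and its InProcServer32 default is a DLL that explorer.exe will load without any further prompt.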
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe, Ocfiif32.exe, Oqjibkek.exe, Pcmoie32.exe, Pbdipa32.exe, Pajeanhf.exe, Qpaohjkk.exe, Qaqlbmbn.exe, Aiqjao32.exe, Anpooe32.exe, Bhjpnj32.exe, Bdaabk32.exe, Blaobmkq.exe, Ceickb32.exe, Cniajdkg.exe, Cgdciiod.exe
description | pid | process | target process (each row was logged 4 times, 16 x 4 = 64 IoCs)
PID 2208 wrote to memory of 2844 | 2208 | 9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe | Ocfiif32.exe
PID 2844 wrote to memory of 2808 | 2844 | Ocfiif32.exe | Oqjibkek.exe
PID 2808 wrote to memory of 2656 | 2808 | Oqjibkek.exe | Pcmoie32.exe
PID 2656 wrote to memory of 2816 | 2656 | Pcmoie32.exe | Pbdipa32.exe
PID 2816 wrote to memory of 2708 | 2816 | Pbdipa32.exe | Pajeanhf.exe
PID 2708 wrote to memory of 2824 | 2708 | Pajeanhf.exe | Qpaohjkk.exe
PID 2824 wrote to memory of 2560 | 2824 | Qpaohjkk.exe | Qaqlbmbn.exe
PID 2560 wrote to memory of 2584 | 2560 | Qaqlbmbn.exe | Aiqjao32.exe
PID 2584 wrote to memory of 2956 | 2584 | Aiqjao32.exe | Anpooe32.exe
PID 2956 wrote to memory of 1148 | 2956 | Anpooe32.exe | Bhjpnj32.exe
PID 1148 wrote to memory of 1664 | 1148 | Bhjpnj32.exe | Bdaabk32.exe
PID 1664 wrote to memory of 264 | 1664 | Bdaabk32.exe | Blaobmkq.exe
PID 264 wrote to memory of 2076 | 264 | Blaobmkq.exe | Ceickb32.exe
PID 2076 wrote to memory of 2124 | 2076 | Ceickb32.exe | Cniajdkg.exe
PID 2124 wrote to memory of 1732 | 2124 | Cniajdkg.exe | Cgdciiod.exe
PID 1732 wrote to memory of 2984 | 1732 | Cgdciiod.exe | Dodahk32.exe
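Added example, not from the report: every WriteProcessMemory row above is a parent writing into the child it has just created, and each row repeats four times, so the 64 IoCs collapse to a single linear hand-off chain. The Python below folds rows in the report's "PID X wrote to memory of Y" form into one edge per (writer, target) pair, follows first-writer edges from the root to recover that chain, and separately lists writes into a PID by anything other than its creator, which is what injection into an already-running process would look like. The log lines are constructed from the rows above; the last one, Pcmoie32.exe writing into Ocfiif32.exe, is invented for this example to exercise that check and did not occur in the report.

```python
"""Fold sandbox WriteProcessMemory rows into a process hand-off chain.
Added example; log lines are constructed from the report's rows, and the
final line is invented to exercise the foreign-write check."""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

ROOT = "9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe"

# Constructed sample: three real hand-offs, each logged four times as in the
# report, plus one invented write from a later stage back into an earlier one.
SAMPLE_LOG = "\n".join(
    [f"PID 2208 wrote to memory of 2844 2208 {ROOT} Ocfiif32.exe"] * 4
    + ["PID 2844 wrote to memory of 2808 2844 Ocfiif32.exe Oqjibkek.exe"] * 4
    + ["PID 2808 wrote to memory of 2656 2808 Oqjibkek.exe Pcmoie32.exe"] * 4
    + ["PID 2656 wrote to memory of 2844 2656 Pcmoie32.exe Ocfiif32.exe"]  # invented
)


def parse_writes(text):
    """(writer_pid, target_pid) -> process names and how often the row appeared."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(
            key, {"process": m["process"], "target": m["target"], "count": 0})
        edge["count"] += 1
    return edges


def _creators(edges):
    """First writer into a PID (in log order) is taken as its creator: a parent
    writes the new child's memory immediately after CreateProcess."""
    creator = {}
    for src, dst in edges:
        creator.setdefault(dst, src)
    return creator


def spawn_chain(edges, root_pid):
    """Follow creator edges from root; stops where a process has 0 or 2+ children
    or the chain loops back on itself."""
    names = {}
    for (src, dst), e in edges.items():
        names.setdefault(src, e["process"])
        names.setdefault(dst, e["target"])
    children = defaultdict(list)
    for dst, src in _creators(edges).items():
        children[src].append(dst)
    chain, seen, pid = [], set(), root_pid
    while pid not in seen:
        seen.add(pid)
        chain.append((pid, names.get(pid, "?")))
        kids = children.get(pid, [])
        if len(kids) != 1:
            break
        pid = kids[0]
    return chain


def foreign_writes(edges):
    """Writes into a PID by something other than its creator: injection, not spawn."""
    creator = _creators(edges)
    return [(src, dst, e["process"], e["target"])
            for (src, dst), e in edges.items() if creator[dst] != src]


if __name__ == "__main__":
    edges = parse_writes(SAMPLE_LOG)
    print(" -> ".join(f"{name} ({pid})" for pid, name in spawn_chain(edges, 2208)))
    for w in foreign_writes(edges):
        print("foreign write:", w)
```

The "first writer is the creator" rule is a heuristic that holds for this report because every target appears only once as a child; when process-creation events are also available, use them for the parent relation and keep WriteProcessMemory rows only for the foreign-write check.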
Processes
-
Each entry is the child of the entry above it; the bracketed number is its depth in the process tree.

[1] PID 2208  C:\Users\Admin\AppData\Local\Temp\9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\9ca9f45eadce907beb13a7217a695c4ec75dbbc7e8e369ec3e959ce21707d881.exe")
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[2] PID 2844  C:\Windows\SysWOW64\Ocfiif32.exe  (cmd: C:\Windows\system32\Ocfiif32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[3] PID 2808  C:\Windows\SysWOW64\Oqjibkek.exe  (cmd: C:\Windows\system32\Oqjibkek.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[4] PID 2656  C:\Windows\SysWOW64\Pcmoie32.exe  (cmd: C:\Windows\system32\Pcmoie32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[5] PID 2816  C:\Windows\SysWOW64\Pbdipa32.exe  (cmd: C:\Windows\system32\Pbdipa32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[6] PID 2708  C:\Windows\SysWOW64\Pajeanhf.exe  (cmd: C:\Windows\system32\Pajeanhf.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[7] PID 2824  C:\Windows\SysWOW64\Qpaohjkk.exe  (cmd: C:\Windows\system32\Qpaohjkk.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[8] PID 2560  C:\Windows\SysWOW64\Qaqlbmbn.exe  (cmd: C:\Windows\system32\Qaqlbmbn.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[9] PID 2584  C:\Windows\SysWOW64\Aiqjao32.exe  (cmd: C:\Windows\system32\Aiqjao32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[10] PID 2956  C:\Windows\SysWOW64\Anpooe32.exe  (cmd: C:\Windows\system32\Anpooe32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[11] PID 1148  C:\Windows\SysWOW64\Bhjpnj32.exe  (cmd: C:\Windows\system32\Bhjpnj32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[12] PID 1664  C:\Windows\SysWOW64\Bdaabk32.exe  (cmd: C:\Windows\system32\Bdaabk32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[13] PID 264  C:\Windows\SysWOW64\Blaobmkq.exe  (cmd: C:\Windows\system32\Blaobmkq.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[14] PID 2076  C:\Windows\SysWOW64\Ceickb32.exe  (cmd: C:\Windows\system32\Ceickb32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[15] PID 2124  C:\Windows\SysWOW64\Cniajdkg.exe  (cmd: C:\Windows\system32\Cniajdkg.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[16] PID 1732  C:\Windows\SysWOW64\Cgdciiod.exe  (cmd: C:\Windows\system32\Cgdciiod.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[17] PID 2984  C:\Windows\SysWOW64\Dodahk32.exe  (cmd: C:\Windows\system32\Dodahk32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[18] PID 1584  C:\Windows\SysWOW64\Dfpfke32.exe  (cmd: C:\Windows\system32\Dfpfke32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
[19] PID 1060  C:\Windows\SysWOW64\Eokgij32.exe  (cmd: C:\Windows\system32\Eokgij32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[20] PID 2484  C:\Windows\SysWOW64\Ehclbpic.exe  (cmd: C:\Windows\system32\Ehclbpic.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[21] PID 1080  C:\Windows\SysWOW64\Edmilpld.exe  (cmd: C:\Windows\system32\Edmilpld.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[22] PID 2092  C:\Windows\SysWOW64\Emhnqbjo.exe  (cmd: C:\Windows\system32\Emhnqbjo.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[23] PID 1628  C:\Windows\SysWOW64\Engjkeab.exe  (cmd: C:\Windows\system32\Engjkeab.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[24] PID 1952  C:\Windows\SysWOW64\Fjnkpf32.exe  (cmd: C:\Windows\system32\Fjnkpf32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[25] PID 928  C:\Windows\SysWOW64\Fpmpnmck.exe  (cmd: C:\Windows\system32\Fpmpnmck.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[26] PID 1040  C:\Windows\SysWOW64\Gddobpbe.exe  (cmd: C:\Windows\system32\Gddobpbe.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
[27] PID 2028  C:\Windows\SysWOW64\Ghbhhnhk.exe  (cmd: C:\Windows\system32\Ghbhhnhk.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[28] PID 1588  C:\Windows\SysWOW64\Ghddnnfi.exe  (cmd: C:\Windows\system32\Ghddnnfi.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[29] PID 2928  C:\Windows\SysWOW64\Gfiaojkq.exe  (cmd: C:\Windows\system32\Gfiaojkq.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[30] PID 2432  C:\Windows\SysWOW64\Hijjpeha.exe  (cmd: C:\Windows\system32\Hijjpeha.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
[31] PID 2836  C:\Windows\SysWOW64\Hbekojlp.exe  (cmd: C:\Windows\system32\Hbekojlp.exe)
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
[32] PID 2668  C:\Windows\SysWOW64\Hlmphp32.exe  (cmd: C:\Windows\system32\Hlmphp32.exe)
    - Executes dropped EXE
    - Loads dropped DLL
[33] PID 1780  C:\Windows\SysWOW64\Hkbmil32.exe  (cmd: C:\Windows\system32\Hkbmil32.exe)
    - Executes dropped EXE
[34] PID 2544  C:\Windows\SysWOW64\Hginnmml.exe  (cmd: C:\Windows\system32\Hginnmml.exe)
    - Executes dropped EXE
[35] PID 1524  C:\Windows\SysWOW64\Ihijhpdo.exe  (cmd: C:\Windows\system32\Ihijhpdo.exe)
    - Executes dropped EXE
[36] PID 3020  C:\Windows\SysWOW64\Ilkpac32.exe  (cmd: C:\Windows\system32\Ilkpac32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[37] PID 2740  C:\Windows\SysWOW64\Iciaim32.exe  (cmd: C:\Windows\system32\Iciaim32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[38] PID 2720  C:\Windows\SysWOW64\Jkdfmoha.exe  (cmd: C:\Windows\system32\Jkdfmoha.exe)
    - Executes dropped EXE
[39] PID 1740  C:\Windows\SysWOW64\Jldbgb32.exe  (cmd: C:\Windows\system32\Jldbgb32.exe)
    - Executes dropped EXE
[40] PID 2412  C:\Windows\SysWOW64\Jhkclc32.exe  (cmd: C:\Windows\system32\Jhkclc32.exe)
    - Executes dropped EXE
[41] PID 604  C:\Windows\SysWOW64\Jbcgeilh.exe  (cmd: C:\Windows\system32\Jbcgeilh.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[42] PID 2436  C:\Windows\SysWOW64\Jkllnn32.exe  (cmd: C:\Windows\system32\Jkllnn32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[43] PID 680  C:\Windows\SysWOW64\Jqhdfe32.exe  (cmd: C:\Windows\system32\Jqhdfe32.exe)
    - Executes dropped EXE
[44] PID 1456  C:\Windows\SysWOW64\Jjqiok32.exe  (cmd: C:\Windows\system32\Jjqiok32.exe)
    - Executes dropped EXE
[45] PID 2100  C:\Windows\SysWOW64\Knoaeimg.exe  (cmd: C:\Windows\system32\Knoaeimg.exe)
    - Executes dropped EXE
[46] PID 1200  C:\Windows\SysWOW64\Kckjmpko.exe  (cmd: C:\Windows\system32\Kckjmpko.exe)
    - Executes dropped EXE
    - Modifies registry class
[47] PID 1048  C:\Windows\SysWOW64\Kobkbaac.exe  (cmd: C:\Windows\system32\Kobkbaac.exe)
    - Executes dropped EXE
[48] PID 1548  C:\Windows\SysWOW64\Kikokf32.exe  (cmd: C:\Windows\system32\Kikokf32.exe)
    - Executes dropped EXE
[49] PID 1672  C:\Windows\SysWOW64\Kbcddlnd.exe  (cmd: C:\Windows\system32\Kbcddlnd.exe)
    - Executes dropped EXE
[50] PID 2940  C:\Windows\SysWOW64\Kkkhmadd.exe  (cmd: C:\Windows\system32\Kkkhmadd.exe)
    - Executes dropped EXE
[51] PID 1600  C:\Windows\SysWOW64\Kecmfg32.exe  (cmd: C:\Windows\system32\Kecmfg32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
[52] PID 1704  C:\Windows\SysWOW64\Lnlaomae.exe  (cmd: C:\Windows\system32\Lnlaomae.exe)
    - Executes dropped EXE
[53] PID 2852  C:\Windows\SysWOW64\Llpaha32.exe  (cmd: C:\Windows\system32\Llpaha32.exe)
    - Executes dropped EXE
[54] PID 2644  C:\Windows\SysWOW64\Lnqkjl32.exe  (cmd: C:\Windows\system32\Lnqkjl32.exe)
    - Executes dropped EXE
[55] PID 2348  C:\Windows\SysWOW64\Lcncbc32.exe  (cmd: C:\Windows\system32\Lcncbc32.exe)
    - Executes dropped EXE
    - Modifies registry class
[56] PID 2228  C:\Windows\SysWOW64\Lhklha32.exe  (cmd: C:\Windows\system32\Lhklha32.exe)
    - Executes dropped EXE
[57] PID 2600  C:\Windows\SysWOW64\Lmhdph32.exe  (cmd: C:\Windows\system32\Lmhdph32.exe)
    - Executes dropped EXE
[58] PID 2912  C:\Windows\SysWOW64\Mioeeifi.exe  (cmd: C:\Windows\system32\Mioeeifi.exe)
    - Executes dropped EXE
[59] PID 988  C:\Windows\SysWOW64\Miaaki32.exe  (cmd: C:\Windows\system32\Miaaki32.exe)
    - Executes dropped EXE
[60] PID 584  C:\Windows\SysWOW64\Mehbpjjk.exe  (cmd: C:\Windows\system32\Mehbpjjk.exe)
    - Executes dropped EXE
[61] PID 1360  C:\Windows\SysWOW64\Moqgiopk.exe  (cmd: C:\Windows\system32\Moqgiopk.exe)
    - Executes dropped EXE
[62] PID 2564  C:\Windows\SysWOW64\Mejoei32.exe  (cmd: C:\Windows\system32\Mejoei32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[63] PID 996  C:\Windows\SysWOW64\Mkggnp32.exe  (cmd: C:\Windows\system32\Mkggnp32.exe)
    - Executes dropped EXE
[64] PID 660  C:\Windows\SysWOW64\Mdplfflp.exe  (cmd: C:\Windows\system32\Mdplfflp.exe)
    - Executes dropped EXE
[65] PID 1580  C:\Windows\SysWOW64\Noepdo32.exe  (cmd: C:\Windows\system32\Noepdo32.exe)
    - Executes dropped EXE
[66] PID 1692  C:\Windows\SysWOW64\Ndbile32.exe  (cmd: C:\Windows\system32\Ndbile32.exe)
[67] PID 2504  C:\Windows\SysWOW64\Nmjmekan.exe  (cmd: C:\Windows\system32\Nmjmekan.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
[68] PID 1684  C:\Windows\SysWOW64\Nianjl32.exe  (cmd: C:\Windows\system32\Nianjl32.exe)
    - Modifies registry class
[69] PID 3036  C:\Windows\SysWOW64\Npkfff32.exe  (cmd: C:\Windows\system32\Npkfff32.exe)
[70] PID 2880  C:\Windows\SysWOW64\Nickoldp.exe  (cmd: C:\Windows\system32\Nickoldp.exe)
[71] PID 2896  C:\Windows\SysWOW64\Ndiomdde.exe  (cmd: C:\Windows\system32\Ndiomdde.exe)
[72] PID 2904  C:\Windows\SysWOW64\Nmacej32.exe  (cmd: C:\Windows\system32\Nmacej32.exe)
[73] PID 2712  C:\Windows\SysWOW64\Oaciom32.exe  (cmd: C:\Windows\system32\Oaciom32.exe)
    - System Location Discovery: System Language Discovery
[74] PID 2968  C:\Windows\SysWOW64\Oddbqhkf.exe  (cmd: C:\Windows\system32\Oddbqhkf.exe)
    - System Location Discovery: System Language Discovery
[75] PID 3028  C:\Windows\SysWOW64\Oojfnakl.exe  (cmd: C:\Windows\system32\Oojfnakl.exe)
[76] PID 1288  C:\Windows\SysWOW64\Pncljmko.exe  (cmd: C:\Windows\system32\Pncljmko.exe)
[77] PID 2372  C:\Windows\SysWOW64\Pnfipm32.exe  (cmd: C:\Windows\system32\Pnfipm32.exe)
    - Drops file in System32 directory
    - Modifies registry class
[78] PID 2104  C:\Windows\SysWOW64\Pfando32.exe  (cmd: C:\Windows\system32\Pfando32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
[79] PID 2084  C:\Windows\SysWOW64\Pmkfqind.exe  (cmd: C:\Windows\system32\Pmkfqind.exe)
[80] PID 936  C:\Windows\SysWOW64\Pdigkk32.exe  (cmd: C:\Windows\system32\Pdigkk32.exe)
[81] PID 1968  C:\Windows\SysWOW64\Qbmhdp32.exe  (cmd: C:\Windows\system32\Qbmhdp32.exe)
[82] PID 1972  C:\Windows\SysWOW64\Qifpqi32.exe  (cmd: C:\Windows\system32\Qifpqi32.exe)
[83] PID 2244  C:\Windows\SysWOW64\Aiimfi32.exe  (cmd: C:\Windows\system32\Aiimfi32.exe)
    - System Location Discovery: System Language Discovery
    - Modifies registry class
[84] PID 2188  C:\Windows\SysWOW64\Aadakl32.exe  (cmd: C:\Windows\system32\Aadakl32.exe)
[85] PID 2108  C:\Windows\SysWOW64\Ajmfca32.exe  (cmd: C:\Windows\system32\Ajmfca32.exe)
[86] PID 2780  C:\Windows\SysWOW64\Aebjaj32.exe  (cmd: C:\Windows\system32\Aebjaj32.exe)
[87] PID 1504  C:\Windows\SysWOW64\Ajociq32.exe  (cmd: C:\Windows\system32\Ajociq32.exe)
[88] PID 3048  C:\Windows\SysWOW64\Agccbenc.exe  (cmd: C:\Windows\system32\Agccbenc.exe)
[89] PID 2724  C:\Windows\SysWOW64\Acjdgf32.exe  (cmd: C:\Windows\system32\Acjdgf32.exe)
[90] PID 884  C:\Windows\SysWOW64\Aiflpm32.exe  (cmd: C:\Windows\system32\Aiflpm32.exe)
[91] PID 552  C:\Windows\SysWOW64\Bfjmia32.exe  (cmd: C:\Windows\system32\Bfjmia32.exe)
[92] PID 2232  C:\Windows\SysWOW64\Blgeahoo.exe  (cmd: C:\Windows\system32\Blgeahoo.exe)
[93] PID 2236  C:\Windows\SysWOW64\Bhnffi32.exe  (cmd: C:\Windows\system32\Bhnffi32.exe)
[94] PID 1384  C:\Windows\SysWOW64\Bbcjca32.exe  (cmd: C:\Windows\system32\Bbcjca32.exe)
[95] PID 1608  C:\Windows\SysWOW64\Bbfgiabg.exe  (cmd: C:\Windows\system32\Bbfgiabg.exe)
[96] PID 2468  C:\Windows\SysWOW64\Bjalndpb.exe  (cmd: C:\Windows\system32\Bjalndpb.exe)
[97] PID 1772  C:\Windows\SysWOW64\Bhelghol.exe  (cmd: C:\Windows\system32\Bhelghol.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
[98] PID 508  C:\Windows\SysWOW64\Cppakj32.exe  (cmd: C:\Windows\system32\Cppakj32.exe)
[99] PID 1480  C:\Windows\SysWOW64\Cihedpcg.exe  (cmd: C:\Windows\system32\Cihedpcg.exe)
    - Drops file in System32 directory
[100] PID 2792  C:\Windows\SysWOW64\Cmfnjnin.exe  (cmd: C:\Windows\system32\Cmfnjnin.exe)
[101] PID 2868  C:\Windows\SysWOW64\Ccecheeb.exe  (cmd: C:\Windows\system32\Ccecheeb.exe)
[102] PID 2136  C:\Windows\SysWOW64\Clnhajlc.exe  (cmd: C:\Windows\system32\Clnhajlc.exe)
[103] PID 1064  C:\Windows\SysWOW64\Dchpnd32.exe  (cmd: C:\Windows\system32\Dchpnd32.exe)
[104] PID 2060  C:\Windows\SysWOW64\Dooqceid.exe  (cmd: C:\Windows\system32\Dooqceid.exe)
    - Drops file in System32 directory
[105] PID 1532  C:\Windows\SysWOW64\Dlbaljhn.exe  (cmd: C:\Windows\system32\Dlbaljhn.exe)
[106] PID 664  C:\Windows\SysWOW64\Ddnfql32.exe  (cmd: C:\Windows\system32\Ddnfql32.exe)
[107] PID 1688  C:\Windows\SysWOW64\Dnfjiali.exe  (cmd: C:\Windows\system32\Dnfjiali.exe)
[108] PID 2976  C:\Windows\SysWOW64\Dgoobg32.exe  (cmd: C:\Windows\system32\Dgoobg32.exe)
[109] PID 1904  C:\Windows\SysWOW64\Dcepgh32.exe  (cmd: C:\Windows\system32\Dcepgh32.exe)
[110] PID 1356  C:\Windows\SysWOW64\Echlmh32.exe  (cmd: C:\Windows\system32\Echlmh32.exe)
[111] PID 2516  C:\Windows\SysWOW64\Enmqjq32.exe  (cmd: C:\Windows\system32\Enmqjq32.exe)
[112] PID 2396  C:\Windows\SysWOW64\Egeecf32.exe  (cmd: C:\Windows\system32\Egeecf32.exe)
[113] PID 2440  C:\Windows\SysWOW64\Elbmkm32.exe  (cmd: C:\Windows\system32\Elbmkm32.exe)
[114] PID 1092  C:\Windows\SysWOW64\Ehinpnpm.exe  (cmd: C:\Windows\system32\Ehinpnpm.exe)
[115] PID 2788  C:\Windows\SysWOW64\Ebabicfn.exe  (cmd: C:\Windows\system32\Ebabicfn.exe)
[116] PID 2632  C:\Windows\SysWOW64\Ekjgbi32.exe  (cmd: C:\Windows\system32\Ekjgbi32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
[117] PID 3008  C:\Windows\SysWOW64\Fohphgce.exe  (cmd: C:\Windows\system32\Fohphgce.exe)
[118] PID 1964  C:\Windows\SysWOW64\Fqilppic.exe  (cmd: C:\Windows\system32\Fqilppic.exe)
[119] PID 2420  C:\Windows\SysWOW64\Fbiijb32.exe  (cmd: C:\Windows\system32\Fbiijb32.exe)
[120] PID 112  C:\Windows\SysWOW64\Feiaknmg.exe  (cmd: C:\Windows\system32\Feiaknmg.exe)
[121] PID 2696  C:\Windows\SysWOW64\Fpcblkje.exe  (cmd: C:\Windows\system32\Fpcblkje.exe)
[122] PID 1796  C:\Windows\SysWOW64\Fikgda32.exe  (cmd: C:\Windows\system32\Fikgda32.exe)