Analysis

max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:02

Static task: static1

Behavioral task: behavioral1
Sample: 9dfade6d37ad5945766969aea6a839900441b7770629e3694a60b6edf7bf4cce.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 9dfade6d37ad5945766969aea6a839900441b7770629e3694a60b6edf7bf4cce.exe
Resource: win10v2004-20241007-en

General

Target: 9dfade6d37ad5945766969aea6a839900441b7770629e3694a60b6edf7bf4cce.exe
Size: 100KB
MD5: a7c33b0e092e84bc14f9f98d6bac4d0e
SHA1: 31389c8b640ee375323777ff9cedd4cc9707a173
SHA256: 9dfade6d37ad5945766969aea6a839900441b7770629e3694a60b6edf7bf4cce
SHA512: 751e870b3c46ef3cd2de68355354c40e1d7548f40a334fc1501d6818bf46ab9e22374edd24ccb7351aab262ccd2158809e220de373cdccc6be29d44cde87bf1b
SSDEEP: 3072:z8X2fXp/d4wHav5+nRE/0naIhgb3a3+X13XRzT:z8mfH2068nXu7aOl3BzT

The signatures below are from the windows7_x64 (win7-20240903-en) run. The sample is a 32-bit executable running on 64-bit Windows, which is why every registry path it touches is redirected under Wow6432Node and every file it drops lands in C:\Windows\SysWOW64 rather than System32.
Malware Config

Extracted family: berbew
C2 URLs (as extracted from the binary; host component shown as extracted):
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

The third URL is a printf-style template (%s, %i, %09u, %02d); the sample fills in the fields at runtime, so the literal string will not appear on the wire. For proxy-log searches, pivot on the path components (wcmd.htm, ppslog.php, piplog.php) rather than the full string.
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every IoC list in this report is capped at 64 entries, so identical counts across signatures do not mean identical coverage. The persistence mechanism here is the ShellServiceObjectDelayLoad (SSODL) key: explorer.exe instantiates each CLSID listed there in-process when the shell starts, so no Run key and no service is needed. The dropped processes write a value named "Web Event Logger" whose data is CLSID {79FAA099-1BAE-816E-D711-115290CEE717}; the matching CLSID\...\InProcServer32 registration that maps that GUID to a dropped DLL in SysWOW64 is recorded under "Modifies registry class" further down. A detection that only watches Run/RunOnce will miss this.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (40 rows; three rows carry no process name), by:
Jipaip32.exe, Gjbqjiem.exe, Ghaeoe32.exe, Cnflae32.exe, Magdam32.exe, Nohddd32.exe, Nbpqmfmd.exe, Jqnhmgmk.exe, Blkmdodf.exe, Fblljhbo.exe, Qiflohqk.exe, Jjpdmi32.exe, Pebbcdkn.exe, Bhdhefpc.exe, Hecebm32.exe, Oejcpf32.exe, Ffdilo32.exe, Pflbpg32.exe, Bimphc32.exe, Kghmhegc.exe, Edcqjc32.exe, Jnifaajh.exe, 9dfade6d37ad5945766969aea6a839900441b7770629e3694a60b6edf7bf4cce.exe, Opaqpn32.exe, Epkepakn.exe, Nbmdhfog.exe, Pkmmigjo.exe, Beggec32.exe, Ehclbpic.exe, Mkdioh32.exe, Hflndjin.exe, Makkcc32.exe, Chocodch.exe, Dfngll32.exe, Jbclgf32.exe, Fkilka32.exe, Eepmlf32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (24 rows; two rows carry no process name), by:
Ponklpcg.exe, Cgidfcdk.exe, Fiebnjbg.exe, Eokgij32.exe, Pdbmfb32.exe, Abdeoe32.exe, Ffboohnm.exe, Ikjjda32.exe, Almihjlj.exe, Bpbmqe32.exe, Kekkiq32.exe, Gajjhkgh.exe, Lolofd32.exe, Khadpa32.exe, Mnblhddb.exe, Gedbfimc.exe, Cgbfcjag.exe, Ejioln32.exe, Bchhqo32.exe, Gekhgh32.exe, Codeih32.exe, Mokilo32.exe
Berbew family
Executes dropped EXE (64 IoCs)

The order below matches the file-drop rows further down (for example Imlhebfc.exe creates SysWOW64\Ifgicg32.exe, the next process in this list, and Nqhepeai.exe creates Ncfalqpm.exe), consistent with each dropped executable launching the next one in a chain. Dropped names follow one scheme: eight letters, capitalised, usually ending in "32".

pid  process
2704  Iphgln32.exe
2768  Icdcllpc.exe
2764  Iiqldc32.exe
2668  Imlhebfc.exe
1912  Ifgicg32.exe
1616  Inbnhihl.exe
2932  Jbnjhh32.exe
2368  Jndjmifj.exe
1756  Jhmofo32.exe
316  Jlhkgm32.exe
2652  Jdcpkp32.exe
536  Jjpdmi32.exe
2964  Jmnqje32.exe
2268  Jkbaci32.exe
2192  Kmqmod32.exe
2160  Kmcjedcg.exe
1316  Kpafapbk.exe
1088  Kenoifpb.exe
1748  Klhgfq32.exe
1368  Kcdlhj32.exe
1624  Kaglcgdc.exe
3008  Khadpa32.exe
2084  Llomfpag.exe
1968  Lnqjnhge.exe
2760  Legaoehg.exe
1592  Ljigih32.exe
2672  Laqojfli.exe
2944  Lngpog32.exe
2572  Lpflkb32.exe
848  Mokilo32.exe
1488  Mfeaiime.exe
2912  Mqjefamk.exe
2148  Momfan32.exe
600  Mkfclo32.exe
1612  Mbqkiind.exe
2744  Mdadjd32.exe
1396  Ngpqfp32.exe
2532  Nqhepeai.exe
1364  Ncfalqpm.exe
2264  Ncinap32.exe
1944  Njbfnjeg.exe
956  Nqmnjd32.exe
2520  Nihcog32.exe
1812  Nqokpd32.exe
1772  Ncmglp32.exe
2344  Njgpij32.exe
1976  Nijpdfhm.exe
1992  Nlilqbgp.exe
2456  Ncpdbohb.exe
2660  Ofnpnkgf.exe
2756  Oimmjffj.exe
2720  Omhhke32.exe
2616  Oniebmda.exe
2916  Obeacl32.exe
2888  Ohbikbkb.exe
1168  Olmela32.exe
1100  Onlahm32.exe
2876  Oajndh32.exe
2012  Oiafee32.exe
2808  Olpbaa32.exe
2112  Objjnkie.exe
2980  Oehgjfhi.exe
2040  Olbogqoe.exe
2020  Onqkclni.exe
Loads dropped DLL (64 IoCs)

pid  process (each of the 32 processes below appears twice in the report, i.e. two dropped-DLL loads per process)
2380  9dfade6d37ad5945766969aea6a839900441b7770629e3694a60b6edf7bf4cce.exe
2704  Iphgln32.exe
2768  Icdcllpc.exe
2764  Iiqldc32.exe
2668  Imlhebfc.exe
1912  Ifgicg32.exe
1616  Inbnhihl.exe
2932  Jbnjhh32.exe
2368  Jndjmifj.exe
1756  Jhmofo32.exe
316  Jlhkgm32.exe
2652  Jdcpkp32.exe
536  Jjpdmi32.exe
2964  Jmnqje32.exe
2268  Jkbaci32.exe
2192  Kmqmod32.exe
2160  Kmcjedcg.exe
1316  Kpafapbk.exe
1088  Kenoifpb.exe
1748  Klhgfq32.exe
1368  Kcdlhj32.exe
1624  Kaglcgdc.exe
3008  Khadpa32.exe
2084  Llomfpag.exe
1968  Lnqjnhge.exe
2760  Legaoehg.exe
1592  Ljigih32.exe
2672  Laqojfli.exe
2944  Lngpog32.exe
2572  Lpflkb32.exe
848  Mokilo32.exe
1488  Mfeaiime.exe
Drops file in System32 directory (64 IoCs)

Each process in the chain writes at least one new .exe (the next stage) and, for many of them, a .dll into C:\Windows\SysWOW64. The .dll names use the same scheme as the DLL paths later registered under InProcServer32 in "Modifies registry class". Writing executables into a system directory from a user-mode process with a freshly generated name is the reliable detection here, not the specific names, which change per run.

action | ioc | process
File created | C:\Windows\SysWOW64\Pbajbi32.exe | Phledp32.exe
File created | C:\Windows\SysWOW64\Nhldnm32.dll | Abdbflnf.exe
File opened for modification | C:\Windows\SysWOW64\Ldkdckff.exe | Lehdhn32.exe
File created | C:\Windows\SysWOW64\Ffadkgnl.dll | Ghbljk32.exe
File created | C:\Windows\SysWOW64\Ghibjjfb.dll | Ncgcdi32.exe
File opened for modification | C:\Windows\SysWOW64\Mpngmb32.exe | (none recorded)
File opened for modification | C:\Windows\SysWOW64\Hpgfmeag.exe | Hmijajbd.exe
File opened for modification | C:\Windows\SysWOW64\Joebccpp.exe | Jqbbhg32.exe
File created | C:\Windows\SysWOW64\Iagiph32.dll | Odnobj32.exe
File created | C:\Windows\SysWOW64\Ncfalqpm.exe | Nqhepeai.exe
File created | C:\Windows\SysWOW64\Jmemme32.dll | (none recorded)
File created | C:\Windows\SysWOW64\Dabahf32.dll | Mclgklel.exe
File created | C:\Windows\SysWOW64\Pfchqf32.exe | Ppipdl32.exe
File opened for modification | C:\Windows\SysWOW64\Peeabm32.exe | Pnkiebib.exe
File created | C:\Windows\SysWOW64\Ifgicg32.exe | Imlhebfc.exe
File created | C:\Windows\SysWOW64\Gcjmmdbf.exe | Gkcekfad.exe
File created | C:\Windows\SysWOW64\Kmfpmc32.exe | Kjhcag32.exe
File created | C:\Windows\SysWOW64\Cbghhj32.exe | Ckmpkpbl.exe
File created | C:\Windows\SysWOW64\Dpodgocb.exe | Djeljd32.exe
File created | C:\Windows\SysWOW64\Bplnpkga.dll | Ehhfjcff.exe
File created | C:\Windows\SysWOW64\Ajamfh32.exe | Abjeejep.exe
File created | C:\Windows\SysWOW64\Fdnjkh32.exe | Fmdbnnlj.exe
File opened for modification | C:\Windows\SysWOW64\Gkcekfad.exe | Gefmcp32.exe
File opened for modification | C:\Windows\SysWOW64\Ghekhd32.exe | Gefolhja.exe
File created | C:\Windows\SysWOW64\Hbpkaopd.dll | Ffboohnm.exe
File created | C:\Windows\SysWOW64\Jmgfgham.exe | Jndflk32.exe
File created | C:\Windows\SysWOW64\Qhnmei32.dll | Nokqidll.exe
File created | C:\Windows\SysWOW64\Bdfjnkne.exe | Bmlbaqfh.exe
File created | C:\Windows\SysWOW64\Olpbaa32.exe | Oiafee32.exe
File opened for modification | C:\Windows\SysWOW64\Qobdgo32.exe | Qkghgpfi.exe
File opened for modification | C:\Windows\SysWOW64\Mclqqeaq.exe | Mkdioh32.exe
File created | C:\Windows\SysWOW64\Bjpdhifk.exe | Bcflko32.exe
File created | C:\Windows\SysWOW64\Cjoilfek.exe | Cgqmpkfg.exe
File created | C:\Windows\SysWOW64\Ofdclinq.exe | Ocefpnom.exe
File created | C:\Windows\SysWOW64\Igeddb32.exe | Iqllghon.exe
File created | C:\Windows\SysWOW64\Bjiljf32.exe | Bhjpnj32.exe
File opened for modification | C:\Windows\SysWOW64\Aphcppmo.exe | Aebobgmi.exe
File created | C:\Windows\SysWOW64\Cpbkhabp.exe | Cjhckg32.exe
File created | C:\Windows\SysWOW64\Demaoj32.exe | Dboeco32.exe
File created | C:\Windows\SysWOW64\Inojhc32.exe | Ikqnlh32.exe
File created | C:\Windows\SysWOW64\Laoekk32.dll | Hkogpn32.exe
File created | C:\Windows\SysWOW64\Cbfinf32.dll | (none recorded)
File created | C:\Windows\SysWOW64\Paggce32.exe | Pjmnfk32.exe
File opened for modification | C:\Windows\SysWOW64\Nhqhmj32.exe | Neblqoel.exe
File opened for modification | C:\Windows\SysWOW64\Jfjolf32.exe | Iclbpj32.exe
File created | C:\Windows\SysWOW64\Ladebd32.exe | Lofifi32.exe
File opened for modification | C:\Windows\SysWOW64\Pmmneg32.exe | Peefcjlg.exe
File created | C:\Windows\SysWOW64\Iilceh32.exe | (none recorded)
File created | C:\Windows\SysWOW64\Bdmnkd32.dll | Emdeok32.exe
File opened for modification | C:\Windows\SysWOW64\Dnhefh32.exe | Dhklna32.exe
File created | C:\Windows\SysWOW64\Ibafjo32.dll | Fdnlcakk.exe
File created | C:\Windows\SysWOW64\Kiecgo32.exe | Kfggkc32.exe
File created | C:\Windows\SysWOW64\Inkcem32.exe | Ilifndlo.exe
File created | C:\Windows\SysWOW64\Kakoco32.dll | Abhlak32.exe
File opened for modification | C:\Windows\SysWOW64\Cofofolh.exe | Chlgid32.exe
File opened for modification | C:\Windows\SysWOW64\Cnhhge32.exe | Cgnpjkhj.exe
File opened for modification | C:\Windows\SysWOW64\Idekbgji.exe | Ifbkgj32.exe
File created | C:\Windows\SysWOW64\Akeaja32.dll | Dpodgocb.exe
File created | C:\Windows\SysWOW64\Peefcjlg.exe | Pddjlb32.exe
File opened for modification | C:\Windows\SysWOW64\Jcikog32.exe | Jajocl32.exe
File opened for modification | C:\Windows\SysWOW64\Qldjdlgb.exe | Qekbgbpf.exe
File created | C:\Windows\SysWOW64\Dhdfmbjc.exe | Cffjagko.exe
File created | C:\Windows\SysWOW64\Cqlile32.dll | Bckefnki.exe
File created | C:\Windows\SysWOW64\Objbia32.dll | Hkmaed32.exe
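To turn the file-drop rows into a repeatable check, the following Python script (added here as an example; it is not part of the report, nor code from the Berbew sample) parses rows in the report's own text form, flags writes into System32/SysWOW64 whose file name follows the scheme seen in this run, and rebuilds the dropper-to-dropped chain from the flagged .exe rows. The first five sample rows are copied from the table above; the last two are constructed benign controls. The name regex, the system-directory list and the control rows are assumptions for the example, not a family-wide Berbew signature.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple

# Row shape of the "Drops file in System32 directory" table, one row per line:
#   "<action> <path> [<process>]"   (the process column is empty for some rows)
FILE_ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification) "
    r"(?P<path>[A-Za-z]:\\\S+)(?: (?P<proc>\S+))?$"
)
# Directories a user-mode dropper has no business writing executables into (assumption).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Name scheme observed in this run: eight letters, capitalised, optionally ending in "32".
# This is an assumption taken from this report, not a rule for the whole family.
GENERATED_NAME_RE = re.compile(r"^[A-Z][a-z]{7}$|^[A-Z][a-z]{5}32$")

# Constructed sample: five rows copied from the table above plus two made-up benign
# control rows (the last two are not from the report).
SAMPLE_ROWS = [
    r"File created C:\Windows\SysWOW64\Pbajbi32.exe Phledp32.exe",
    r"File created C:\Windows\SysWOW64\Nhldnm32.dll Abdbflnf.exe",
    r"File opened for modification C:\Windows\SysWOW64\Ldkdckff.exe Lehdhn32.exe",
    r"File created C:\Windows\SysWOW64\Ifgicg32.exe Imlhebfc.exe",
    r"File created C:\Windows\SysWOW64\Jmemme32.dll",
    r"File created C:\Windows\SysWOW64\msvcp140.dll vc_redist.x86.exe",
    r"File created C:\Users\Admin\AppData\Local\Temp\install.log setup.exe",
]


def parse_row(row: str) -> Tuple[str, str, Optional[str]]:
    """Split one report row into (action, path, process-or-None)."""
    m = FILE_ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return m["action"], m["path"], m["proc"]


def looks_generated(filename: str) -> bool:
    """True for an .exe/.dll whose stem matches the generated-name scheme."""
    p = PureWindowsPath(filename)
    return p.suffix.lower() in {".exe", ".dll"} and GENERATED_NAME_RE.match(p.stem) is not None


def triage(rows: List[str]) -> Tuple[List[dict], Dict[str, Set[str]]]:
    """Return (flagged rows, dropper -> set of dropped executables)."""
    flagged: List[dict] = []
    edges: Dict[str, Set[str]] = defaultdict(set)
    for row in rows:
        action, path, proc = parse_row(row)
        p = PureWindowsPath(path)
        in_system_dir = str(p.parent).lower() in SYSTEM_DIRS
        if not (in_system_dir and looks_generated(p.name)):
            continue  # ordinary names or non-system locations are not this pattern
        flagged.append({"action": action, "path": path, "process": proc,
                        "kind": p.suffix.lower().lstrip(".")})
        # "created" and "opened for modification" are both writes of the next-stage binary.
        # Only executables form chain edges; the DLLs are COM servers registered later.
        if proc and p.suffix.lower() == ".exe":
            edges[proc].add(p.name)
    return flagged, dict(edges)


def chain_roots(edges: Dict[str, Set[str]]) -> Set[str]:
    """Droppers that no observed row dropped: where a fuller log would have to start."""
    dropped = {child for children in edges.values() for child in children}
    return {parent for parent in edges if parent not in dropped}


if __name__ == "__main__":
    flagged, edges = triage(SAMPLE_ROWS)
    for f in flagged:
        print(f"{f['action']:28} {f['path']:45} {f['process'] or '(no process)'}")
    print("chain edges:", {k: sorted(v) for k, v in edges.items()})
    print("chain roots:", sorted(chain_roots(edges)))
```

On the full table the roots are the processes the truncated log happens to start with; on a complete Sysmon or EDR file-write feed the only root should be the original sample, and any root that is itself a generated name means the feed missed events.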
Program crash (1 IoC)

pid 3168, pid_target 3200 (process and target process names are not recorded in the report)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Reading this key is also routine for legitimate software (the locale APIs read it), so on its own it is a weak indicator; it matters here only because every reader is one of the dropped processes.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 rows; five rows carry no process name), by:
Golgon32.exe, Goocenaa.exe, Apppkekc.exe, Gmlablaa.exe, Lehdhn32.exe, Jnemfa32.exe, Ageompfe.exe, Jpepkk32.exe, Mdigoo32.exe, Bhjneadb.exe, Epkepakn.exe, Enneln32.exe, Nknkeg32.exe, Jndjmifj.exe, Bhonjg32.exe, Pilbocej.exe, Emdhhdqb.exe, Efedga32.exe, Hmdkjmip.exe, Ghoijebj.exe, Lglmefcg.exe, Phcleoho.exe, Fdlpnamm.exe, Oomjng32.exe, Bacihmoo.exe, Cfehhn32.exe, Ojkeah32.exe, Flcojeak.exe, Kbpefc32.exe, Phgannal.exe, Klcgpkhh.exe, Mnblhddb.exe, Djdjalea.exe, Lijiaabk.exe, Bmelpa32.exe, Oejcpf32.exe, Blinefnd.exe, Ebqngb32.exe, Nanfqo32.exe, Bpbmqe32.exe, Mpnkopeh.exe, Cgqmpkfg.exe, Eclcon32.exe, Djjjga32.exe, Dgnjqe32.exe, Koflgf32.exe, Opaqpn32.exe, Paiche32.exe, Momfan32.exe, Oehgjfhi.exe, Bgghac32.exe, Ajjgei32.exe, Enenef32.exe, Doqkpl32.exe, Gekhgh32.exe, Bjpdhifk.exe, Mclqqeaq.exe, Boeoek32.exe, Jqeomfgc.exe
Modifies registry class (64 IoCs)

This is the other half of the SSODL persistence described under "Adds autorun key": the CLSID named by the "Web Event Logger" value is registered under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, with the key's default value (shown by the report as a trailing backslash with no value name) pointing to a dropped DLL in C:\Windows\SysWow64 and ThreadingModel = "Apartment". Successive processes in the chain overwrite the DLL path with their own drop, so the value on disk at the end depends on how far the chain ran before the sandbox timed out. The report's table is cut off mid-row at the end.

In the rows below, CLSID_KEY stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32.

Processes: Cpbkhabp.exe, Mhalngad.exe, Obeacl32.exe, Eeagimdf.exe, Ldkdckff.exe, Eddjhb32.exe, Ldjmidcj.exe, Qmepanje.exe, Cnlnpd32.exe, Aeokba32.exe, Lchqcd32.exe, Gdkebolm.exe, Eogolc32.exe, Cfknhi32.exe, Jfojpn32.exe, Bchhqo32.exe, Glckihcg.exe, Afcdpi32.exe, Mkacfiga.exe, Fappgflg.exe, Ojeakfnd.exe, Cgqmpkfg.exe, Igeddb32.exe, Hjlemlnk.exe, Jkbaci32.exe, Ioeclg32.exe, Miocmq32.exe, Kgocid32.exe, Inepgn32.exe, Odnobj32.exe, Mhninb32.exe, Beldao32.exe, Elibpg32.exe, Bqolji32.exe, Mgmmfjip.exe, Ckkenikc.exe, Omhhke32.exe, Iediin32.exe, Floeof32.exe, Pegnglnm.exe, Bbjpil32.exe, Ifgklp32.exe, Ceqjla32.exe, Llepen32.exe, Fakglf32.exe, Jfmnkn32.exe, Jipaip32.exe, Dghjkpck.exe, Pfqlkfoc.exe, Ejgeogmn.exe, Koflgf32.exe, Ifgicg32.exe, Gaeqmk32.exe, Pdnkanfg.exe, Ncpdbohb.exe, Ladebd32.exe, Lhnmoo32.exe

action | ioc | process
Key created | CLSID_KEY | Cpbkhabp.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Dknnijed.dll" | Mhalngad.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Nijjkf32.dll" | Obeacl32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Ielqinkm.dll" | Eeagimdf.exe
Key created | CLSID_KEY | Ldkdckff.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Eddjhb32.exe
Key created | CLSID_KEY | Ldjmidcj.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Aemmee32.dll" | Qmepanje.exe
Key created | CLSID_KEY | Cnlnpd32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Aeokba32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Lchqcd32.exe
Key created | CLSID_KEY | Gdkebolm.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Eogolc32.exe
Key created | CLSID_KEY | Cfknhi32.exe
Key created | CLSID_KEY | Jfojpn32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Bchhqo32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Glckihcg.exe
Key created | CLSID_KEY | Afcdpi32.exe
Key created | CLSID_KEY | Mkacfiga.exe
Key created | CLSID_KEY | Fappgflg.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Ojeakfnd.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Cgqmpkfg.exe
Key created | CLSID_KEY | Igeddb32.exe
Key created | CLSID_KEY | Hjlemlnk.exe
Key created | CLSID_KEY | Jkbaci32.exe
Key created | CLSID_KEY | Ioeclg32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Ddhbllim.dll" | Miocmq32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Pemapqnd.dll" | Kgocid32.exe
Key created | CLSID_KEY | Inepgn32.exe
Key created | CLSID_KEY | Odnobj32.exe
Key created | CLSID_KEY | Mhninb32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Beldao32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Elibpg32.exe
Key created | CLSID_KEY | Bqolji32.exe
Key created | CLSID_KEY | (none recorded)
Key created | CLSID_KEY | Mgmmfjip.exe
Key created | CLSID_KEY | Ckkenikc.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Dggajf32.dll" | Omhhke32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Bgcmiq32.dll" | Iediin32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Floeof32.exe
Key created | CLSID_KEY | Pegnglnm.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Canipj32.dll" | Bbjpil32.exe
Key created | CLSID_KEY | Ifgklp32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Befddlni.dll" | Ceqjla32.exe
Key created | CLSID_KEY | (none recorded)
Key created | CLSID_KEY | Llepen32.exe
Key created | CLSID_KEY | Fakglf32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Jfmnkn32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | (none recorded)
Key created | CLSID_KEY | Jipaip32.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | (none recorded)
Key created | CLSID_KEY | Dghjkpck.exe
Key created | CLSID_KEY | Pfqlkfoc.exe
Key created | CLSID_KEY | Ejgeogmn.exe
Set value (str) | CLSID_KEY\ThreadingModel = "Apartment" | Koflgf32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Fgmkef32.dll" | Ifgicg32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Jkadjjcg.dll" | Gaeqmk32.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll" | Cpbkhabp.exe
Set value (str) | CLSID_KEY\ = "C:\\Windows\\SysWow64\\Pdkiinlj.dll" | Pdnkanfg.exe
Set value (str) | CLSID_KEY\ThreadingModel = (value and process cut off in the report)
"Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncpdbohb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ladebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koflgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhnmoo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree as reported by the sandbox. The bracketed number is the nesting depth, so each process is the child of the one listed above it. The sample is launched from its temp path; every dropped child is started with the command line C:\Windows\system32\<name>.exe and its image resolves to C:\Windows\SysWOW64\<name>.exe. The signatures triggered by each process follow its PID.
- [1] C:\Users\Admin\AppData\Local\Temp\9dfade6d37ad5945766969aea6a839900441b7770629e3694a60b6edf7bf4cce.exe (PID 2380): Adds autorun key to be loaded by Explorer.exe on startup; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Iphgln32.exe (PID 2704): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Icdcllpc.exe (PID 2768): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Iiqldc32.exe (PID 2764): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Imlhebfc.exe (PID 2668): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Ifgicg32.exe (PID 1912): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Inbnhihl.exe (PID 1616): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Jbnjhh32.exe (PID 2932): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Jndjmifj.exe (PID 2368): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Jhmofo32.exe (PID 1756): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Jlhkgm32.exe (PID 316): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Jdcpkp32.exe (PID 2652): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Jjpdmi32.exe (PID 536): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Jmnqje32.exe (PID 2964): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Jkbaci32.exe (PID 2268): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Kmqmod32.exe (PID 2192): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Kmcjedcg.exe (PID 2160): Executes dropped EXE; Loads dropped DLL
- [18] C:\Windows\SysWOW64\Kpafapbk.exe (PID 1316): Executes dropped EXE; Loads dropped DLL
- [19] C:\Windows\SysWOW64\Kenoifpb.exe (PID 1088): Executes dropped EXE; Loads dropped DLL
- [20] C:\Windows\SysWOW64\Klhgfq32.exe (PID 1748): Executes dropped EXE; Loads dropped DLL
- [21] C:\Windows\SysWOW64\Kcdlhj32.exe (PID 1368): Executes dropped EXE; Loads dropped DLL
- [22] C:\Windows\SysWOW64\Kaglcgdc.exe (PID 1624): Executes dropped EXE; Loads dropped DLL
- [23] C:\Windows\SysWOW64\Khadpa32.exe (PID 3008): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- [24] C:\Windows\SysWOW64\Llomfpag.exe (PID 2084): Executes dropped EXE; Loads dropped DLL
- [25] C:\Windows\SysWOW64\Lnqjnhge.exe (PID 1968): Executes dropped EXE; Loads dropped DLL
- [26] C:\Windows\SysWOW64\Legaoehg.exe (PID 2760): Executes dropped EXE; Loads dropped DLL
- [27] C:\Windows\SysWOW64\Ljigih32.exe (PID 1592): Executes dropped EXE; Loads dropped DLL
- [28] C:\Windows\SysWOW64\Laqojfli.exe (PID 2672): Executes dropped EXE; Loads dropped DLL
- [29] C:\Windows\SysWOW64\Lngpog32.exe (PID 2944): Executes dropped EXE; Loads dropped DLL
- [30] C:\Windows\SysWOW64\Lpflkb32.exe (PID 2572): Executes dropped EXE; Loads dropped DLL
- [31] C:\Windows\SysWOW64\Mokilo32.exe (PID 848): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- [32] C:\Windows\SysWOW64\Mfeaiime.exe (PID 1488): Executes dropped EXE; Loads dropped DLL
- [33] C:\Windows\SysWOW64\Mqjefamk.exe (PID 2912): Executes dropped EXE
- [34] C:\Windows\SysWOW64\Momfan32.exe (PID 2148): Executes dropped EXE; System Location Discovery: System Language Discovery
- [35] C:\Windows\SysWOW64\Mkfclo32.exe (PID 600): Executes dropped EXE
- [36] C:\Windows\SysWOW64\Mbqkiind.exe (PID 1612): Executes dropped EXE
- [37] C:\Windows\SysWOW64\Mdadjd32.exe (PID 2744): Executes dropped EXE
- [38] C:\Windows\SysWOW64\Ngpqfp32.exe (PID 1396): Executes dropped EXE
- [39] C:\Windows\SysWOW64\Nqhepeai.exe (PID 2532): Executes dropped EXE; Drops file in System32 directory
- [40] C:\Windows\SysWOW64\Ncfalqpm.exe (PID 1364): Executes dropped EXE
- [41] C:\Windows\SysWOW64\Ncinap32.exe (PID 2264): Executes dropped EXE
- [42] C:\Windows\SysWOW64\Njbfnjeg.exe (PID 1944): Executes dropped EXE
- [43] C:\Windows\SysWOW64\Nqmnjd32.exe (PID 956): Executes dropped EXE
- [44] C:\Windows\SysWOW64\Nihcog32.exe (PID 2520): Executes dropped EXE
- [45] C:\Windows\SysWOW64\Nqokpd32.exe (PID 1812): Executes dropped EXE
- [46] C:\Windows\SysWOW64\Ncmglp32.exe (PID 1772): Executes dropped EXE
- [47] C:\Windows\SysWOW64\Njgpij32.exe (PID 2344): Executes dropped EXE
- [48] C:\Windows\SysWOW64\Nijpdfhm.exe (PID 1976): Executes dropped EXE
- [49] C:\Windows\SysWOW64\Nlilqbgp.exe (PID 1992): Executes dropped EXE
- [50] C:\Windows\SysWOW64\Ncpdbohb.exe (PID 2456): Executes dropped EXE; Modifies registry class
- [51] C:\Windows\SysWOW64\Ofnpnkgf.exe (PID 2660): Executes dropped EXE
- [52] C:\Windows\SysWOW64\Oimmjffj.exe (PID 2756): Executes dropped EXE
- [53] C:\Windows\SysWOW64\Omhhke32.exe (PID 2720): Executes dropped EXE; Modifies registry class
- [54] C:\Windows\SysWOW64\Oniebmda.exe (PID 2616): Executes dropped EXE
- [55] C:\Windows\SysWOW64\Obeacl32.exe (PID 2916): Executes dropped EXE; Modifies registry class
- [56] C:\Windows\SysWOW64\Ohbikbkb.exe (PID 2888): Executes dropped EXE
- [57] C:\Windows\SysWOW64\Olmela32.exe (PID 1168): Executes dropped EXE
- [58] C:\Windows\SysWOW64\Onlahm32.exe (PID 1100): Executes dropped EXE
- [59] C:\Windows\SysWOW64\Oajndh32.exe (PID 2876): Executes dropped EXE
- [60] C:\Windows\SysWOW64\Oiafee32.exe (PID 2012): Executes dropped EXE; Drops file in System32 directory
- [61] C:\Windows\SysWOW64\Olpbaa32.exe (PID 2808): Executes dropped EXE
- [62] C:\Windows\SysWOW64\Objjnkie.exe (PID 2112): Executes dropped EXE
- [63] C:\Windows\SysWOW64\Oehgjfhi.exe (PID 2980): Executes dropped EXE; System Location Discovery: System Language Discovery
- [64] C:\Windows\SysWOW64\Olbogqoe.exe (PID 2040): Executes dropped EXE
- [65] C:\Windows\SysWOW64\Onqkclni.exe (PID 2020): Executes dropped EXE
- [66] C:\Windows\SysWOW64\Oejcpf32.exe (PID 2204): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- [67] C:\Windows\SysWOW64\Ohipla32.exe (PID 2480)
- [68] C:\Windows\SysWOW64\Pnchhllf.exe (PID 2696)
- [69] C:\Windows\SysWOW64\Ppddpd32.exe (PID 1564)
- [70] C:\Windows\SysWOW64\Pdppqbkn.exe (PID 1596)
- [71] C:\Windows\SysWOW64\Pfnmmn32.exe (PID 2548)
- [72] C:\Windows\SysWOW64\Pmhejhao.exe (PID 2196)
- [73] C:\Windows\SysWOW64\Ppfafcpb.exe (PID 3044)
- [74] C:\Windows\SysWOW64\Pdbmfb32.exe (PID 2120): Adds autorun key to be loaded by Explorer.exe on startup
- [75] C:\Windows\SysWOW64\Pjleclph.exe (PID 2052)
- [76] C:\Windows\SysWOW64\Plmbkd32.exe (PID 1380)
- [77] C:\Windows\SysWOW64\Pddjlb32.exe (PID 2812): Drops file in System32 directory
- [78] C:\Windows\SysWOW64\Peefcjlg.exe (PID 2252): Drops file in System32 directory
- [79] C:\Windows\SysWOW64\Pmmneg32.exe (PID 1064)
- [80] C:\Windows\SysWOW64\Ponklpcg.exe (PID 2404): Adds autorun key to be loaded by Explorer.exe on startup
- [81] C:\Windows\SysWOW64\Pfebnmcj.exe (PID 1972)
- [82] C:\Windows\SysWOW64\Plbkfdba.exe (PID 936)
- [83] C:\Windows\SysWOW64\Popgboae.exe (PID 2940)
- [84] C:\Windows\SysWOW64\Paocnkph.exe (PID 1792)
- [85] C:\Windows\SysWOW64\Qiflohqk.exe (PID 2492): Adds autorun key to be loaded by Explorer.exe on startup
- [86] C:\Windows\SysWOW64\Qkghgpfi.exe (PID 1716): Drops file in System32 directory
- [87] C:\Windows\SysWOW64\Qobdgo32.exe (PID 2116)
- [88] C:\Windows\SysWOW64\Qaapcj32.exe (PID 2692)
- [89] C:\Windows\SysWOW64\Qhkipdeb.exe (PID 2604)
- [90] C:\Windows\SysWOW64\Qoeamo32.exe (PID 2372)
- [91] C:\Windows\SysWOW64\Qmhahkdj.exe (PID 544)
- [92] C:\Windows\SysWOW64\Adaiee32.exe (PID 872)
- [93] C:\Windows\SysWOW64\Aklabp32.exe (PID 2016)
- [94] C:\Windows\SysWOW64\Aaejojjq.exe (PID 572)
- [95] C:\Windows\SysWOW64\Ahpbkd32.exe (PID 1896)
- [96] C:\Windows\SysWOW64\Aiaoclgl.exe (PID 696)
- [97] C:\Windows\SysWOW64\Acicla32.exe (PID 3064)
- [98] C:\Windows\SysWOW64\Ageompfe.exe (PID 1692): System Location Discovery: System Language Discovery
- [99] C:\Windows\SysWOW64\Ajckilei.exe (PID 2780)
- [100] C:\Windows\SysWOW64\Apmcefmf.exe (PID 2852)
- [101] C:\Windows\SysWOW64\Adipfd32.exe (PID 1952)
- [102] C:\Windows\SysWOW64\Aejlnmkm.exe (PID 3004)
- [103] C:\Windows\SysWOW64\Ajehnk32.exe (PID 2348)
- [104] C:\Windows\SysWOW64\Apppkekc.exe (PID 856): System Location Discovery: System Language Discovery
- [105] C:\Windows\SysWOW64\Acnlgajg.exe (PID 1028)
- [106] C:\Windows\SysWOW64\Ajhddk32.exe (PID 2128)
- [107] C:\Windows\SysWOW64\Bpbmqe32.exe (PID 2500): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- [108] C:\Windows\SysWOW64\Bacihmoo.exe (PID 2524): System Location Discovery: System Language Discovery
- [109] C:\Windows\SysWOW64\Bfoeil32.exe (PID 3060)
- [110] C:\Windows\SysWOW64\Blinefnd.exe (PID 2312): System Location Discovery: System Language Discovery
- [111] C:\Windows\SysWOW64\Bkknac32.exe (PID 896)
- [112] C:\Windows\SysWOW64\Baefnmml.exe (PID 2584)
- [113] C:\Windows\SysWOW64\Bfabnl32.exe (PID 576)
- [114] C:\Windows\SysWOW64\Bhonjg32.exe (PID 2352): System Location Discovery: System Language Discovery
- [115] C:\Windows\SysWOW64\Bbhccm32.exe (PID 2868)
- [116] C:\Windows\SysWOW64\Bdfooh32.exe (PID 1724)
- [117] C:\Windows\SysWOW64\Bgdkkc32.exe (PID 2124)
- [118] C:\Windows\SysWOW64\Bolcma32.exe (PID 2176)
- [119] C:\Windows\SysWOW64\Bbjpil32.exe (PID 1552): Modifies registry class
- [120] C:\Windows\SysWOW64\Bhdhefpc.exe (PID 580): Adds autorun key to be loaded by Explorer.exe on startup
- [121] C:\Windows\SysWOW64\Bgghac32.exe (PID 2288): System Location Discovery: System Language Discovery
- [122] C:\Windows\SysWOW64\Bnapnm32.exe (PID 2608)