Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:04
Behavioral task behavioral1: Sample 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe; Resource win7-20240903-en
Behavioral task behavioral2: Sample 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe; Resource win10v2004-20241007-en
General
Target: 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe
Size: 108KB
MD5: fb0140f189bfb3be850a6e96ac6f3a62
SHA1: 81385e98738696b17edfaa92a8c06d3865abf6bb
SHA256: 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6
SHA512: 409ad7bd95dcd30dc052c3c40cee68ab97954446ac9077cd52e6984e6a2867582e88311fa4e48e54eca1e78dcf5c7fdc357b999dcbe3016dd18e790273d12731
SSDEEP: 3072:dhAXEIXLClrxbi4BjEGt4roGAfTsgFcFmKcUsvKwF:dhAbXul9iRzQTs0Us
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
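The third URL above is a printf-style template: the sample fills the %s, %i, %09u and %02d fields at run time, so the literal string with the specifiers never appears on the wire and a plain string match on it will miss the beacon. The following Python is an added example, not part of the sandbox report or of the Berbew sample. It turns each extracted template into an anchored regular expression (a zero-padded field such as %09u must have at least nine digits) and runs the result over constructed proxy-log lines. Two assumptions are built in: the host part is treated as variable, since the extracted config shows only "f", and the log lines follow an assumed three-column "client dst-host url status" layout.

```python
import re

# The URL templates as extracted from the sample (host "f" as shown in the config above).
BERBEW_URLS = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# printf-style conversion: optional flags, optional width, then the conversion letter.
_SPEC = re.compile(r"%(?P<flags>[-+ #0]*)(?P<width>\d*)(?P<conv>[sdiuxX])")


def _spec_to_regex(m):
    """Regex for one %-specifier; ':' is the field separator in the piplog beacon."""
    conv, flags, width = m["conv"], m["flags"], int(m["width"] or 0)
    if conv == "s":
        return r"[^:?&\s]*"
    digits = r"[0-9a-fA-F]" if conv in "xX" else r"\d"
    if width and "0" in flags:
        # zero-padded numeric field: at least `width` digits (a negative value is not expected here)
        return digits + "{%d,}" % width
    return (r"-?" if conv in "di" else "") + digits + "+"


def format_to_regex(url_fmt):
    """Compile a URL template into an anchored regex; the host part is left variable."""
    path = re.sub(r"^https?://[^/]+", "", url_fmt)
    parts, pos = [], 0
    for m in _SPEC.finditer(path):
        parts.append(re.escape(path[pos:m.start()]))
        parts.append("(" + _spec_to_regex(m) + ")")
        pos = m.end()
    parts.append(re.escape(path[pos:]))
    return re.compile(r"^https?://[^/]+" + "".join(parts) + r"$")


BEACON_PATTERNS = [format_to_regex(u) for u in BERBEW_URLS]


def match_beacon(url):
    """Captured fields (a tuple, empty for the static URLs) for a matching URL, else None."""
    for pat in BEACON_PATTERNS:
        m = pat.match(url)
        if m:
            return m.groups()
    return None


# Constructed proxy log (not from the report): "client dst-host url status".
# Line 3 is a benign look-alike; line 4 has a %09u field that is not zero-padded to 9 digits.
SAMPLE_PROXY_LOG = """\
10.0.0.5 f http://f/piplog.php?WIN7-PC:1:0:6.1.7601:000001234:2:10:11:01 200
10.0.0.5 f http://f/wcmd.htm 200
10.0.0.7 example.com http://example.com/piplog.php?x 404
10.0.0.9 f http://f/piplog.php?WIN7-PC:1:0:6.1.7601:12:2:10:11:01 200
"""


def scan_proxy_log(text):
    """Return (line_no, url, fields) for each line whose URL matches a Berbew template."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        cols = line.split()
        if len(cols) < 3:
            continue
        fields = match_beacon(cols[2])
        if fields is not None:
            hits.append((n, cols[2], fields))
    return hits


if __name__ == "__main__":
    for pat in BEACON_PATTERNS:
        print(pat.pattern)
    for n, url, fields in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {url} fields={fields}")
```

Only lines 1 and 2 of the constructed log are reported: the look-alike on line 3 has no colon-separated fields after the query string, and line 4 fails the nine-digit width that %09u guarantees. The compiled patterns print on start-up so they can be pasted into a proxy or SIEM that takes regular expressions.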
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every IoC is a registry write to the ShellServiceObjectDelayLoad key, of one of two kinds:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (40 rows)
  by: Ajgbkbjp.exe, Dhpemm32.exe, Omkjbb32.exe, Dkfbfjdf.exe, Hnpbjnpo.exe, Ionefb32.exe, Kkileele.exe, Phpjnnki.exe, Gildahhp.exe, Mmogmjmn.exe, Oanefo32.exe, Ddfcje32.exe, Ioliqbjn.exe, Qinjgbpg.exe, Eapfagno.exe, Ohendqhd.exe, Bajomhbl.exe, Elldgehk.exe, Mmfdhojb.exe, Pkcpei32.exe, Gcheib32.exe, Mpamde32.exe, Gihniioc.exe, Hcgjmo32.exe, Ohhkjp32.exe, Abkhkgbb.exe, Dakmfh32.exe, Bfqpecma.exe, Cpdgbm32.exe; 11 further rows have no process recorded.
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (24 rows)
  by: Fjhcegll.exe, Hnpbjnpo.exe, Kbdmeoob.exe, Edfbaabj.exe, Injndk32.exe, Mmdgbp32.exe, Hlafnbal.exe, Ncbplk32.exe, Ajecmj32.exe, Egiiapci.exe, Cjgoje32.exe, Ceeieced.exe, Ihfjognl.exe, Jjjclobg.exe, Ipokcdjn.exe, Hbfepmmn.exe, Folfoj32.exe, Dgpfkakd.exe, Pecgea32.exe, Hmdhad32.exe, Dhobddbf.exe, Fgnokb32.exe; 2 further rows have no process recorded.

Berbew family
Executes dropped EXE (64 IoCs)
pid and process, in the order the report lists them:
2688 Lfpclh32.exe, 2564 Lmikibio.exe, 1680 Laegiq32.exe, 3068 Lphhenhc.exe, 536 Ljmlbfhi.exe, 1432 Lbiqfied.exe, 2072 Libicbma.exe,
2088 Mlaeonld.exe, 1248 Mooaljkh.exe, 1508 Mieeibkn.exe, 2872 Moanaiie.exe, 2480 Migbnb32.exe, 1232 Mkhofjoj.exe, 2428 Modkfi32.exe, 1888 Mhloponc.exe, 716 Mmihhelk.exe, 1972 Mholen32.exe, 1216 Mmldme32.exe,
3040 Nhaikn32.exe, 904 Ngdifkpi.exe, 1288 Naimccpo.exe, 920 Ngfflj32.exe, 1604 Niebhf32.exe, 2012 Nekbmgcn.exe, 2036 Nlekia32.exe, 1540 Npagjpcd.exe, 2652 Ncpcfkbg.exe, 2744 Niikceid.exe, 792 Ncbplk32.exe, 1136 Nkmdpm32.exe,
2104 Oohqqlei.exe, 2928 Oagmmgdm.exe, 2368 Ocfigjlp.exe, 2868 Oeeecekc.exe, 2600 Odhfob32.exe, 2080 Olonpp32.exe, 3052 Oalfhf32.exe, 2032 Ohendqhd.exe, 2984 Okdkal32.exe, 2376 Oopfakpa.exe, 2412 Oqacic32.exe, 1176 Ohhkjp32.exe, 1900 Ojigbhlp.exe, 704 Odoloalf.exe, 1944 Ocalkn32.exe,
1276 Pngphgbf.exe, 1468 Pqemdbaj.exe, 1992 Pcdipnqn.exe, 1712 Pgpeal32.exe, 1240 Pfbelipa.exe, 2964 Pokieo32.exe, 2556 Pjpnbg32.exe, 2136 Pqjfoa32.exe, 484 Pomfkndo.exe, 1572 Pcibkm32.exe, 3020 Piekcd32.exe, 2748 Pkdgpo32.exe, 2784 Pckoam32.exe, 2752 Pfikmh32.exe, 2264 Pmccjbaf.exe, 1980 Pkfceo32.exe, 1568 Pndpajgd.exe,
1544 Qflhbhgg.exe, 432 Qeohnd32.exe
Loads dropped DLL (64 IoCs)
pid and process; each process appears twice in the source (two load events per process):
2756 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe,
2688 Lfpclh32.exe, 2564 Lmikibio.exe, 1680 Laegiq32.exe, 3068 Lphhenhc.exe, 536 Ljmlbfhi.exe, 1432 Lbiqfied.exe, 2072 Libicbma.exe,
2088 Mlaeonld.exe, 1248 Mooaljkh.exe, 1508 Mieeibkn.exe, 2872 Moanaiie.exe, 2480 Migbnb32.exe, 1232 Mkhofjoj.exe, 2428 Modkfi32.exe, 1888 Mhloponc.exe, 716 Mmihhelk.exe, 1972 Mholen32.exe, 1216 Mmldme32.exe,
3040 Nhaikn32.exe, 904 Ngdifkpi.exe, 1288 Naimccpo.exe, 920 Ngfflj32.exe, 1604 Niebhf32.exe, 2012 Nekbmgcn.exe, 2036 Nlekia32.exe, 1540 Npagjpcd.exe, 2652 Ncpcfkbg.exe, 2744 Niikceid.exe, 792 Ncbplk32.exe, 1136 Nkmdpm32.exe,
2104 Oohqqlei.exe
Drops file in System32 directory (64 IoCs)
description | file (all under C:\Windows\SysWOW64\) | process
File created | Kncinl32.dll | Bjebdfnn.exe
File created | Kcijeg32.exe | Kqknil32.exe
File created | Bplhnoej.exe | Baigca32.exe
File opened for modification | Ndmecgba.exe | Nlfmbibo.exe
File opened for modification | Mkddnf32.exe | Miehak32.exe
File created | Plaimk32.exe | Phfmllbd.exe
File opened for modification | Gdkgkcpq.exe | Gblkoham.exe
File created | Bqgmfkhg.exe | (not recorded)
File created | Emfmdo32.dll | Abeemhkh.exe
File created | Lgahjhop.dll | Abbeflpf.exe
File opened for modification | Ckolek32.exe | Chqoipkk.exe
File opened for modification | Oagoep32.exe | Opfbngfb.exe
File created | Jjjkclbf.dll | Opaebkmc.exe
File created | Pecomlgc.dll | Libicbma.exe
File created | Cilibi32.exe | Cfnmfn32.exe
File created | Bnfblgca.exe | Akhfoldn.exe
File opened for modification | Hihlqeib.exe | Hboddk32.exe
File created | Ladpkl32.dll | (not recorded)
File created | Oohqqlei.exe | Nkmdpm32.exe
File created | Cbepdhgc.exe | Cpfdhl32.exe
File created | Qffhlolm.dll | Enlidg32.exe
File opened for modification | Aapemc32.exe | Anahqh32.exe
File created | Ljodek32.dll | Cljodo32.exe
File opened for modification | Eoajel32.exe | Egjbdo32.exe
File opened for modification | Hjfcpo32.exe | Hlccdboi.exe
File opened for modification | Hmalldcn.exe | Hjcppidk.exe
File opened for modification | Ohiffh32.exe | (not recorded)
File created | Mpopnejo.exe | Mkddnf32.exe
File created | Mggljj32.dll | Gncldi32.exe
File created | Mpioba32.dll | (not recorded)
File created | Jgnakn32.dll | Cophko32.exe
File created | Eflill32.exe | Egiiapci.exe
File opened for modification | Eldglp32.exe | Eiekpd32.exe
File created | Pepcelel.exe | (not recorded)
File created | Ojiilami.dll | Ohidmoaa.exe
File created | Jqojeand.dll | Gjdjklek.exe
File created | Nmepgp32.dll | Hpphhp32.exe
File created | Ihfeaiog.dll | Jkbfdfbm.exe
File created | Qmdnng32.dll | Pkofjijm.exe
File opened for modification | Hqfaldbo.exe | Hmkeke32.exe
File created | Ncdgll32.dll | Ehgbhbgn.exe
File opened for modification | Jmdepg32.exe | (not recorded)
File opened for modification | Gcglec32.exe | Gpkpedmh.exe
File created | Gngcgp32.exe | Gligjd32.exe
File opened for modification | Bfhmqhkd.exe | Bcjqdmla.exe
File created | Aiodmlgo.dll | Efnfbl32.exe
File created | Picanc32.dll | Chlfnp32.exe
File created | Foccjood.exe | Fmegncpp.exe
File created | Kbdmeoob.exe | Kofaicon.exe
File created | Pomhcg32.exe | Phcpgm32.exe
File created | Bofgii32.exe | Bmhkmm32.exe
File created | Nldodg32.dll | Mmihhelk.exe
File created | Dhbhmb32.exe | Diphbfdi.exe
File created | Hqbbglbj.dll | Kfnmpn32.exe
File opened for modification | Aggiigmn.exe | Aopahjll.exe
File opened for modification | Nhaikn32.exe | Mmldme32.exe
File opened for modification | Incbgnmc.exe | Ikefkcmo.exe
File opened for modification | Pgckjk32.exe | Phpjnnki.exe
File created | Fnbdfpji.dll | Kpadhg32.exe
File created | Cebeem32.exe | (not recorded)
File created | Idadnd32.exe | Ipehmebh.exe
File created | Agpcihcf.exe | Qhmcmk32.exe
File created | Jnpkflne.exe | Jkbojpna.exe
File opened for modification | Lomgjb32.exe | Khcomhbi.exe
Program crash (1 IoC)
pid 1972, pid_target 2808 (the process and target process columns are empty in the source)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Every IoC is the same read: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: Hbfepmmn.exe, Macilmnk.exe, Maefamlh.exe, Hjacjifm.exe, Hfedqagp.exe, Edqocbkp.exe, Ipokcdjn.exe, Mccbmh32.exe, Aopahjll.exe, Biojif32.exe, Bbjmpcab.exe, Gonocmbi.exe, Boplllob.exe, Cakqgeoi.exe, Mndmoaog.exe, Gkephn32.exe, Jcpkpe32.exe, Qmgibqjc.exe, Anneqafn.exe, Dklddhka.exe, Iakgefqe.exe, Ifjlcmmj.exe, Lphhenhc.exe, Fbgpkpnn.exe, Peedka32.exe, Fnacpffh.exe, Hakkgc32.exe, Kgpmjf32.exe, Pqkobqhd.exe, Bmcnqama.exe, Ilnomp32.exe, Pndpajgd.exe, Kdpcikdi.exe, Aipfmane.exe, Abkhkgbb.exe, Mpamde32.exe, Gligjd32.exe, Melifl32.exe, Qaqnkafa.exe, Oeeecekc.exe, Oopfakpa.exe, Ddfcje32.exe, Incbgnmc.exe, Pjfpafmb.exe, Ffqofohj.exe, Ioilkblq.exe, Akhfoldn.exe, Npdfhhhe.exe, Bkpeci32.exe, Eogmcjef.exe; 14 further rows have no process recorded.
Modifies registry class (64 IoCs; the listing is cut off in the source after 60 rows)
Processes: Hjacjifm.exe, Kobkpdfa.exe, Mmakmp32.exe, Mfjoeeeh.exe, Cbajkiof.exe, Gmmfaa32.exe, Mbhjlbbh.exe, Cifelgmd.exe, Bepjha32.exe, Danmmd32.exe, Leopgo32.exe, Gcmoda32.exe, Iipiljgf.exe, Pecgea32.exe, Alhmjbhj.exe, Qqdbiopj.exe, Hahlhkhi.exe, Aqonbm32.exe, Nlbgikia.exe, Boidnh32.exe, Clbnhmjo.exe, Bpjkiogm.exe, Ghiaof32.exe, Epecbd32.exe, Dklddhka.exe, Bmkomchi.exe, Pdihiook.exe, Ddiibc32.exe, Mieeibkn.exe, Cmpdgf32.exe, Ooclji32.exe, Hbiaemkk.exe, Behgcf32.exe, Eggndi32.exe, Bbonei32.exe, Kfebambf.exe, Khiccj32.exe, Ilcoce32.exe, Giiglhjb.exe, Cpcnonob.exe, Gppipc32.exe, Hijgml32.exe, Cdoajb32.exe
Every row is under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (DLL paths are shown with the doubled backslashes of the source):
description | ioc | process
Set value (str) | ThreadingModel = "Apartment" | Hjacjifm.exe
Set value (str) | ThreadingModel = "Apartment" | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Goackilq.dll" | Kobkpdfa.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ghiijc32.dll" | Mmakmp32.exe
Key created | InProcServer32 | Mfjoeeeh.exe
Key created | InProcServer32 | Cbajkiof.exe
Key created | InProcServer32 | Gmmfaa32.exe
Set value (str) | ThreadingModel = "Apartment" | (not recorded)
Key created | InProcServer32 | (not recorded)
Set value (str) | ThreadingModel = "Apartment" | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kaoacgen.dll" | Mbhjlbbh.exe
Set value (str) | ThreadingModel = "Apartment" | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Mpioba32.dll" | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Pppcjfnh.dll" | Cifelgmd.exe
Key created | InProcServer32 | Bepjha32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Icpafcmd.dll" | Danmmd32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kfkmhkcc.dll" | Leopgo32.exe
Set value (str) | ThreadingModel = "Apartment" | Gcmoda32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Qdnpmb32.dll" | Iipiljgf.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Egkoigpo.dll" | Pecgea32.exe
Key created | InProcServer32 | (not recorded)
Key created | InProcServer32 | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ecjdib32.dll" | Alhmjbhj.exe
Set value (str) | ThreadingModel = "Apartment" | Qqdbiopj.exe
Set value (str) | ThreadingModel = "Apartment" | (not recorded)
Key created | InProcServer32 | Hahlhkhi.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ijmkqhaf.dll" | Aqonbm32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Dddnjc32.dll" | (not recorded)
Key created | InProcServer32 | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Mgcchb32.dll" | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Jmobpj32.dll" | Nlbgikia.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bchqdi32.dll" | Boidnh32.exe
Key created | InProcServer32 | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gdbjqpda.dll" | Clbnhmjo.exe
Set value (str) | ThreadingModel = "Apartment" | Bpjkiogm.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kjkfeo32.dll" | (not recorded)
Key created | InProcServer32 | Ghiaof32.exe
Set value (str) | ThreadingModel = "Apartment" | Epecbd32.exe
Set value (str) | ThreadingModel = "Apartment" | Dklddhka.exe
Key created | InProcServer32 | Bmkomchi.exe
Key created | InProcServer32 | Pdihiook.exe
Key created | InProcServer32 | Ddiibc32.exe
Key created | InProcServer32 | Mieeibkn.exe
Key created | InProcServer32 | Cmpdgf32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bdedjl32.dll" | Ooclji32.exe
Key created | InProcServer32 | Hbiaemkk.exe
Set value (str) | ThreadingModel = "Apartment" | (not recorded)
Set value (str) | ThreadingModel = "Apartment" | Behgcf32.exe
Key created | InProcServer32 | Eggndi32.exe
Set value (str) | ThreadingModel = "Apartment" | (not recorded)
Key created | InProcServer32 | Bbonei32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Mmpife32.dll" | Kfebambf.exe
Key created | InProcServer32 | (not recorded)
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Dhhdho32.dll" | Khiccj32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gbaihlkd.dll" | Ilcoce32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Meccmfen.dll" | Cmpdgf32.exe
Key created | InProcServer32 | Giiglhjb.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Gmkame32.dll" | (not recorded)
Key created | InProcServer32 | (not recorded)
Key created | InProcServer32 | Cpcnonob.exe
Set value (str) | (row cut off in the source) |
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gppipc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hijgml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdoajb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe, Lfpclh32.exe, Lmikibio.exe, Laegiq32.exe, Lphhenhc.exe, Ljmlbfhi.exe, Lbiqfied.exe, Libicbma.exe, Mlaeonld.exe, Mooaljkh.exe, Mieeibkn.exe, Moanaiie.exe, Migbnb32.exe, Mkhofjoj.exe, Modkfi32.exe, Mhloponc.exe
description | pid | process | target process
PID 2756 wrote to memory of 2688 | 2756 | 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe | Lfpclh32.exe
PID 2756 wrote to memory of 2688 | 2756 | 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe | Lfpclh32.exe
PID 2756 wrote to memory of 2688 | 2756 | 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe | Lfpclh32.exe
PID 2756 wrote to memory of 2688 | 2756 | 9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe | Lfpclh32.exe
PID 2688 wrote to memory of 2564 | 2688 | Lfpclh32.exe | Lmikibio.exe
PID 2688 wrote to memory of 2564 | 2688 | Lfpclh32.exe | Lmikibio.exe
PID 2688 wrote to memory of 2564 | 2688 | Lfpclh32.exe | Lmikibio.exe
PID 2688 wrote to memory of 2564 | 2688 | Lfpclh32.exe | Lmikibio.exe
PID 2564 wrote to memory of 1680 | 2564 | Lmikibio.exe | Laegiq32.exe
PID 2564 wrote to memory of 1680 | 2564 | Lmikibio.exe | Laegiq32.exe
PID 2564 wrote to memory of 1680 | 2564 | Lmikibio.exe | Laegiq32.exe
PID 2564 wrote to memory of 1680 | 2564 | Lmikibio.exe | Laegiq32.exe
PID 1680 wrote to memory of 3068 | 1680 | Laegiq32.exe | Lphhenhc.exe
PID 1680 wrote to memory of 3068 | 1680 | Laegiq32.exe | Lphhenhc.exe
PID 1680 wrote to memory of 3068 | 1680 | Laegiq32.exe | Lphhenhc.exe
PID 1680 wrote to memory of 3068 | 1680 | Laegiq32.exe | Lphhenhc.exe
PID 3068 wrote to memory of 536 | 3068 | Lphhenhc.exe | Ljmlbfhi.exe
PID 3068 wrote to memory of 536 | 3068 | Lphhenhc.exe | Ljmlbfhi.exe
PID 3068 wrote to memory of 536 | 3068 | Lphhenhc.exe | Ljmlbfhi.exe
PID 3068 wrote to memory of 536 | 3068 | Lphhenhc.exe | Ljmlbfhi.exe
PID 536 wrote to memory of 1432 | 536 | Ljmlbfhi.exe | Lbiqfied.exe
PID 536 wrote to memory of 1432 | 536 | Ljmlbfhi.exe | Lbiqfied.exe
PID 536 wrote to memory of 1432 | 536 | Ljmlbfhi.exe | Lbiqfied.exe
PID 536 wrote to memory of 1432 | 536 | Ljmlbfhi.exe | Lbiqfied.exe
PID 1432 wrote to memory of 2072 | 1432 | Lbiqfied.exe | Libicbma.exe
PID 1432 wrote to memory of 2072 | 1432 | Lbiqfied.exe | Libicbma.exe
PID 1432 wrote to memory of 2072 | 1432 | Lbiqfied.exe | Libicbma.exe
PID 1432 wrote to memory of 2072 | 1432 | Lbiqfied.exe | Libicbma.exe
PID 2072 wrote to memory of 2088 | 2072 | Libicbma.exe | Mlaeonld.exe
PID 2072 wrote to memory of 2088 | 2072 | Libicbma.exe | Mlaeonld.exe
PID 2072 wrote to memory of 2088 | 2072 | Libicbma.exe | Mlaeonld.exe
PID 2072 wrote to memory of 2088 | 2072 | Libicbma.exe | Mlaeonld.exe
PID 2088 wrote to memory of 1248 | 2088 | Mlaeonld.exe | Mooaljkh.exe
PID 2088 wrote to memory of 1248 | 2088 | Mlaeonld.exe | Mooaljkh.exe
PID 2088 wrote to memory of 1248 | 2088 | Mlaeonld.exe | Mooaljkh.exe
PID 2088 wrote to memory of 1248 | 2088 | Mlaeonld.exe | Mooaljkh.exe
PID 1248 wrote to memory of 1508 | 1248 | Mooaljkh.exe | Mieeibkn.exe
PID 1248 wrote to memory of 1508 | 1248 | Mooaljkh.exe | Mieeibkn.exe
PID 1248 wrote to memory of 1508 | 1248 | Mooaljkh.exe | Mieeibkn.exe
PID 1248 wrote to memory of 1508 | 1248 | Mooaljkh.exe | Mieeibkn.exe
PID 1508 wrote to memory of 2872 | 1508 | Mieeibkn.exe | Moanaiie.exe
PID 1508 wrote to memory of 2872 | 1508 | Mieeibkn.exe | Moanaiie.exe
PID 1508 wrote to memory of 2872 | 1508 | Mieeibkn.exe | Moanaiie.exe
PID 1508 wrote to memory of 2872 | 1508 | Mieeibkn.exe | Moanaiie.exe
PID 2872 wrote to memory of 2480 | 2872 | Moanaiie.exe | Migbnb32.exe
PID 2872 wrote to memory of 2480 | 2872 | Moanaiie.exe | Migbnb32.exe
PID 2872 wrote to memory of 2480 | 2872 | Moanaiie.exe | Migbnb32.exe
PID 2872 wrote to memory of 2480 | 2872 | Moanaiie.exe | Migbnb32.exe
PID 2480 wrote to memory of 1232 | 2480 | Migbnb32.exe | Mkhofjoj.exe
PID 2480 wrote to memory of 1232 | 2480 | Migbnb32.exe | Mkhofjoj.exe
PID 2480 wrote to memory of 1232 | 2480 | Migbnb32.exe | Mkhofjoj.exe
PID 2480 wrote to memory of 1232 | 2480 | Migbnb32.exe | Mkhofjoj.exe
PID 1232 wrote to memory of 2428 | 1232 | Mkhofjoj.exe | Modkfi32.exe
PID 1232 wrote to memory of 2428 | 1232 | Mkhofjoj.exe | Modkfi32.exe
PID 1232 wrote to memory of 2428 | 1232 | Mkhofjoj.exe | Modkfi32.exe
PID 1232 wrote to memory of 2428 | 1232 | Mkhofjoj.exe | Modkfi32.exe
PID 2428 wrote to memory of 1888 | 2428 | Modkfi32.exe | Mhloponc.exe
PID 2428 wrote to memory of 1888 | 2428 | Modkfi32.exe | Mhloponc.exe
PID 2428 wrote to memory of 1888 | 2428 | Modkfi32.exe | Mhloponc.exe
PID 2428 wrote to memory of 1888 | 2428 | Modkfi32.exe | Mhloponc.exe
PID 1888 wrote to memory of 716 | 1888 | Mhloponc.exe | Mmihhelk.exe
PID 1888 wrote to memory of 716 | 1888 | Mhloponc.exe | Mmihhelk.exe
PID 1888 wrote to memory of 716 | 1888 | Mhloponc.exe | Mmihhelk.exe
PID 1888 wrote to memory of 716 | 1888 | Mhloponc.exe | Mmihhelk.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9e7b8245c1c8c1fb0b1023c05c1c21211a316897cf5cf6e9385415b6e8268ec6.exe") PID:2756
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lfpclh32.exe (command line: C:\Windows\system32\Lfpclh32.exe) PID:2688
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lmikibio.exe (command line: C:\Windows\system32\Lmikibio.exe) PID:2564
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Laegiq32.exe (command line: C:\Windows\system32\Laegiq32.exe) PID:1680
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lphhenhc.exe (command line: C:\Windows\system32\Lphhenhc.exe) PID:3068
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Ljmlbfhi.exe (command line: C:\Windows\system32\Ljmlbfhi.exe) PID:536
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Lbiqfied.exe (command line: C:\Windows\system32\Lbiqfied.exe) PID:1432
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Libicbma.exe (command line: C:\Windows\system32\Libicbma.exe) PID:2072
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mlaeonld.exe (command line: C:\Windows\system32\Mlaeonld.exe) PID:2088
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mooaljkh.exe (command line: C:\Windows\system32\Mooaljkh.exe) PID:1248
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mieeibkn.exe (command line: C:\Windows\system32\Mieeibkn.exe) PID:1508
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Moanaiie.exe (command line: C:\Windows\system32\Moanaiie.exe) PID:2872
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Migbnb32.exe (command line: C:\Windows\system32\Migbnb32.exe) PID:2480
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mkhofjoj.exe (command line: C:\Windows\system32\Mkhofjoj.exe) PID:1232
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Modkfi32.exe (command line: C:\Windows\system32\Modkfi32.exe) PID:2428
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mhloponc.exe (command line: C:\Windows\system32\Mhloponc.exe) PID:1888
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mmihhelk.exe (command line: C:\Windows\system32\Mmihhelk.exe) PID:716
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
18. C:\Windows\SysWOW64\Mholen32.exe (command line: C:\Windows\system32\Mholen32.exe) PID:1972
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Mmldme32.exe (command line: C:\Windows\system32\Mmldme32.exe) PID:1216
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
20. C:\Windows\SysWOW64\Nhaikn32.exe (command line: C:\Windows\system32\Nhaikn32.exe) PID:3040
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Ngdifkpi.exe (command line: C:\Windows\system32\Ngdifkpi.exe) PID:904
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Naimccpo.exe (command line: C:\Windows\system32\Naimccpo.exe) PID:1288
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Ngfflj32.exe (command line: C:\Windows\system32\Ngfflj32.exe) PID:920
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Niebhf32.exe (command line: C:\Windows\system32\Niebhf32.exe) PID:1604
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Nekbmgcn.exe (command line: C:\Windows\system32\Nekbmgcn.exe) PID:2012
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Nlekia32.exe (command line: C:\Windows\system32\Nlekia32.exe) PID:2036
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Npagjpcd.exe (command line: C:\Windows\system32\Npagjpcd.exe) PID:1540
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Ncpcfkbg.exe (command line: C:\Windows\system32\Ncpcfkbg.exe) PID:2652
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Niikceid.exe (command line: C:\Windows\system32\Niikceid.exe) PID:2744
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Ncbplk32.exe (command line: C:\Windows\system32\Ncbplk32.exe) PID:792
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Nkmdpm32.exe (command line: C:\Windows\system32\Nkmdpm32.exe) PID:1136
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Oohqqlei.exe (command line: C:\Windows\system32\Oohqqlei.exe) PID:2104
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Oagmmgdm.exe (command line: C:\Windows\system32\Oagmmgdm.exe) PID:2928
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Ocfigjlp.exe (command line: C:\Windows\system32\Ocfigjlp.exe) PID:2368
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Oeeecekc.exe (command line: C:\Windows\system32\Oeeecekc.exe) PID:2868
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Odhfob32.exe (command line: C:\Windows\system32\Odhfob32.exe) PID:2600
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Olonpp32.exe (command line: C:\Windows\system32\Olonpp32.exe) PID:2080
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Oalfhf32.exe (command line: C:\Windows\system32\Oalfhf32.exe) PID:3052
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ohendqhd.exe (command line: C:\Windows\system32\Ohendqhd.exe) PID:2032
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Okdkal32.exe (command line: C:\Windows\system32\Okdkal32.exe) PID:2984
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Oopfakpa.exe (command line: C:\Windows\system32\Oopfakpa.exe) PID:2376
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
42. C:\Windows\SysWOW64\Oqacic32.exe (command line: C:\Windows\system32\Oqacic32.exe) PID:2412
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ohhkjp32.exe (command line: C:\Windows\system32\Ohhkjp32.exe) PID:1176
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Ojigbhlp.exe (command line: C:\Windows\system32\Ojigbhlp.exe) PID:1900
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Odoloalf.exe (command line: C:\Windows\system32\Odoloalf.exe) PID:704
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Ocalkn32.exe (command line: C:\Windows\system32\Ocalkn32.exe) PID:1944
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Pngphgbf.exe (command line: C:\Windows\system32\Pngphgbf.exe) PID:1276
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Pqemdbaj.exe (command line: C:\Windows\system32\Pqemdbaj.exe) PID:1468
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Pcdipnqn.exe (command line: C:\Windows\system32\Pcdipnqn.exe) PID:1992
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Pgpeal32.exe (command line: C:\Windows\system32\Pgpeal32.exe) PID:1712
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Pfbelipa.exe (command line: C:\Windows\system32\Pfbelipa.exe) PID:1240
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Pokieo32.exe (command line: C:\Windows\system32\Pokieo32.exe) PID:2964
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Pjpnbg32.exe (command line: C:\Windows\system32\Pjpnbg32.exe) PID:2556
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Pqjfoa32.exe (command line: C:\Windows\system32\Pqjfoa32.exe) PID:2136
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Pomfkndo.exe (command line: C:\Windows\system32\Pomfkndo.exe) PID:484
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Pcibkm32.exe (command line: C:\Windows\system32\Pcibkm32.exe) PID:1572
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Piekcd32.exe (command line: C:\Windows\system32\Piekcd32.exe) PID:3020
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Pkdgpo32.exe (command line: C:\Windows\system32\Pkdgpo32.exe) PID:2748
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Pckoam32.exe (command line: C:\Windows\system32\Pckoam32.exe) PID:2784
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Pfikmh32.exe (command line: C:\Windows\system32\Pfikmh32.exe) PID:2752
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Pmccjbaf.exe (command line: C:\Windows\system32\Pmccjbaf.exe) PID:2264
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Pkfceo32.exe (command line: C:\Windows\system32\Pkfceo32.exe) PID:1980
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Pndpajgd.exe (command line: C:\Windows\system32\Pndpajgd.exe) PID:1568
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Qflhbhgg.exe (command line: C:\Windows\system32\Qflhbhgg.exe) PID:1544
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Qeohnd32.exe (command line: C:\Windows\system32\Qeohnd32.exe) PID:432
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Qkhpkoen.exe (command line: C:\Windows\system32\Qkhpkoen.exe) PID:968
67. C:\Windows\SysWOW64\Qodlkm32.exe (command line: C:\Windows\system32\Qodlkm32.exe) PID:972
68. C:\Windows\SysWOW64\Qngmgjeb.exe (command line: C:\Windows\system32\Qngmgjeb.exe) PID:2440
69. C:\Windows\SysWOW64\Qbbhgi32.exe (command line: C:\Windows\system32\Qbbhgi32.exe) PID:2432
70. C:\Windows\SysWOW64\Qeaedd32.exe (command line: C:\Windows\system32\Qeaedd32.exe) PID:1988
71. C:\Windows\SysWOW64\Qiladcdh.exe (command line: C:\Windows\system32\Qiladcdh.exe) PID:2796
72. C:\Windows\SysWOW64\Qkkmqnck.exe (command line: C:\Windows\system32\Qkkmqnck.exe) PID:2584
73. C:\Windows\SysWOW64\Qjnmlk32.exe (command line: C:\Windows\system32\Qjnmlk32.exe) PID:2016
74. C:\Windows\SysWOW64\Aniimjbo.exe (command line: C:\Windows\system32\Aniimjbo.exe) PID:2068
75. C:\Windows\SysWOW64\Abeemhkh.exe (command line: C:\Windows\system32\Abeemhkh.exe) PID:2112
   - Drops file in System32 directory
76. C:\Windows\SysWOW64\Aecaidjl.exe (command line: C:\Windows\system32\Aecaidjl.exe) PID:2304
77. C:\Windows\SysWOW64\Aganeoip.exe (command line: C:\Windows\system32\Aganeoip.exe) PID:2620
78. C:\Windows\SysWOW64\Ajpjakhc.exe (command line: C:\Windows\system32\Ajpjakhc.exe) PID:2896
79. C:\Windows\SysWOW64\Aajbne32.exe (command line: C:\Windows\system32\Aajbne32.exe) PID:1912
80. C:\Windows\SysWOW64\Aeenochi.exe (command line: C:\Windows\system32\Aeenochi.exe) PID:2028
81. C:\Windows\SysWOW64\Agdjkogm.exe (command line: C:\Windows\system32\Agdjkogm.exe) PID:2996
82. C:\Windows\SysWOW64\Ajbggjfq.exe (command line: C:\Windows\system32\Ajbggjfq.exe) PID:2004
83. C:\Windows\SysWOW64\Apoooa32.exe (command line: C:\Windows\system32\Apoooa32.exe) PID:1112
84. C:\Windows\SysWOW64\Agfgqo32.exe (command line: C:\Windows\system32\Agfgqo32.exe) PID:1316
85. C:\Windows\SysWOW64\Ajecmj32.exe (command line: C:\Windows\system32\Ajecmj32.exe) PID:1196
   - Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Aigchgkh.exe (command line: C:\Windows\system32\Aigchgkh.exe) PID:1460
87. C:\Windows\SysWOW64\Apalea32.exe (command line: C:\Windows\system32\Apalea32.exe) PID:2760
88. C:\Windows\SysWOW64\Afkdakjb.exe (command line: C:\Windows\system32\Afkdakjb.exe) PID:2668
89. C:\Windows\SysWOW64\Ajgpbj32.exe (command line: C:\Windows\system32\Ajgpbj32.exe) PID:2808
90. C:\Windows\SysWOW64\Amelne32.exe (command line: C:\Windows\system32\Amelne32.exe) PID:2108
91. C:\Windows\SysWOW64\Alhmjbhj.exe (command line: C:\Windows\system32\Alhmjbhj.exe) PID:1852
   - Modifies registry class
92. C:\Windows\SysWOW64\Acpdko32.exe (command line: C:\Windows\system32\Acpdko32.exe) PID:1788
93. C:\Windows\SysWOW64\Abbeflpf.exe (command line: C:\Windows\system32\Abbeflpf.exe) PID:1892
   - Drops file in System32 directory
94. C:\Windows\SysWOW64\Bilmcf32.exe (command line: C:\Windows\system32\Bilmcf32.exe) PID:1932
95. C:\Windows\SysWOW64\Bmhideol.exe (command line: C:\Windows\system32\Bmhideol.exe) PID:2192
96. C:\Windows\SysWOW64\Bpfeppop.exe (command line: C:\Windows\system32\Bpfeppop.exe) PID:2216
97. C:\Windows\SysWOW64\Bbdallnd.exe (command line: C:\Windows\system32\Bbdallnd.exe) PID:1480
98. C:\Windows\SysWOW64\Becnhgmg.exe (command line: C:\Windows\system32\Becnhgmg.exe) PID:852
99. C:\Windows\SysWOW64\Biojif32.exe (command line: C:\Windows\system32\Biojif32.exe) PID:1652
   - System Location Discovery: System Language Discovery
100. C:\Windows\SysWOW64\Bphbeplm.exe (command line: C:\Windows\system32\Bphbeplm.exe) PID:2608
101. C:\Windows\SysWOW64\Bajomhbl.exe (command line: C:\Windows\system32\Bajomhbl.exe) PID:2596
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Bhdgjb32.exe (command line: C:\Windows\system32\Bhdgjb32.exe) PID:2528
103. C:\Windows\SysWOW64\Blobjaba.exe (command line: C:\Windows\system32\Blobjaba.exe) PID:2212
104. C:\Windows\SysWOW64\Bonoflae.exe (command line: C:\Windows\system32\Bonoflae.exe) PID:2568
105. C:\Windows\SysWOW64\Behgcf32.exe (command line: C:\Windows\system32\Behgcf32.exe) PID:2820
   - Modifies registry class
106. C:\Windows\SysWOW64\Bdkgocpm.exe (command line: C:\Windows\system32\Bdkgocpm.exe) PID:2936
107. C:\Windows\SysWOW64\Blaopqpo.exe (command line: C:\Windows\system32\Blaopqpo.exe) PID:2976
108. C:\Windows\SysWOW64\Boplllob.exe (command line: C:\Windows\system32\Boplllob.exe) PID:2400
   - System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Bmclhi32.exe (command line: C:\Windows\system32\Bmclhi32.exe) PID:1012
110. C:\Windows\SysWOW64\Bhhpeafc.exe (command line: C:\Windows\system32\Bhhpeafc.exe) PID:1484
111. C:\Windows\SysWOW64\Bfkpqn32.exe (command line: C:\Windows\system32\Bfkpqn32.exe) PID:2360
112. C:\Windows\SysWOW64\Baadng32.exe (command line: C:\Windows\system32\Baadng32.exe) PID:1904
113. C:\Windows\SysWOW64\Cdoajb32.exe (command line: C:\Windows\system32\Cdoajb32.exe) PID:1928
   - Modifies registry class
114. C:\Windows\SysWOW64\Cfnmfn32.exe (command line: C:\Windows\system32\Cfnmfn32.exe) PID:2388
   - Drops file in System32 directory
115. C:\Windows\SysWOW64\Cilibi32.exe (command line: C:\Windows\system32\Cilibi32.exe) PID:1796
116. C:\Windows\SysWOW64\Cmgechbh.exe (command line: C:\Windows\system32\Cmgechbh.exe) PID:2924
117. C:\Windows\SysWOW64\Cpfaocal.exe (command line: C:\Windows\system32\Cpfaocal.exe) PID:2860
118. C:\Windows\SysWOW64\Cbdnko32.exe (command line: C:\Windows\system32\Cbdnko32.exe) PID:1564
119. C:\Windows\SysWOW64\Cgpjlnhh.exe (command line: C:\Windows\system32\Cgpjlnhh.exe) PID:1608
120. C:\Windows\SysWOW64\Cinfhigl.exe (command line: C:\Windows\system32\Cinfhigl.exe) PID:1808
121. C:\Windows\SysWOW64\Cmjbhh32.exe (command line: C:\Windows\system32\Cmjbhh32.exe) PID:2576
122. C:\Windows\SysWOW64\Cddjebgb.exe (command line: C:\Windows\system32\Cddjebgb.exe) PID:2544