Analysis

max time kernel:   93s
max time network:  18s
platform:          windows7_x64
resource:          win7-20241010-en
resource tags:     arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted:         10-11-2024 01:12

Static task: static1

Behavioral task: behavioral1
  Sample:   04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample:   04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4N.exe
  Resource: win10v2004-20241007-en
General

Target:  04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4N.exe
Size:    94KB
MD5:     61cb6eefedc7ce7fa989a1f28ef61d90
SHA1:    bca42fcfc731bd8dcd75fde15dfe2f3163a7acec
SHA256:  04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4
SHA512:  49d599bb11be95454aa240f4a6025e1ad150a943292569a018455fd4dd9835cac76451078061fcbf107be892879c397db7b73ebb228842a4a764bd3dbff85920
SSDEEP:  1536:mKlC0VxhR73jxmqeRuI/oseLXfdiJ8pjf6aPJJhu7BR9L4DT2EnINs:mKFxh93jxmq8uIwfgJGjbju6+ob
Malware Config

Extracted family: berbew

C2 URLs, exactly as recovered from the sample (the host component is shown as extracted):
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

The third entry is a printf-style format string: at runtime the sample fills in nine colon-separated fields (two strings, three plain integers, one unsigned integer zero-padded to nine digits and three two-digit integers) before sending the request. The report does not say what the fields carry.
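The three extracted paths give a network detection that does not depend on the C2 host, which may differ from the literal value in the config. The following is an added example, not part of the sandbox report and not the malware family's own code: it classifies URLs in a proxy log by the Berbew paths and uses the shape of the piplog.php format string to separate a high-confidence beacon from a bare filename match. The log lines, the client addresses and the 203.0.113.10 host are constructed for the example; the field meanings of the query string are not assumed, only its shape.

```python
import re
from urllib.parse import urlsplit

# Request paths recovered from the sample's configuration (Malware Config above).
BERBEW_PATHS = frozenset({"/wcmd.htm", "/ppslog.php", "/piplog.php"})

# The extracted piplog.php format string is
#     %s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
# i.e. nine colon-separated fields: string, int, int, string, an unsigned
# int zero-padded to at least nine digits, int, then three two-digit ints.
# The report does not say what the fields mean, so only the shape is matched.
PIPLOG_QUERY = re.compile(
    r"^[^:]*:-?\d+:-?\d+:[^:]*:\d{9,}:-?\d+:\d{2}:\d{2}:\d{2}$"
)


def classify_url(url):
    """Return (label, confidence) when the URL path is a Berbew beacon path, else None.

    confidence is "high" only for a piplog.php request whose query string has the
    shape of the extracted format string; a bare path match is "low" because a
    name such as wcmd.htm can also occur on benign sites.
    """
    parts = urlsplit(url)
    if parts.path not in BERBEW_PATHS:
        return None
    label = "berbew:" + parts.path.lstrip("/")
    if parts.path == "/piplog.php" and PIPLOG_QUERY.match(parts.query):
        return label, "high"
    return label, "low"


# Constructed proxy log, one request per line: epoch client method url status.
# 203.0.113.10 is a documentation address standing in for the real C2 host.
SAMPLE_PROXY_LOG = """\
1728608000.123 10.0.0.5 GET http://203.0.113.10/wcmd.htm 200
1728608001.456 10.0.0.5 GET http://203.0.113.10/piplog.php?WIN7-PC:1:0:user:000012345:7:09:12:31 200
1728608002.789 10.0.0.7 GET http://intranet.example/wcmd.htm?x=1 200
1728608003.001 10.0.0.9 GET http://example.org/index.html 200
1728608004.002 10.0.0.5 POST http://203.0.113.10/ppslog.php 200
1728608005.003 10.0.0.5 GET http://203.0.113.10/piplog.php?garbage 200
"""


def scan_proxy_log(text):
    """Return one finding per log line whose URL matches a Berbew beacon path."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict is None:
            continue
        label, confidence = verdict
        hits.append({"client": client, "url": url, "label": label, "confidence": confidence})
    return hits


def high_confidence_clients(text):
    """Clients with at least one high-confidence beacon: the hosts to isolate first."""
    return sorted({h["client"] for h in scan_proxy_log(text) if h["confidence"] == "high"})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["confidence"], hit["client"], hit["label"], hit["url"])
```

The intranet wcmd.htm request is reported at low confidence on purpose: a filename alone is a lead, not a verdict, and should be corroborated with the host's process telemetry (the SysWOW64 drop chain below) before acting on it.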
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Explorer loads every CLSID listed under the ShellServiceObjectDelayLoad (SSODL) key as an in-process COM server at logon, so an SSODL value that names a CLSID the malware itself registers is a persistence mechanism. All 64 IoCs touch one key, abbreviated SSODL in the table:

  HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

The report writes the "Key created" rows as \REGISTRY\MACHINE\Software\... and the "Set value" rows as \REGISTRY\MACHINE\SOFTWARE\...; registry paths are case-insensitive, so both are the same key. The Wow6432Node location is where WOW64 redirects a 32-bit process's writes to HKLM\SOFTWARE. Every "Set value (str)" row writes the same value, Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"; the DLL behind that CLSID is registered under "Modifies registry class" below. The listing stops at 64 entries, which is the report's display limit rather than the total.

  description      ioc                                                                 process
  Key created      SSODL                                                               Gkedjo32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Fnejdiep.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Qidckjae.exe
  Key created      SSODL                                                               Lhimji32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Lpoaheja.exe
  Key created      SSODL                                                               Nljhhi32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Gncgbkki.exe
  Key created      SSODL                                                               Cjmmffgn.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Nmacej32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Odflmp32.exe
  Key created      SSODL                                                               Pnkiebib.exe
  Key created      SSODL                                                               Ikgfdlcb.exe
  Key created      SSODL                                                               Ihqilnig.exe
  Key created      SSODL                                                               Opjlkc32.exe
  Key created      SSODL                                                               Dboglhna.exe
  Key created      SSODL                                                               Akgibd32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Fhjoof32.exe
  Key created      SSODL                                                               Jkgbcofn.exe
  Key created      SSODL                                                               Kbeqjl32.exe
  Key created      SSODL                                                               Npnclf32.exe
  Key created      SSODL                                                               Ehgaknbp.exe
  Key created      SSODL                                                               Pqjhjf32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Dilddl32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Ddbmcb32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Iilceh32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Hlcbfnjk.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Kbpnkm32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Oekehomj.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Apilcoho.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Lmcdkbao.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Bmldji32.exe
  Key created      SSODL                                                               Kiemmh32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Nloachkf.exe
  Key created      SSODL                                                               Qbodjofc.exe
  Key created      SSODL                                                               Cbajme32.exe
  Key created      SSODL                                                               Ijqjgo32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Bakaaepk.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Efffpjmk.exe
  Key created      SSODL                                                               Eiilge32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Qoqhncgp.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Hbhagiem.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Ncipjieo.exe
  Key created      SSODL                                                               Ljcbcngi.exe
  Key created      SSODL                                                               Dlbaljhn.exe
  Key created      SSODL                                                               Eldbkbop.exe
  Key created      SSODL                                                               Ifgklp32.exe
  Key created      SSODL                                                               Qpniokan.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Fcilnl32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Bggjjlnb.exe
  Key created      SSODL                                                               Cceapl32.exe
  Key created      SSODL                                                               Jgppmpjp.exe
  Key created      SSODL                                                               Pmmcfi32.exe
  Key created      SSODL                                                               Habkeacd.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Hplbamdf.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Ileoknhh.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Qpniokan.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Ogohdeam.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Fjqhef32.exe
  Key created      SSODL                                                               Mpimbcnf.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Cjmmffgn.exe
  Key created      SSODL                                                               Iocioq32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Laogfg32.exe
  Key created      SSODL                                                               Ckkhga32.exe
  Set value (str)  SSODL\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  Dochelmj.exe
Berbew family
Executes dropped EXE (64 IoCs)

The stages run in the order listed, and the order matches the drop chain under "Drops file in System32 directory": each stage writes the next one (for example Gncgbkki.exe creates Hhmhcigh.exe, Mdmmhn32.exe creates Mneaacno.exe, Npfjbn32.exe creates Njnokdaq.exe). The listing stops at 64 entries.

  pid   process
  2448  Cnipak32.exe
  2864  Chocodch.exe
  2716  Cnnimkom.exe
  2728  Dfkjgm32.exe
  2612  Dbdham32.exe
  636   Diqmcgca.exe
  2932  Eiciig32.exe
  2580  Eldbkbop.exe
  2392  Ehkcpc32.exe
  1796  Ehmpeb32.exe
  2956  Fjnignob.exe
  588   Fmnahilc.exe
  2344  Fhhbif32.exe
  2128  Fhjoof32.exe
  2092  Facdgl32.exe
  944   Fogdap32.exe
  2568  Gpjmnh32.exe
  1772  Gibbgmfe.exe
  2208  Gcmcebkc.exe
  1148  Gncgbkki.exe
  3024  Hhmhcigh.exe
  2056  Haemloni.exe
  2968  Hkmaed32.exe
  1912  Hlmnogkl.exe
  1480  Hnpgloog.exe
  1568  Hjggap32.exe
  1756  Ikfdkc32.exe
  2300  Idohdhbo.exe
  2112  Iqhfnifq.exe
  2052  Ijqjgo32.exe
  2588  Ifgklp32.exe
  1620  Jelhmlgm.exe
  1648  Jngilalk.exe
  3008  Jnifaajh.exe
  2844  Jfekec32.exe
  648   Kijmbnpo.exe
  2960  Kecjmodq.exe
  1688  Lkbpke32.exe
  2464  Lalhgogb.exe
  1056  Lhimji32.exe
  2148  Lkifkdjm.exe
  1904  Lgpfpe32.exe
  2020  Mgbcfdmo.exe
  904   Mpkhoj32.exe
  1908  Mdmmhn32.exe
  536   Mneaacno.exe
  2524  Mhkfnlme.exe
  3000  Npfjbn32.exe
  3012  Njnokdaq.exe
  892   Ncgcdi32.exe
  1748  Nnlhab32.exe
  2804  Ncipjieo.exe
  2788  Nnodgbed.exe
  2832  Nfjildbp.exe
  2596  Nhhehpbc.exe
  1200  Ncnjeh32.exe
  2924  Odacbpee.exe
  2936  Obecld32.exe
  1156  Odflmp32.exe
  2340  Ojceef32.exe
  1216  Oggeokoq.exe
  2352  Oekehomj.exe
  2100  Pjhnqfla.exe
  1712  Pglojj32.exe
Loads dropped DLL (64 IoCs)

The report's table has two entries for every process below (64 entries over 32 processes). The first process is the original sample; the rest are the first 31 dropped stages from "Executes dropped EXE", with the same pids.

  pid   process
  844   04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4N.exe
  2448  Cnipak32.exe
  2864  Chocodch.exe
  2716  Cnnimkom.exe
  2728  Dfkjgm32.exe
  2612  Dbdham32.exe
  636   Diqmcgca.exe
  2932  Eiciig32.exe
  2580  Eldbkbop.exe
  2392  Ehkcpc32.exe
  1796  Ehmpeb32.exe
  2956  Fjnignob.exe
  588   Fmnahilc.exe
  2344  Fhhbif32.exe
  2128  Fhjoof32.exe
  2092  Facdgl32.exe
  944   Fogdap32.exe
  2568  Gpjmnh32.exe
  1772  Gibbgmfe.exe
  2208  Gcmcebkc.exe
  1148  Gncgbkki.exe
  3024  Hhmhcigh.exe
  2056  Haemloni.exe
  2968  Hkmaed32.exe
  1912  Hlmnogkl.exe
  1480  Hnpgloog.exe
  1568  Hjggap32.exe
  1756  Ikfdkc32.exe
  2300  Idohdhbo.exe
  2112  Iqhfnifq.exe
  2052  Ijqjgo32.exe
  2588  Ifgklp32.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64, the 32-bit system directory. Each stage writes the next-stage EXE there and also a DLL; the DLLs are the COM servers that get registered for the SSODL CLSID under "Modifies registry class" (for example Blipno32.exe creates Eknjoj32.dll here and sets it as the InProcServer32 there). The listing stops at 64 entries.

  description                  ioc (C:\Windows\SysWOW64\...)  process
  File opened for modification Ncgcdi32.exe                   Njnokdaq.exe
  File created                 Gjemoi32.exe                   Ghddnnfi.exe
  File opened for modification Afhpca32.exe                   Apnhggln.exe
  File created                 Hhmhcigh.exe                   Gncgbkki.exe
  File opened for modification Iafofkkf.exe                   Idbnmgll.exe
  File created                 Oqgmmk32.exe                   Ogohdeam.exe
  File opened for modification Ohmalgeb.exe                   Ocqhcqgk.exe
  File created                 Bfdbgnmd.dll                   Ncipjieo.exe
  File created                 Hjggap32.exe                   Hnpgloog.exe
  File created                 Cdpdnpif.exe                   Ckhpejbf.exe
  File created                 Ajpqndbo.dll                   Gjjafkpe.exe
  File created                 Afhggc32.dll                   Ndjhpcoe.exe
  File opened for modification Eiciig32.exe                   Diqmcgca.exe
  File created                 Kijmbnpo.exe                   Jfekec32.exe
  File opened for modification Cdkkcp32.exe                   Bggjjlnb.exe
  File created                 Mmkhejmb.dll                   Geilah32.exe
  File created                 Nmmjjk32.exe                   Nddeae32.exe
  File created                 Eqlhflgh.dll                   Mganfp32.exe
  File opened for modification Cnnimkom.exe                   Chocodch.exe
  File opened for modification Epcddopf.exe                   Eiilge32.exe
  File created                 Glpgibbn.exe                   Gbhcpmkm.exe
  File opened for modification Pqgilnji.exe                   Peqhgmdd.exe
  File created                 Ddnfql32.exe                   Dlbaljhn.exe
  File created                 Eknjoj32.dll                   Blipno32.exe
  File created                 Aaknah32.dll                   Hnpgloog.exe
  File created                 Mneaacno.exe                   Mdmmhn32.exe
  File created                 Njnokdaq.exe                   Npfjbn32.exe
  File created                 Nejfepch.dll                   Ipdolbbj.exe
  File opened for modification Nafiej32.exe                   Nklaipbj.exe
  File created                 Kgmilmkb.exe                   Knddcg32.exe
  File opened for modification Nbdbml32.exe                   Nmgjee32.exe
  File created                 Kdjphodi.dll                   Diqmcgca.exe
  File opened for modification Ojceef32.exe                   Odflmp32.exe
  File created                 Imlkdf32.dll                   Lfdpjp32.exe
  File opened for modification Oojfnakl.exe                   Oeaael32.exe
  File created                 Mmkcpmmb.dll                   Piemih32.exe
  File created                 Lhimji32.exe                   Lalhgogb.exe
  File created                 Aoffeijg.dll                   Jmdiahco.exe
  File opened for modification Meemgk32.exe                   Mkohjbah.exe
  File created                 Okmbclmp.dll                   Bllomg32.exe
  File created                 Imkeneja.exe                   Ihnmfoli.exe
  File created                 Flhbifkd.dll                   Haemloni.exe
  File created                 Jcgqbq32.exe                   Jgppmpjp.exe
  File created                 Hjmjhgbh.dll                   Akgibd32.exe
  File created                 Anndbnao.exe                   Aialjgbh.exe
  File created                 Paebkkhn.dll                   Ckkhga32.exe
  File created                 Gdfqnhjl.dll                   Nhhehpbc.exe
  File created                 Ihjfjc32.dll                   Qcjoci32.exe
  File opened for modification Blobmm32.exe                   Bfbjdf32.exe
  File opened for modification Hibgkjee.exe                   Hkmjjn32.exe
  File created                 Qklhgdgp.dll                   Pnnmeh32.exe
  File created                 Ihpfbd32.dll                   Cjmmffgn.exe
  File created                 Bacefpbg.exe                   Bjiljf32.exe
  File opened for modification Bpbabf32.exe                   Bclqme32.exe
  File opened for modification Cmdaeo32.exe                   Camqpnel.exe
  File opened for modification Lffohikd.exe                   Liboodmk.exe
  File created                 Lfkhch32.exe                   Lmcdkbao.exe
  File opened for modification Mpkhoj32.exe                   Mgbcfdmo.exe
  File created                 Giedhjnn.dll                   Ogpjmn32.exe
  File created                 Mqpkpl32.dll                   Eifobe32.exe
  File created                 Dheoedma.dll                   Jkcmjpma.exe
  File opened for modification Lbmpnjai.exe                   Lffohikd.exe
  File created                 Bfkfbm32.dll                   Dilddl32.exe
  File created                 Pfqlkfoc.exe                   Pjjkfe32.exe
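The two tables above ("Executes dropped EXE" and "Drops file in System32 directory") describe one behaviour: a process writes an executable into the system directory and its child is then started from that file, stage after stage. That join of a file-write event to a later process-start event is something endpoint telemetry can express directly. The following is an added example, not part of the report: it links Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) records and scores the depth of the resulting drop-and-execute chain. The events are constructed; the first three stage names and pids are taken from the tables above, while the timestamps, the sample's directory and the two benign records are invented. Where the telemetry also records file modification (the report shows some drops as "File opened for modification"), feed those events in as well.

```python
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

# Constructed Sysmon-style events (EventID 11 = FileCreate, EventID 1 = ProcessCreate).
# Stage names and pids for the first three stages come from the report tables; the
# timestamps, the sample's directory and the two benign records are invented.
SAMPLE = "C:\\Users\\user\\04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4N.exe"
EVENTS = [
    {"id": 11, "t": 1, "pid": 844,  "image": SAMPLE, "target": "C:\\Windows\\SysWOW64\\Cnipak32.exe"},
    {"id": 1,  "t": 2, "pid": 2448, "ppid": 844,  "image": "C:\\Windows\\SysWOW64\\Cnipak32.exe"},
    {"id": 11, "t": 3, "pid": 2448, "image": "C:\\Windows\\SysWOW64\\Cnipak32.exe", "target": "C:\\Windows\\SysWOW64\\Chocodch.exe"},
    {"id": 1,  "t": 4, "pid": 2864, "ppid": 2448, "image": "C:\\Windows\\SysWOW64\\Chocodch.exe"},
    {"id": 11, "t": 5, "pid": 2864, "image": "C:\\Windows\\SysWOW64\\Chocodch.exe", "target": "C:\\Windows\\SysWOW64\\Cnnimkom.exe"},
    {"id": 1,  "t": 6, "pid": 2716, "ppid": 2864, "image": "C:\\Windows\\SysWOW64\\Cnnimkom.exe"},
    # benign: an installer writes and runs a helper in its own directory, not System32
    {"id": 11, "t": 7, "pid": 5000, "image": "C:\\Temp\\setup.exe", "target": "C:\\Temp\\helper.exe"},
    {"id": 1,  "t": 8, "pid": 5001, "ppid": 5000, "image": "C:\\Temp\\helper.exe"},
    # benign: a system process starts a System32 binary that it did not write
    {"id": 1,  "t": 9, "pid": 5002, "ppid": 700, "image": "C:\\Windows\\System32\\conhost.exe"},
]


def find_drop_exec_chains(events):
    """Link each ProcessCreate to an earlier FileCreate of the same path by its parent.

    Returns (links, depth): links is a list of (parent_pid, child_pid, image) for
    every process started from a file that its own parent wrote into a system
    directory; depth maps each such child pid to its position in the chain
    (1 = dropped by the original sample, 2 = dropped by a stage-1 dropper, ...).
    """
    created = {}   # (creator pid, lower-cased path) -> time of the FileCreate
    depth = {}
    links = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 11:
            created[(ev["pid"], ev["target"].lower())] = ev["t"]
            continue
        if ev["id"] != 1:
            continue
        image = ev["image"].lower()
        if not image.startswith(SYSTEM_DIRS):
            continue
        written_at = created.get((ev["ppid"], image))
        if written_at is None or written_at > ev["t"]:
            continue  # parent never wrote this file, or wrote it only afterwards
        depth[ev["pid"]] = depth.get(ev["ppid"], 0) + 1
        links.append((ev["ppid"], ev["pid"], ev["image"]))
    return links, depth


def suspicious_chains(events, min_depth=2):
    """Pids whose drop-and-execute chain is at least min_depth stages long.

    A single drop-and-run is common in installers; a chain of droppers that each
    write the next stage into SysWOW64 is the pattern this report shows.
    """
    _links, depth = find_drop_exec_chains(events)
    return {pid: d for pid, d in depth.items() if d >= min_depth}


if __name__ == "__main__":
    links, depth = find_drop_exec_chains(EVENTS)
    for parent, child, image in links:
        print(f"{parent} -> {child} {image} (stage {depth[child]})")
    print("flagged:", suspicious_chains(EVENTS))
```

The depth threshold is the useful knob: at 1 the rule fires on every installer that unpacks a helper into System32, at 2 or more it fires on a dropper that was itself dropped, which is the behaviour every row of the tables above records.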
Program crash (1 IoC)

  pid   process       pid_target  target process
  4704  WerFault.exe  2148        Eceimadb.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Every IoC is the same operation, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", performed by the process named; ordinary locale initialisation reads this key too, so the signature is low-signal on its own, and its value here is the list of stage names it ties together. The listing stops at 64 entries.

  Ccnddg32.exe  Bakaaepk.exe  Ojkhjabc.exe  Ejohdbok.exe  Kgmilmkb.exe  Dpdpkfga.exe  Kiemmh32.exe  Mkohjbah.exe
  Joebccpp.exe  Nljhhi32.exe  Npnclf32.exe  Eldbkbop.exe  Eddjhb32.exe  Ckkhga32.exe  Amoibc32.exe  Afhpca32.exe
  Glpgibbn.exe  Dakpiajj.exe  Ndoelpid.exe  Ghddnnfi.exe  Qidckjae.exe  Ekfaij32.exe  Cmdaeo32.exe  Ceoooj32.exe
  Iqhfnifq.exe  Lkifkdjm.exe  Jcocgkbp.exe  Bcoffd32.exe  Ccgnelll.exe  Jjmcfl32.exe  Pkfghh32.exe  Bomhnb32.exe
  Jdjgfomh.exe  Ijqjgo32.exe  Meemgk32.exe  Lggbmbfc.exe  Agnjge32.exe  Pefhlcdk.exe  Qoqhncgp.exe  Glijnmdj.exe
  Qjeihl32.exe  Pijgbl32.exe  Dleelp32.exe  Lmhdph32.exe  Dnhgoa32.exe  Liboodmk.exe  Jegdgj32.exe  Kfopdk32.exe
  Ddnfql32.exe  Jpqgkpcl.exe  Jofdll32.exe  Bnhncclq.exe  Ehkcpc32.exe  Cojghf32.exe  Pnkiebib.exe  Pmmcfi32.exe
  Iocioq32.exe  Mcofid32.exe  Hdbbnd32.exe  Kobkbaac.exe  Camqpnel.exe  Chblqlcj.exe  Aoihaa32.exe  Bmhkojab.exe
Modifies registry class (64 IoCs)

This is the other half of the SSODL persistence: the CLSID that the "Adds autorun key" signature writes into ShellServiceObjectDelayLoad is registered here as a COM class whose in-process server is one of the DLLs dropped into C:\Windows\SysWow64, with ThreadingModel = "Apartment". When Explorer processes the SSODL list at logon it loads that DLL into its own process. Every IoC is under one key, abbreviated InProcServer32 in the table:

  HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

The report renders the DLL paths with doubled backslashes (escaped); they are shown unescaped here. The source table is cut off after the 59th complete row, mid-entry.

  description      ioc                                                        process
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Alqqip32.dll"  Apnhggln.exe
  Key created      InProcServer32                                             Liboodmk.exe
  Key created      InProcServer32                                             Mhckloge.exe
  Key created      InProcServer32                                             Fogdap32.exe
  Key created      InProcServer32                                             Njnokdaq.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Eknjoj32.dll"  Blipno32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Ffdiiopj.dll"  Ffjljmla.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Laogfg32.exe
  Key created      InProcServer32                                             Dicann32.exe
  Key created      InProcServer32                                             Bggjjlnb.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Fjaoplho.exe
  Key created      InProcServer32                                             Ikgfdlcb.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Dcjmcd32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Ipojic32.dll"  Bfppgohb.exe
  Key created      InProcServer32                                             Peqhgmdd.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Gjpldngk.dll"  Mhfoleio.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Hpfoboml.exe
  Key created      InProcServer32                                             Cnipak32.exe
  Key created      InProcServer32                                             Iqhfnifq.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Odflmp32.exe
  Key created      InProcServer32                                             Geilah32.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Lfdpjp32.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Amoibc32.exe
  Key created      InProcServer32                                             Hkmjjn32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Qamnbhdj.dll"  Bacefpbg.exe
  Key created      InProcServer32                                             Hhfmbq32.exe
  Key created      InProcServer32                                             Jojloc32.exe
  Key created      InProcServer32                                             Iphhgb32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Fpnnjc32.dll"  Ddnfql32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Ickcibdp.dll"  Hlmnogkl.exe
  Key created      InProcServer32                                             Hnpgloog.exe
  Key created      InProcServer32                                             Pglojj32.exe
  Key created      InProcServer32                                             Abnopj32.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Cceapl32.exe
  Key created      InProcServer32                                             Pdajpf32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Jmdkjqpq.dll"  Nejdjf32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Lmglihnc.dll"  Nnlhab32.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Fpgnoo32.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Oeaael32.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Bllomg32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Dehfhq32.dll"  Kgmilmkb.exe
  Key created      InProcServer32                                             Pnnmeh32.exe
  Key created      InProcServer32                                             Fmddgg32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Pjeimkch.dll"  Oqgmmk32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Gpkafpim.dll"  Edpoeoea.exe
  Key created      InProcServer32                                             Ogpjmn32.exe
  Key created      InProcServer32                                             Aeccdila.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Hidgoh32.dll"  Eldbkbop.exe
  Key created      InProcServer32                                             Nfjildbp.exe
  Key created      InProcServer32                                             Hpfoboml.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Cgefap32.dll"  Jngkdj32.exe
  Key created      InProcServer32                                             Fgjkmijh.exe
  Key created      InProcServer32                                             Iemalkgd.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Bfimld32.dll"  Knddcg32.exe
  Key created      InProcServer32                                             Aicipgqe.exe
  Set value (str)  InProcServer32\ThreadingModel = "Apartment"                Enmqjq32.exe
  Key created      InProcServer32                                             Niqgof32.exe
  Set value (str)  InProcServer32\(default) = "C:\Windows\SysWow64\Qebepc32.dll"  Aqanke32.exe
  Key created      InProcServer32                                             Eldbkbop.exe
  Set value (str)  (entry truncated in the source)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfoacnc.dll" Ppipdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdehcgni.dll" Iocioq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djjeedhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmldji32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4N.exe"C:\Users\Admin\AppData\Local\Temp\04bcdcec770f36c6b9f32ec8f53739435437bf9490277f09400f51be76dbd9f4N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Dfkjgm32.exeC:\Windows\system32\Dfkjgm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Fogdap32.exeC:\Windows\system32\Fogdap32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Hlmnogkl.exeC:\Windows\system32\Hlmnogkl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe33⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe34⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe35⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe37⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe38⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe39⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe43⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe45⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe47⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Mhkfnlme.exeC:\Windows\system32\Mhkfnlme.exe48⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Npfjbn32.exeC:\Windows\system32\Npfjbn32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe51⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe54⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Nfjildbp.exeC:\Windows\system32\Nfjildbp.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Nhhehpbc.exeC:\Windows\system32\Nhhehpbc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe57⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe58⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe59⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe61⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe62⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe64⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe66⤵
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe67⤵PID:1508
-
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe68⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe69⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe71⤵PID:2532
-
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe73⤵PID:2180
-
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe74⤵PID:2708
-
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe75⤵PID:2884
-
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe76⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Aadobccg.exeC:\Windows\system32\Aadobccg.exe77⤵PID:1116
-
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1380 -
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe79⤵PID:2136
-
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Afgnkilf.exeC:\Windows\system32\Afgnkilf.exe81⤵PID:2472
-
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe82⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe83⤵PID:616
-
C:\Windows\SysWOW64\Bbqkeioh.exeC:\Windows\system32\Bbqkeioh.exe84⤵PID:2492
-
C:\Windows\SysWOW64\Blipno32.exeC:\Windows\system32\Blipno32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe86⤵PID:1604
-
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe87⤵PID:2380
-
C:\Windows\SysWOW64\Bakaaepk.exeC:\Windows\system32\Bakaaepk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe90⤵PID:2620
-
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe91⤵PID:2760
-
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe92⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe93⤵PID:2044
-
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe95⤵PID:2460
-
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe97⤵
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe98⤵PID:1120
-
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe100⤵PID:2368
-
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:620 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe102⤵PID:1916
-
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe103⤵PID:2200
-
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe105⤵PID:3056
-
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Eqkjmcmq.exeC:\Windows\system32\Eqkjmcmq.exe108⤵PID:800
-
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe109⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe110⤵PID:1804
-
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe112⤵PID:112
-
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe113⤵PID:1556
-
C:\Windows\SysWOW64\Epeajo32.exeC:\Windows\system32\Epeajo32.exe114⤵PID:1664
-
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe115⤵PID:2748
-
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe116⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe117⤵PID:2828
-
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe118⤵PID:3064
-
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe119⤵
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe120⤵PID:776
-
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe121⤵PID:2348
-
C:\Windows\SysWOW64\Ffjljmla.exeC:\Windows\system32\Ffjljmla.exe122⤵
- Modifies registry class
PID:1368