Analysis
max time kernel: 16s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:52
Static task: static1
Behavioral task: behavioral1
  Sample: b338b6a9758e620683697e30c3d4af587050b738389648b77bfbbab882dbc116.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: b338b6a9758e620683697e30c3d4af587050b738389648b77bfbbab882dbc116.exe
  Resource: win10v2004-20241007-en
General
Target: b338b6a9758e620683697e30c3d4af587050b738389648b77bfbbab882dbc116.exe
Size: 384KB
MD5: d74d2580d6ea571b896fd44ea826c497
SHA1: fb5f86e3f2ed213a9a5f0044fbae63080d6a2a9b
SHA256: b338b6a9758e620683697e30c3d4af587050b738389648b77bfbbab882dbc116
SHA512: becb90cd8bb969afbfd369c3f08838bde4559df2a17a27fe15aa3c3292e6416bd63d1e5c0b5d016534ffa0f310dca97833fb0f13e5365502efd5e3f176b001e6
SSDEEP: 6144:KHmZN6C6jTpui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGck7/DiuoH3ygND:OOipV6yYPMLnfBJKFbhDwBpV6yYP0riN
Malware Config
Extracted family: berbew
Extracted URLs:
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe (pid 3596), target process: Bmenijcd.exe (pid_target 3516)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkimple.dll" Hjhchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lqgjkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflibl32.dll" Hmneebeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgjlgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfekom32.dll" Ogbgbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkifgpeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnpeijla.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: each process in the chain wrote into the memory of the process it launched next; every write below was recorded four times, giving the 64 IoCs.
- PID 2508 b338b6a9758e620683697e30c3d4af587050b738389648b77bfbbab882dbc116.exe wrote to memory of PID 2696 Bllomg32.exe
- PID 2696 Bllomg32.exe wrote to memory of PID 2868 Baigen32.exe
- PID 2868 Baigen32.exe wrote to memory of PID 2280 Bdgcaj32.exe
- PID 2280 Bdgcaj32.exe wrote to memory of PID 2632 Bjalndpb.exe
- PID 2632 Bjalndpb.exe wrote to memory of PID 2596 Cdnjaibm.exe
- PID 2596 Cdnjaibm.exe wrote to memory of PID 2188 Cdqfgh32.exe
- PID 2188 Cdqfgh32.exe wrote to memory of PID 2700 Cmikpngk.exe
- PID 2700 Cmikpngk.exe wrote to memory of PID 828 Cpidai32.exe
- PID 828 Cpidai32.exe wrote to memory of PID 2924 Dakpiajj.exe
- PID 2924 Dakpiajj.exe wrote to memory of PID 1248 Dlbaljhn.exe
- PID 1248 Dlbaljhn.exe wrote to memory of PID 2084 Doamhe32.exe
- PID 2084 Doamhe32.exe wrote to memory of PID 1052 Dhlogjko.exe
- PID 1052 Dhlogjko.exe wrote to memory of PID 1788 Dkjkcfjc.exe
- PID 1788 Dkjkcfjc.exe wrote to memory of PID 1596 Dgalhgpg.exe
- PID 1596 Dgalhgpg.exe wrote to memory of PID 1084 Edelakoq.exe
- PID 1084 Edelakoq.exe wrote to memory of PID 1812 Eqnillbb.exe
Processes
Process tree (the number is the depth in the tree; each process launched the one listed after it). Child processes were started with the command line C:\Windows\system32\<name>.exe and ran from the image C:\Windows\SysWOW64\<name>.exe; the signatures that fired for each process follow the PID.
- 1. C:\Users\Admin\AppData\Local\Temp\b338b6a9758e620683697e30c3d4af587050b738389648b77bfbbab882dbc116.exe (PID 2508): Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
- 2. C:\Windows\SysWOW64\Bllomg32.exe (PID 2696): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 3. C:\Windows\SysWOW64\Baigen32.exe (PID 2868): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 4. C:\Windows\SysWOW64\Bdgcaj32.exe (PID 2280): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 5. C:\Windows\SysWOW64\Bjalndpb.exe (PID 2632): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 6. C:\Windows\SysWOW64\Cdnjaibm.exe (PID 2596): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 7. C:\Windows\SysWOW64\Cdqfgh32.exe (PID 2188): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 8. C:\Windows\SysWOW64\Cmikpngk.exe (PID 2700): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 9. C:\Windows\SysWOW64\Cpidai32.exe (PID 828): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 10. C:\Windows\SysWOW64\Dakpiajj.exe (PID 2924): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 11. C:\Windows\SysWOW64\Dlbaljhn.exe (PID 1248): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 12. C:\Windows\SysWOW64\Doamhe32.exe (PID 2084): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
- 13. C:\Windows\SysWOW64\Dhlogjko.exe (PID 1052): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 14. C:\Windows\SysWOW64\Dkjkcfjc.exe (PID 1788): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 15. C:\Windows\SysWOW64\Dgalhgpg.exe (PID 1596): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- 16. C:\Windows\SysWOW64\Edelakoq.exe (PID 1084): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 17. C:\Windows\SysWOW64\Eqnillbb.exe (PID 1812): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 18. C:\Windows\SysWOW64\Ebofcd32.exe (PID 1436): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 19. C:\Windows\SysWOW64\Edpoeoea.exe (PID 2116): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 20. C:\Windows\SysWOW64\Ehlkfn32.exe (PID 2936): Executes dropped EXE; Loads dropped DLL; Modifies registry class
- 21. C:\Windows\SysWOW64\Enhcnd32.exe (PID 2536): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- 22. C:\Windows\SysWOW64\Fdblkoco.exe (PID 1108): Executes dropped EXE; Loads dropped DLL; Modifies registry class
- 23. C:\Windows\SysWOW64\Fgqhgjbb.exe (PID 1216): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
- 24. C:\Windows\SysWOW64\Fbfldc32.exe (PID 1336): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- 25. C:\Windows\SysWOW64\Fjaqhe32.exe (PID 2124): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
- 26. C:\Windows\SysWOW64\Fbiijb32.exe (PID 1692): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
- 27. C:\Windows\SysWOW64\Fjdnne32.exe (PID 2820): Executes dropped EXE; Loads dropped DLL
- 28. C:\Windows\SysWOW64\Fmbjjp32.exe (PID 2824): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
- 29. C:\Windows\SysWOW64\Ffkncf32.exe (PID 2812): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- 30. C:\Windows\SysWOW64\Fmdfppkb.exe (PID 2660): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
- 31. C:\Windows\SysWOW64\Ffmkhe32.exe (PID 2728): Executes dropped EXE; Loads dropped DLL; Modifies registry class
- 32. C:\Windows\SysWOW64\Fikgda32.exe (PID 2376): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 33. C:\Windows\SysWOW64\Gfogneop.exe (PID 1688): Executes dropped EXE; System Location Discovery: System Language Discovery
- 34. C:\Windows\SysWOW64\Gjkcod32.exe (PID 996): Executes dropped EXE
- 35. C:\Windows\SysWOW64\Gphlgk32.exe (PID 2996): Executes dropped EXE; System Location Discovery: System Language Discovery
- 36. C:\Windows\SysWOW64\Gbfhcf32.exe (PID 1784): Executes dropped EXE; System Location Discovery: System Language Discovery
- 37. C:\Windows\SysWOW64\Gnmihgkh.exe (PID 2420): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
- 38. C:\Windows\SysWOW64\Gfdaid32.exe (PID 1064): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
- 39. C:\Windows\SysWOW64\Ghenamai.exe (PID 1100): Executes dropped EXE; System Location Discovery: System Language Discovery
- 40. C:\Windows\SysWOW64\Ganbjb32.exe (PID 2396): Executes dropped EXE; System Location Discovery: System Language Discovery
- 41. C:\Windows\SysWOW64\Gnabcf32.exe (PID 2104): Executes dropped EXE
- 42. C:\Windows\SysWOW64\Gapoob32.exe (PID 1008): Executes dropped EXE; System Location Discovery: System Language Discovery
- 43. C:\Windows\SysWOW64\Hlecmkel.exe (PID 972): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
- 44. C:\Windows\SysWOW64\Hjhchg32.exe (PID 264): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- 45. C:\Windows\SysWOW64\Hmgodc32.exe (PID 980): Executes dropped EXE; System Location Discovery: System Language Discovery
- 46. C:\Windows\SysWOW64\Hengep32.exe (PID 1068): Executes dropped EXE; Drops file in System32 directory
- 47. C:\Windows\SysWOW64\Hhlcal32.exe (PID 864): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
- 48. C:\Windows\SysWOW64\Hnflnfbm.exe (PID 468): Executes dropped EXE; Modifies registry class
- 49. C:\Windows\SysWOW64\Hpghfn32.exe (PID 1480): Executes dropped EXE; Modifies registry class
- 50. C:\Windows\SysWOW64\Hdcdfmqe.exe (PID 1992): Executes dropped EXE
- 51. C:\Windows\SysWOW64\Hhopgkin.exe (PID 2816): Executes dropped EXE; Drops file in System32 directory
- 52. C:\Windows\SysWOW64\Hipmoc32.exe (PID 2624): Executes dropped EXE
- 53. C:\Windows\SysWOW64\Hpjeknfi.exe (PID 2608): Executes dropped EXE; System Location Discovery: System Language Discovery
- 54. C:\Windows\SysWOW64\Hbhagiem.exe (PID 2672): Executes dropped EXE; System Location Discovery: System Language Discovery
- 55. C:\Windows\SysWOW64\Hmneebeb.exe (PID 2580): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
- 56. C:\Windows\SysWOW64\Hplbamdf.exe (PID 3040): Executes dropped EXE; Modifies registry class
- 57. C:\Windows\SysWOW64\Hdhnal32.exe (PID 2904): Executes dropped EXE; Drops file in System32 directory
- 58. C:\Windows\SysWOW64\Hffjng32.exe (PID 2428): Executes dropped EXE; Modifies registry class
- 59. C:\Windows\SysWOW64\Hlcbfnjk.exe (PID 2040): Executes dropped EXE
- 60. C:\Windows\SysWOW64\Ioaobjin.exe (PID 2128): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
- 61. C:\Windows\SysWOW64\Iigcobid.exe (PID 564): Executes dropped EXE
- 62. C:\Windows\SysWOW64\Ihjcko32.exe (PID 2572): Executes dropped EXE; Drops file in System32 directory
- 63. C:\Windows\SysWOW64\Ipaklm32.exe (PID 1716): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
- 64. C:\Windows\SysWOW64\Iboghh32.exe (PID 2160): Executes dropped EXE
- 65. C:\Windows\SysWOW64\Iabhdefo.exe (PID 856): Executes dropped EXE
- 66. C:\Windows\SysWOW64\Iiipeb32.exe (PID 2528): Modifies registry class
- 67. C:\Windows\SysWOW64\Iofhmi32.exe (PID 2764): Adds autorun key to be loaded by Explorer.exe on startup
- 68. C:\Windows\SysWOW64\Iaddid32.exe (PID 2768): no signatures
- 69. C:\Windows\SysWOW64\Iljifm32.exe (PID 1968): System Location Discovery: System Language Discovery
- 70. C:\Windows\SysWOW64\Imkeneja.exe (PID 3044): no signatures
- 71. C:\Windows\SysWOW64\Iagaod32.exe (PID 2676): Drops file in System32 directory
- 72. C:\Windows\SysWOW64\Iebmpcjc.exe (PID 3068): no signatures
- 73. C:\Windows\SysWOW64\Ikoehj32.exe (PID 1976): Drops file in System32 directory
- 74. C:\Windows\SysWOW64\Iainddpg.exe (PID 2644): Modifies registry class
- 75. C:\Windows\SysWOW64\Igffmkno.exe (PID 236): System Location Discovery: System Language Discovery
- 76. C:\Windows\SysWOW64\Jidbifmb.exe (PID 2312): Modifies registry class
- 77. C:\Windows\SysWOW64\Jakjjcnd.exe (PID 2028): no signatures
- 78. C:\Windows\SysWOW64\Jpnkep32.exe (PID 768): Drops file in System32 directory
- 79. C:\Windows\SysWOW64\Jkdoci32.exe (PID 1528): Adds autorun key to be loaded by Explorer.exe on startup
- 80. C:\Windows\SysWOW64\Jnbkodci.exe (PID 1224): Drops file in System32 directory; System Location Discovery: System Language Discovery
- 81. C:\Windows\SysWOW64\Jdlclo32.exe (PID 2012): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- 82. C:\Windows\SysWOW64\Jcocgkbp.exe (PID 1220): Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
- 83. C:\Windows\SysWOW64\Jlghpa32.exe (PID 1576): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- 84. C:\Windows\SysWOW64\Jofdll32.exe (PID 2740): System Location Discovery: System Language Discovery
- 85. C:\Windows\SysWOW64\Jjkiie32.exe (PID 2172): no signatures
- 86. C:\Windows\SysWOW64\Jljeeqfn.exe (PID 2808): no signatures
- 87. C:\Windows\SysWOW64\Jpeafo32.exe (PID 2948): System Location Discovery: System Language Discovery
- 88. C:\Windows\SysWOW64\Jcdmbk32.exe (PID 2888): Adds autorun key to be loaded by Explorer.exe on startup
- 89. C:\Windows\SysWOW64\Jjneoeeh.exe (PID 2564): Drops file in System32 directory
- 90. C:\Windows\SysWOW64\Jkobgm32.exe (PID 2380): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
- 91. C:\Windows\SysWOW64\Jcfjhj32.exe (PID 752): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
- 92. C:\Windows\SysWOW64\Kfdfdf32.exe (PID 1640): Adds autorun key to be loaded by Explorer.exe on startup
- 93. C:\Windows\SysWOW64\Khcbpa32.exe (PID 824): Adds autorun key to be loaded by Explorer.exe on startup
- 94. C:\Windows\SysWOW64\Kkaolm32.exe (PID 1520): Drops file in System32 directory
- 95. C:\Windows\SysWOW64\Kdjceb32.exe (PID 1460): Drops file in System32 directory
- 96. C:\Windows\SysWOW64\Kghoan32.exe (PID 2476): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
- 97. C:\Windows\SysWOW64\Knbgnhfd.exe (PID 2832): Drops file in System32 directory; Modifies registry class
- 98. C:\Windows\SysWOW64\Kqqdjceh.exe (PID 2640): System Location Discovery: System Language Discovery; Modifies registry class
- 99. C:\Windows\SysWOW64\Kgjlgm32.exe (PID 1260): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- 100. C:\Windows\SysWOW64\Kkfhglen.exe (PID 2648): System Location Discovery: System Language Discovery
- 101. C:\Windows\SysWOW64\Kqcqpc32.exe (PID 2156): no signatures
- 102. C:\Windows\SysWOW64\Kcamln32.exe (PID 672): Drops file in System32 directory
- 103. C:\Windows\SysWOW64\Kgmilmkb.exe (PID 1964): Drops file in System32 directory
- 104. C:\Windows\SysWOW64\Kmjaddii.exe (PID 2492): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- 105. C:\Windows\SysWOW64\Kfbemi32.exe (PID 2964): Drops file in System32 directory; Modifies registry class
- 106. C:\Windows\SysWOW64\Kninog32.exe (PID 2504): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 107. C:\Windows\SysWOW64\Lqgjkbop.exe (PID 2532): Drops file in System32 directory; Modifies registry class
- 108. C:\Windows\SysWOW64\Lgabgl32.exe (PID 2548): Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
- 109. C:\Windows\SysWOW64\Lmnkpc32.exe (PID 2544): no signatures
- 110. C:\Windows\SysWOW64\Lomglo32.exe (PID 2792): no signatures
- 111. C:\Windows\SysWOW64\Lbkchj32.exe (PID 2680): no signatures
- 112. C:\Windows\SysWOW64\Ljbkig32.exe (PID 2568): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- 113. C:\Windows\SysWOW64\Lmqgec32.exe (PID 816): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 114. C:\Windows\SysWOW64\Lckpbm32.exe (PID 2988): no signatures
- 115. C:\Windows\SysWOW64\Lelljepm.exe (PID 1192): Drops file in System32 directory
- 116. C:\Windows\SysWOW64\Lkfdfo32.exe (PID 2232): Drops file in System32 directory
- 117. C:\Windows\SysWOW64\Lndqbk32.exe (PID 1628): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
- 118. C:\Windows\SysWOW64\Lfkhch32.exe (PID 3020): no signatures
- 119. C:\Windows\SysWOW64\Lkhalo32.exe (PID 2472): Drops file in System32 directory; System Location Discovery: System Language Discovery
- 120. C:\Windows\SysWOW64\Lnfmhj32.exe (PID 2732): Drops file in System32 directory
- 121. C:\Windows\SysWOW64\Milaecdp.exe (PID 2944): Adds autorun key to be loaded by Explorer.exe on startup
- 122. C:\Windows\SysWOW64\Mljnaocd.exe (PID 2260): no signatures