Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:56
Static task
static1
Behavioral task
behavioral1
Sample
b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe
Resource
win10v2004-20241007-en
General
-
Target
b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe
-
Size
96KB
-
MD5
83de0517acf4613ebb2e9e312a511256
-
SHA1
7e319c69dc695baca29879a9ace6317f9abf6274
-
SHA256
b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe
-
SHA512
5bc1adb646435d2235123fbde497fe24b73a5938c06c9532c27d8dde69fd0838c4053e26daac80457c95fab525cdf2d259cec6ba9c2a8ae855463cd7960adc17
-
SSDEEP
1536:PdDtYR3EXSyl35zo+zztp5jM6mmPHN4huwgnui0vSHG7mftt3duV9jojTIvjr:Ps59yrh/hdNE/grx6mldd69jc0v
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Alageg32.exeAakjdo32.exeIndnnfdn.exeNkehql32.exeIjclol32.exeBniajoic.exeGhlfjq32.exePnfnajed.exeGckfpc32.exeInjndk32.exeNbflno32.exeHqgddm32.exeHpnkbpdd.exeDphfbiem.exeOfqmcj32.exeFooembgb.exeFkpjnkig.exeCfkloq32.exeEfljhq32.exeOffpbi32.exeJpgjgboe.exeKlmbjh32.exeOchcem32.exeLpfnckhe.exeAjmijmnn.exeAkcomepg.exeCmpgpond.exeOdkgec32.exeBpbmqe32.exeCbbomjnn.exeKjepaa32.exeJijokbfp.exeKajiigba.exeQejpoi32.exeIebldo32.exeJjfkmdlg.exeCpiqmlfm.exePonklpcg.exeEknpadcn.exeMhninb32.exeCeeieced.exeLbafdlod.exeBccmmf32.exeAgihgp32.exeNqeapo32.exeOighcd32.exePhledp32.exeCmedlk32.exeBfabnl32.exeKhldkllj.exeAljjjb32.exeIegeonpc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alageg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indnnfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkehql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlfjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfnajed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Injndk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnkbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphfbiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqmcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Offpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpgjgboe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ochcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpfnckhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpbmqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbomjnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jijokbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qejpoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebldo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpiqmlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eknpadcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhninb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbafdlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agihgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqeapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oighcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phledp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khldkllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aljjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iegeonpc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Bgibnj32.exeBflbigdb.exeCjjkpe32.exeCcbphk32.exeCfpldf32.exeCpiqmlfm.exeCeeieced.exeCbiiog32.exeChfbgn32.exeCopjdhib.exeCblfdg32.exeDejbqb32.exeDaacecfc.exeDkigoimd.exeDeollamj.exeDhpemm32.exeDiaaeepi.exeDkqnoh32.exeEpmfgo32.exeEggndi32.exeEmagacdm.exeEobchk32.exeEoepnk32.exeEcploipa.exeEhmdgp32.exeElkmmodo.exeEaheeecg.exeFkpjnkig.exeFpmbfbgo.exeFpoolael.exeFdkklp32.exeFqalaa32.exeFgldnkkf.exeGoiehm32.exeGbhbdi32.exeGfcnegnk.exeGbjojh32.exeGnaooi32.exeGfhgpg32.exeGbohehoj.exeGdmdacnn.exeGkglnm32.exeGqdefddb.exeGcbabpcf.exeHjlioj32.exeHmkeke32.exeHcdnhoac.exeHfcjdkpg.exeHnjbeh32.exeHmmbqegc.exeHpkompgg.exeHcgjmo32.exeHjacjifm.exeHidcef32.exeHpnkbpdd.exeHfhcoj32.exeHldlga32.exeHcldhnkk.exeHboddk32.exeHfjpdjjo.exeHihlqeib.exeHlgimqhf.exeHpbdmo32.exeIflmjihl.exepid process 1028 Bgibnj32.exe 1984 Bflbigdb.exe 2496 Cjjkpe32.exe 2940 Ccbphk32.exe 2700 Cfpldf32.exe 3020 Cpiqmlfm.exe 2864 Ceeieced.exe 1268 Cbiiog32.exe 2752 Chfbgn32.exe 816 Copjdhib.exe 3008 Cblfdg32.exe 2868 Dejbqb32.exe 1552 Daacecfc.exe 2508 Dkigoimd.exe 2280 Deollamj.exe 1520 Dhpemm32.exe 448 Diaaeepi.exe 2576 Dkqnoh32.exe 956 Epmfgo32.exe 1688 Eggndi32.exe 496 Emagacdm.exe 812 Eobchk32.exe 2984 Eoepnk32.exe 2648 Ecploipa.exe 1416 Ehmdgp32.exe 1736 Elkmmodo.exe 2124 Eaheeecg.exe 2296 Fkpjnkig.exe 2952 Fpmbfbgo.exe 2824 Fpoolael.exe 2888 Fdkklp32.exe 2724 Fqalaa32.exe 2484 Fgldnkkf.exe 3064 Goiehm32.exe 2680 Gbhbdi32.exe 1820 Gfcnegnk.exe 3060 Gbjojh32.exe 620 Gnaooi32.exe 2560 Gfhgpg32.exe 2384 Gbohehoj.exe 2492 Gdmdacnn.exe 408 Gkglnm32.exe 2172 Gqdefddb.exe 1856 Gcbabpcf.exe 2012 Hjlioj32.exe 2380 Hmkeke32.exe 2232 Hcdnhoac.exe 1776 Hfcjdkpg.exe 2392 Hnjbeh32.exe 2120 Hmmbqegc.exe 2096 Hpkompgg.exe 2268 Hcgjmo32.exe 2720 Hjacjifm.exe 2884 Hidcef32.exe 1320 Hpnkbpdd.exe 1056 Hfhcoj32.exe 1376 Hldlga32.exe 696 Hcldhnkk.exe 2344 Hboddk32.exe 2088 Hfjpdjjo.exe 1088 Hihlqeib.exe 1340 Hlgimqhf.exe 2024 Hpbdmo32.exe 1620 Iflmjihl.exe -
Loads dropped DLL 64 IoCs
Processes:
b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exeBgibnj32.exeBflbigdb.exeCjjkpe32.exeCcbphk32.exeCfpldf32.exeCpiqmlfm.exeCeeieced.exeCbiiog32.exeChfbgn32.exeCopjdhib.exeCblfdg32.exeDejbqb32.exeDaacecfc.exeDkigoimd.exeDeollamj.exeDhpemm32.exeDiaaeepi.exeDkqnoh32.exeEpmfgo32.exeEggndi32.exeEmagacdm.exeEobchk32.exeEoepnk32.exeEcploipa.exeEhmdgp32.exeElkmmodo.exeEaheeecg.exeFkpjnkig.exeFpmbfbgo.exeFpoolael.exeFdkklp32.exepid process 2408 b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe 2408 b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe 1028 Bgibnj32.exe 1028 Bgibnj32.exe 1984 Bflbigdb.exe 1984 Bflbigdb.exe 2496 Cjjkpe32.exe 2496 Cjjkpe32.exe 2940 Ccbphk32.exe 2940 Ccbphk32.exe 2700 Cfpldf32.exe 2700 Cfpldf32.exe 3020 Cpiqmlfm.exe 3020 Cpiqmlfm.exe 2864 Ceeieced.exe 2864 Ceeieced.exe 1268 Cbiiog32.exe 1268 Cbiiog32.exe 2752 Chfbgn32.exe 2752 Chfbgn32.exe 816 Copjdhib.exe 816 Copjdhib.exe 3008 Cblfdg32.exe 3008 Cblfdg32.exe 2868 Dejbqb32.exe 2868 Dejbqb32.exe 1552 Daacecfc.exe 1552 Daacecfc.exe 2508 Dkigoimd.exe 2508 Dkigoimd.exe 2280 Deollamj.exe 2280 Deollamj.exe 1520 Dhpemm32.exe 1520 Dhpemm32.exe 448 Diaaeepi.exe 448 Diaaeepi.exe 2576 Dkqnoh32.exe 2576 Dkqnoh32.exe 956 Epmfgo32.exe 956 Epmfgo32.exe 1688 Eggndi32.exe 1688 Eggndi32.exe 496 Emagacdm.exe 496 Emagacdm.exe 812 Eobchk32.exe 812 Eobchk32.exe 2984 Eoepnk32.exe 2984 Eoepnk32.exe 2648 Ecploipa.exe 2648 Ecploipa.exe 1416 Ehmdgp32.exe 1416 Ehmdgp32.exe 1736 Elkmmodo.exe 1736 Elkmmodo.exe 2124 Eaheeecg.exe 2124 Eaheeecg.exe 2296 Fkpjnkig.exe 2296 Fkpjnkig.exe 2952 Fpmbfbgo.exe 2952 Fpmbfbgo.exe 2824 Fpoolael.exe 2824 Fpoolael.exe 2888 Fdkklp32.exe 2888 Fdkklp32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ohipla32.exeInhdgdmk.exeKppldhla.exeOmioekbo.exeAaimopli.exeHfpfdeon.exeCbjlhpkb.exeLcadghnk.exeDjdjalea.exeJacfidem.exeAlddjg32.exeNccnlk32.exeIngmmn32.exeFepjea32.exeJjfkmdlg.exeJpbcek32.exeFobkfqpo.exeLlpoohik.exeCcbphk32.exeElkmmodo.exeOjbbmnhc.exeNfdfmfle.exeGoddjc32.exeKecjmodq.exeChfbgn32.exeFhjmfnok.exeQejpoi32.exeFijbco32.exeNndemg32.exeIbkmchbh.exeFbngfo32.exeEgajnfoe.exeOighcd32.exeBgokfnij.exeIaimipjl.exeJlhkgm32.exeDmebcgbb.exeAgihgp32.exeGcgqgd32.exeGamnhq32.exeLdhgnk32.exeGnkoid32.exeLjnqdhga.exePhaoppja.exeJpdnbbah.exeEafkhn32.exeFacdgl32.exeJedcpi32.exeHieiqo32.exeLafahdcc.exeEmaijk32.exeGockgdeh.exePnfnajed.exePnmdbi32.exeBjpdhifk.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Oflpgnld.exe Ohipla32.exe File opened for modification C:\Windows\SysWOW64\Ifolhann.exe Inhdgdmk.exe File created C:\Windows\SysWOW64\Jnhdiaee.dll Kppldhla.exe File created C:\Windows\SysWOW64\Eiapeffl.dll Omioekbo.exe File created C:\Windows\SysWOW64\Ahbekjcf.exe Aaimopli.exe File created C:\Windows\SysWOW64\Iclafh32.dll File created C:\Windows\SysWOW64\Fdffdghm.dll File created C:\Windows\SysWOW64\Glmbma32.dll File created C:\Windows\SysWOW64\Hinbppna.exe Hfpfdeon.exe File created C:\Windows\SysWOW64\Cehhdkjf.exe Cbjlhpkb.exe File created C:\Windows\SysWOW64\Gebojbpo.dll Lcadghnk.exe File opened for modification C:\Windows\SysWOW64\Dnpebj32.exe Djdjalea.exe File opened for modification C:\Windows\SysWOW64\Jijokbfp.exe Jacfidem.exe File opened for modification C:\Windows\SysWOW64\Aobpfb32.exe Alddjg32.exe File created C:\Windows\SysWOW64\Nfbjhf32.exe Nccnlk32.exe File opened for modification C:\Windows\SysWOW64\Imjmhkpj.exe Ingmmn32.exe File opened for modification C:\Windows\SysWOW64\Ghofam32.exe Fepjea32.exe File created C:\Windows\SysWOW64\Ekhnnojb.dll Jjfkmdlg.exe File created C:\Windows\SysWOW64\Jgjkfi32.exe Jpbcek32.exe File created C:\Windows\SysWOW64\Fbngfo32.exe Fobkfqpo.exe File created C:\Windows\SysWOW64\Lmalgq32.exe Llpoohik.exe File created C:\Windows\SysWOW64\Cfpldf32.exe Ccbphk32.exe File created C:\Windows\SysWOW64\Qffhlolm.dll Elkmmodo.exe File created C:\Windows\SysWOW64\Objjnkie.exe Ojbbmnhc.exe File created C:\Windows\SysWOW64\Mcgkdb32.dll Nfdfmfle.exe File created C:\Windows\SysWOW64\Ggklka32.exe Goddjc32.exe File opened for modification C:\Windows\SysWOW64\Klmbjh32.exe Kecjmodq.exe File created C:\Windows\SysWOW64\Jkkcdb32.dll File created C:\Windows\SysWOW64\Inoaljog.dll Chfbgn32.exe File created C:\Windows\SysWOW64\Lmmnpb32.dll Fhjmfnok.exe File opened for modification C:\Windows\SysWOW64\Qldhkc32.exe Qejpoi32.exe File created C:\Windows\SysWOW64\Fliook32.exe Fijbco32.exe File created C:\Windows\SysWOW64\Nbpqmfmd.exe Nndemg32.exe File created C:\Windows\SysWOW64\Iejiodbl.exe Ibkmchbh.exe File opened for modification C:\Windows\SysWOW64\Felcbk32.exe Fbngfo32.exe File created C:\Windows\SysWOW64\Bqiibc32.dll Egajnfoe.exe File opened for modification C:\Windows\SysWOW64\Pehebbbh.exe File opened for modification C:\Windows\SysWOW64\Opaqpn32.exe Oighcd32.exe File opened for modification C:\Windows\SysWOW64\Bkkgfm32.exe Bgokfnij.exe File created C:\Windows\SysWOW64\Iediin32.exe Iaimipjl.exe File created C:\Windows\SysWOW64\Eepmlf32.exe File opened for modification C:\Windows\SysWOW64\Jbbccgmp.exe Jlhkgm32.exe File opened for modification C:\Windows\SysWOW64\Docopbaf.exe Dmebcgbb.exe File created C:\Windows\SysWOW64\Oehiknbl.dll Agihgp32.exe File opened for modification C:\Windows\SysWOW64\Gefmcp32.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Gehiioaj.exe Gamnhq32.exe File created C:\Windows\SysWOW64\Llpoohik.exe Ldhgnk32.exe File created C:\Windows\SysWOW64\Hgojdj32.dll Gnkoid32.exe File created C:\Windows\SysWOW64\Llmmpcfe.exe Ljnqdhga.exe File created C:\Windows\SysWOW64\Pjoklkie.exe Phaoppja.exe File created C:\Windows\SysWOW64\Kcbaab32.dll Jpdnbbah.exe File created C:\Windows\SysWOW64\Eimcjl32.exe Eafkhn32.exe File created C:\Windows\SysWOW64\Jbcjnnpl.exe Jpdnbbah.exe File created C:\Windows\SysWOW64\Gafglb32.dll Facdgl32.exe File created C:\Windows\SysWOW64\Epjecp32.dll File opened for modification C:\Windows\SysWOW64\Jlnklcej.exe Jedcpi32.exe File created C:\Windows\SysWOW64\Hkdemk32.exe Hieiqo32.exe File opened for modification C:\Windows\SysWOW64\Mdendpbg.exe Lafahdcc.exe File created C:\Windows\SysWOW64\Licpomcb.dll Emaijk32.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Padjmfdg.exe Pnfnajed.exe File opened for modification C:\Windows\SysWOW64\Pmpdmfff.exe Pnmdbi32.exe File created C:\Windows\SysWOW64\Jimohpcc.dll Bjpdhifk.exe File opened for modification C:\Windows\SysWOW64\Macjgadf.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 3520 3388 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nbeedh32.exeEggndi32.exeMjfphf32.exeNbpqmfmd.exeJfdhmk32.exeElgfkhpi.exeAeiecfga.exeJedcpi32.exeDbaice32.exeDpeiligo.exeGcgqgd32.exePhaoppja.exeDfbnoc32.exeKlecfkff.exeCqglng32.exeHagianlf.exeDblhmoio.exeEaheeecg.exeHmkeke32.exeMjaddn32.exeAjmijmnn.exeMhhgpc32.exeLdhgnk32.exeIafnjg32.exeIcdcllpc.exeMbqkiind.exeFlnlkgjq.exeDnkhfnck.exeHnjbeh32.exeHkolakkb.exeQkielpdf.exeKdeaelok.exeNhpfdaml.exeMmgfqh32.exeAokckm32.exeBooiep32.exeImhqbkbm.exeCgaaah32.exeDjiqdb32.exeApkgpf32.exeCfckcoen.exeIkldqile.exeCbbomjnn.exeFpoolael.exeKgnbnpkp.exeOoabmbbe.exeCjogcm32.exeLljpjchg.exeMdldeo32.exeBapfhg32.exeIblola32.exeBnapnm32.exeGehiioaj.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpqmfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdhmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeiecfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpeiligo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phaoppja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqglng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagianlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblhmoio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldhgnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdcllpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqkiind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnkhfnck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeaelok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpfdaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokckm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Booiep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djiqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbomjnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbnpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabmbbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljpjchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdldeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapfhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iblola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnapnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe -
Modifies registry class 64 IoCs
Processes:
Nbeedh32.exeAljjjb32.exeIliebpfc.exeAokckm32.exeBgmnpn32.exeKjepaa32.exeLlepen32.exeDpeiligo.exeApmcefmf.exeEknpadcn.exeQigebglj.exeIfjlcmmj.exeFpmbfbgo.exeJpigma32.exePhnpagdp.exeCmpgpond.exeFkefbcmf.exeHofqpc32.exeBgibnj32.exeBjbndpmd.exePfflql32.exeJcdadhjb.exeCfpldf32.exeGqlhkofn.exeJieaofmp.exeBlnpddeo.exeJbcjnnpl.exeNqeapo32.exeNkclkl32.exeAeiecfga.exeKdeaelok.exeBpbmqe32.exeCfckcoen.exeBqijljfd.exeDjiqdb32.exeQiiahgjh.exeBccmmf32.exeAohdmdoh.exeQlgkki32.exeDhpgfeao.exeFloeof32.exeJgbjjf32.exeEodicd32.exeHbkqdepm.exeMcaafk32.exeFennoa32.exeKilgoe32.exeMjdcbf32.exeMjilmejf.exeHboddk32.exeMqklqhpg.exeMjfnomde.exeNlilqbgp.exeDkqnoh32.exeBapfhg32.exeKnfndjdp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiggco32.dll" Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aljjjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iliebpfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aokckm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgmnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdinn32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llepen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odecjfnl.dll" Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjgaf32.dll" Qigebglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faohbf32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacnfacn.dll" Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmmfimm.dll" Fpmbfbgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpigma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hofqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgibnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjbndpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfflql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijppackl.dll" Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqlhkofn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jieaofmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blnpddeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqeapo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkclkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeiecfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcdki32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdeaelok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpbmqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfckcoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqijljfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhmmga.dll" Qiiahgjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll" Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll" Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepiko32.dll" Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmicpja.dll" Floeof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbleodi.dll" Jgbjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eodicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobakc32.dll" Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcaafk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fennoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kilgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbibolf.dll" Mjdcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjilmejf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfjh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkckneq.dll" Mqklqhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpojm32.dll" Nlilqbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegnj32.dll" Bapfhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knfndjdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exeBgibnj32.exeBflbigdb.exeCjjkpe32.exeCcbphk32.exeCfpldf32.exeCpiqmlfm.exeCeeieced.exeCbiiog32.exeChfbgn32.exeCopjdhib.exeCblfdg32.exeDejbqb32.exeDaacecfc.exeDkigoimd.exeDeollamj.exedescription pid process target process PID 2408 wrote to memory of 1028 2408 b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe Bgibnj32.exe PID 2408 wrote to memory of 1028 2408 b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe Bgibnj32.exe PID 2408 wrote to memory of 1028 2408 b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe Bgibnj32.exe PID 2408 wrote to memory of 1028 2408 b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe Bgibnj32.exe PID 1028 wrote to memory of 1984 1028 Bgibnj32.exe Bflbigdb.exe PID 1028 wrote to memory of 1984 1028 Bgibnj32.exe Bflbigdb.exe PID 1028 wrote to memory of 1984 1028 Bgibnj32.exe Bflbigdb.exe PID 1028 wrote to memory of 1984 1028 Bgibnj32.exe Bflbigdb.exe PID 1984 wrote to memory of 2496 1984 Bflbigdb.exe Cjjkpe32.exe PID 1984 wrote to memory of 2496 1984 Bflbigdb.exe Cjjkpe32.exe PID 1984 wrote to memory of 2496 1984 Bflbigdb.exe Cjjkpe32.exe PID 1984 wrote to memory of 2496 1984 Bflbigdb.exe Cjjkpe32.exe PID 2496 wrote to memory of 2940 2496 Cjjkpe32.exe Ccbphk32.exe PID 2496 wrote to memory of 2940 2496 Cjjkpe32.exe Ccbphk32.exe PID 2496 wrote to memory of 2940 2496 Cjjkpe32.exe Ccbphk32.exe PID 2496 wrote to memory of 2940 2496 Cjjkpe32.exe Ccbphk32.exe PID 2940 wrote to memory of 2700 2940 Ccbphk32.exe Cfpldf32.exe PID 2940 wrote to memory of 2700 2940 Ccbphk32.exe Cfpldf32.exe PID 2940 wrote to memory of 2700 2940 Ccbphk32.exe Cfpldf32.exe PID 2940 wrote to memory of 2700 2940 Ccbphk32.exe Cfpldf32.exe PID 2700 wrote to memory of 3020 2700 Cfpldf32.exe Cpiqmlfm.exe PID 2700 wrote to memory of 3020 2700 Cfpldf32.exe Cpiqmlfm.exe PID 2700 wrote to memory of 3020 2700 Cfpldf32.exe Cpiqmlfm.exe PID 2700 wrote to memory of 3020 2700 Cfpldf32.exe Cpiqmlfm.exe PID 3020 wrote to memory of 2864 3020 Cpiqmlfm.exe Ceeieced.exe PID 3020 wrote to memory of 2864 3020 Cpiqmlfm.exe Ceeieced.exe PID 3020 wrote to memory of 2864 3020 Cpiqmlfm.exe Ceeieced.exe PID 3020 wrote to memory of 2864 3020 Cpiqmlfm.exe Ceeieced.exe PID 2864 wrote to memory of 1268 2864 Ceeieced.exe Cbiiog32.exe PID 2864 wrote to memory of 1268 2864 Ceeieced.exe Cbiiog32.exe PID 2864 wrote to memory of 1268 2864 Ceeieced.exe Cbiiog32.exe PID 2864 wrote to memory of 1268 2864 Ceeieced.exe Cbiiog32.exe PID 1268 wrote to memory of 2752 1268 Cbiiog32.exe Chfbgn32.exe PID 1268 wrote to memory of 2752 1268 Cbiiog32.exe Chfbgn32.exe PID 1268 wrote to memory of 2752 1268 Cbiiog32.exe Chfbgn32.exe PID 1268 wrote to memory of 2752 1268 Cbiiog32.exe Chfbgn32.exe PID 2752 wrote to memory of 816 2752 Chfbgn32.exe Copjdhib.exe PID 2752 wrote to memory of 816 2752 Chfbgn32.exe Copjdhib.exe PID 2752 wrote to memory of 816 2752 Chfbgn32.exe Copjdhib.exe PID 2752 wrote to memory of 816 2752 Chfbgn32.exe Copjdhib.exe PID 816 wrote to memory of 3008 816 Copjdhib.exe Cblfdg32.exe PID 816 wrote to memory of 3008 816 Copjdhib.exe Cblfdg32.exe PID 816 wrote to memory of 3008 816 Copjdhib.exe Cblfdg32.exe PID 816 wrote to memory of 3008 816 Copjdhib.exe Cblfdg32.exe PID 3008 wrote to memory of 2868 3008 Cblfdg32.exe Dejbqb32.exe PID 3008 wrote to memory of 2868 3008 Cblfdg32.exe Dejbqb32.exe PID 3008 wrote to memory of 2868 3008 Cblfdg32.exe Dejbqb32.exe PID 3008 wrote to memory of 2868 3008 Cblfdg32.exe Dejbqb32.exe PID 2868 wrote to memory of 1552 2868 Dejbqb32.exe Daacecfc.exe PID 2868 wrote to memory of 1552 2868 Dejbqb32.exe Daacecfc.exe PID 2868 wrote to memory of 1552 2868 Dejbqb32.exe Daacecfc.exe PID 2868 wrote to memory of 1552 2868 Dejbqb32.exe Daacecfc.exe PID 1552 wrote to memory of 2508 1552 Daacecfc.exe Dkigoimd.exe PID 1552 wrote to memory of 2508 1552 Daacecfc.exe Dkigoimd.exe PID 1552 wrote to memory of 2508 1552 Daacecfc.exe Dkigoimd.exe PID 1552 wrote to memory of 2508 1552 Daacecfc.exe Dkigoimd.exe PID 2508 wrote to memory of 2280 2508 Dkigoimd.exe Deollamj.exe PID 2508 wrote to memory of 2280 2508 Dkigoimd.exe Deollamj.exe PID 2508 wrote to memory of 2280 2508 Dkigoimd.exe Deollamj.exe PID 2508 wrote to memory of 2280 2508 Dkigoimd.exe Deollamj.exe PID 2280 wrote to memory of 1520 2280 Deollamj.exe Dhpemm32.exe PID 2280 wrote to memory of 1520 2280 Deollamj.exe Dhpemm32.exe PID 2280 wrote to memory of 1520 2280 Deollamj.exe Dhpemm32.exe PID 2280 wrote to memory of 1520 2280 Deollamj.exe Dhpemm32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe"C:\Users\Admin\AppData\Local\Temp\b4f9648def0c4e1e76057036e3362a38106b8a57359ee6a9afc7e9b2cd6dc8fe.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:496 -
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe33⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe34⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe35⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe36⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe37⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe38⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe39⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe40⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe41⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe42⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe43⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe44⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe45⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe46⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe48⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe49⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe51⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe52⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe53⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe55⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe57⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe58⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe59⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe61⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe62⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe63⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe64⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe65⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe66⤵PID:884
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe67⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe68⤵PID:2000
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe70⤵PID:2928
-
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe71⤵PID:2256
-
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe72⤵PID:1784
-
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe74⤵PID:2916
-
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe75⤵PID:2760
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe76⤵PID:1292
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe77⤵PID:1756
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe78⤵PID:876
-
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe79⤵PID:2076
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe81⤵PID:2164
-
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe82⤵PID:2464
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe83⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe84⤵PID:1240
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe85⤵PID:1740
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe86⤵PID:2832
-
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe87⤵PID:2880
-
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe88⤵PID:2728
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe89⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe90⤵
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe91⤵PID:1296
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe92⤵PID:2568
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe96⤵PID:888
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe97⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe98⤵PID:2944
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe99⤵PID:2748
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe100⤵PID:1648
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe101⤵PID:3036
-
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe102⤵PID:316
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe103⤵PID:2592
-
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe104⤵PID:2476
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe105⤵PID:2068
-
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe106⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe107⤵PID:892
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe108⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe109⤵PID:1592
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe110⤵PID:2816
-
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe111⤵PID:2716
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe112⤵PID:2812
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe113⤵PID:3048
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe114⤵PID:2584
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe115⤵PID:2376
-
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe116⤵PID:1104
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe117⤵PID:1992
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe118⤵PID:568
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe119⤵PID:2600
-
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe120⤵PID:2388
-
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe121⤵PID:2516
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe122⤵PID:1848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-