Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:59
Behavioral task: behavioral1
Sample: b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe
Resource: win10v2004-20241007-en
General
Target: b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe
Size: 121KB
MD5: f0ef16ddf44c0b5756ea7a2bd5e14b0b
SHA1: 0d031ef85a25074104b949ab43b5334e2949d4e4
SHA256: b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641
SHA512: f0a2afcaaddc0ce3990e682fea2ca68bef64fbaacacde4427675d87ee02fa574e946a7202aa9f57ce9eae6b4601b4822b2eb891d74a2fa8c4984d4deb540f2aa
SSDEEP: 3072:hpVaHp5WddEkqeNjM6On3Cw7HcbHPeW/CyU5IO7AJnD5tvv:HYHvoseC3Cw7HmHj45IOarvv
Malware Config
Extracted family: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Mbcmpfhi.exe, Kpadhg32.exe, Accqnc32.exe, Gacbmk32.exe, Ihmgiiff.exe, Knhhaaki.exe, Lqhfhigj.exe, Panaeb32.exe, Lklgbadb.exe, Nplimbka.exe, Dgbeiiqe.exe, Fkpjnkig.exe, Idicbbpi.exe, Pafdjmkq.exe, Kdbpnk32.exe, Gfhnjm32.exe, Biaign32.exe, Gqahqd32.exe, Fmcjhdbc.exe, Jdejhfig.exe, Lmjnak32.exe, Edfbaabj.exe, Gjijqa32.exe, Agljom32.exe, Amcbankf.exe, Cpkmcldj.exe, Lkgngb32.exe, Giahhj32.exe, Jlckbh32.exe, Ogcnkgoh.exe, Abmdafpp.exe, Mfokinhf.exe, Cjmopkla.exe, Ibfaopoi.exe, Plijimee.exe, Mpmcielb.exe, Diaaeepi.exe, Qiioon32.exe, Dkiefp32.exe, Kdjccf32.exe, Dcfpel32.exe, Kopokehd.exe, Nhdocl32.exe, Hnmeen32.exe, Lnlnlc32.exe, Ddliip32.exe, Jepmgj32.exe, Kcopdb32.exe, Niedqnen.exe, Mqklqhpg.exe, Ahpifj32.exe, Gmjcblbb.exe, Mjcoqdoc.exe, Pdihiook.exe, Hdkape32.exe, Hmmphlpp.exe, Pnjfae32.exe, Ajgbkbjp.exe, Dmjqpdje.exe, Eolmip32.exe, Pjcmap32.exe, Qfljkp32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbcmpfhi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpadhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Accqnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gacbmk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihmgiiff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knhhaaki.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqhfhigj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Panaeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lklgbadb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nplimbka.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgbeiiqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fkpjnkig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idicbbpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pafdjmkq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdbpnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gfhnjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biaign32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqahqd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmcjhdbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdejhfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lmjnak32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edfbaabj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkpjnkig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjijqa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agljom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amcbankf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpkmcldj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkgngb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Giahhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlckbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ogcnkgoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abmdafpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mfokinhf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abmdafpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjmopkla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ibfaopoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Plijimee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpmcielb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Diaaeepi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qiioon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkiefp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdjccf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcfpel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kopokehd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhdocl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnmeen32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnlnlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddliip32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jepmgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kcopdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Niedqnen.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqklqhpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ahpifj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmjcblbb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjcoqdoc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdihiook.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdkape32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmmphlpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnjfae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajgbkbjp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmjqpdje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eolmip32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjcmap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qfljkp32.exe
Berbew family
Executes dropped EXE (64 IoCs)
Processes: Biafnecn.exe, Bhdgjb32.exe, Bbikgk32.exe, Blaopqpo.exe, Bjdplm32.exe, Bfkpqn32.exe, Bobhal32.exe, Cfnmfn32.exe, Ckiigmcd.exe, Cklfll32.exe, Clmbddgp.exe, Cphndc32.exe, Cgbfamff.exe, Cpkkjc32.exe, Cegcbjkn.exe, Clalod32.exe, Cophko32.exe, Dobdqo32.exe, Daqamj32.exe, Dkiefp32.exe, Deojci32.exe, Dognlnlf.exe, Daejhjkj.exe, Dgbcpq32.exe, Djqoll32.exe, Dnlkmkpn.exe, Dpjgifpa.exe, Dpmdofno.exe, Egglkp32.exe, Ecnmpa32.exe, Egiiapci.exe, Eodnebpd.exe, Ebcjamoh.exe, Eogjka32.exe, Efqbglen.exe, Edccch32.exe, Emkkdf32.exe, Eknkpbdf.exe, Egdlec32.exe, Fbjpblip.exe, Fidhof32.exe, Fkbdkb32.exe, Fblmglgm.exe, Fqomci32.exe, Fkdaqa32.exe, Fmfnhj32.exe, Fqajihle.exe, Femeig32.exe, Fcpfedki.exe, Fjjnan32.exe, Fmhjni32.exe, Fpffje32.exe, Fgnokb32.exe, Ffqofohj.exe, Fiokbjgn.exe, Fafcdh32.exe, Fcdopc32.exe, Giahhj32.exe, Gmmdiind.exe, Glpdde32.exe, Gbjlaplk.exe, Gfehan32.exe, Gicdnj32.exe, Gpnmjd32.exe
pid | process
2736 | Biafnecn.exe
2916 | Bhdgjb32.exe
2308 | Bbikgk32.exe
2656 | Blaopqpo.exe
1924 | Bjdplm32.exe
1584 | Bfkpqn32.exe
2680 | Bobhal32.exe
1444 | Cfnmfn32.exe
1592 | Ckiigmcd.exe
2684 | Cklfll32.exe
2960 | Clmbddgp.exe
1752 | Cphndc32.exe
1660 | Cgbfamff.exe
2324 | Cpkkjc32.exe
2240 | Cegcbjkn.exe
1912 | Clalod32.exe
908 | Cophko32.exe
1764 | Dobdqo32.exe
1284 | Daqamj32.exe
1360 | Dkiefp32.exe
2264 | Deojci32.exe
1320 | Dognlnlf.exe
2508 | Daejhjkj.exe
1908 | Dgbcpq32.exe
2536 | Djqoll32.exe
316 | Dnlkmkpn.exe
2892 | Dpjgifpa.exe
2172 | Dpmdofno.exe
3060 | Egglkp32.exe
608 | Ecnmpa32.exe
1288 | Egiiapci.exe
2068 | Eodnebpd.exe
836 | Ebcjamoh.exe
2412 | Eogjka32.exe
2936 | Efqbglen.exe
1072 | Edccch32.exe
2568 | Emkkdf32.exe
2208 | Eknkpbdf.exe
2440 | Egdlec32.exe
1496 | Fbjpblip.exe
1684 | Fidhof32.exe
2980 | Fkbdkb32.exe
2016 | Fblmglgm.exe
1980 | Fqomci32.exe
1692 | Fkdaqa32.exe
2336 | Fmfnhj32.exe
1516 | Fqajihle.exe
2552 | Femeig32.exe
2136 | Fcpfedki.exe
2052 | Fjjnan32.exe
2640 | Fmhjni32.exe
536 | Fpffje32.exe
2028 | Fgnokb32.exe
2232 | Ffqofohj.exe
2768 | Fiokbjgn.exe
2948 | Fafcdh32.exe
2060 | Fcdopc32.exe
1076 | Giahhj32.exe
2476 | Gmmdiind.exe
552 | Glpdde32.exe
3020 | Gbjlaplk.exe
684 | Gfehan32.exe
1372 | Gicdnj32.exe
868 | Gpnmjd32.exe
Loads dropped DLL (64 IoCs)
Processes: b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe, Biafnecn.exe, Bhdgjb32.exe, Bbikgk32.exe, Blaopqpo.exe, Bjdplm32.exe, Bfkpqn32.exe, Bobhal32.exe, Cfnmfn32.exe, Ckiigmcd.exe, Cklfll32.exe, Clmbddgp.exe, Cphndc32.exe, Cgbfamff.exe, Cpkkjc32.exe, Cegcbjkn.exe, Clalod32.exe, Cophko32.exe, Dobdqo32.exe, Daqamj32.exe, Dkiefp32.exe, Deojci32.exe, Dognlnlf.exe, Daejhjkj.exe, Dgbcpq32.exe, Djqoll32.exe, Dnlkmkpn.exe, Dpjgifpa.exe, Dpmdofno.exe, Egglkp32.exe, Ecnmpa32.exe, Egiiapci.exe
pid | process
2844 | b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe
2844 | b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe
2736 | Biafnecn.exe
2736 | Biafnecn.exe
2916 | Bhdgjb32.exe
2916 | Bhdgjb32.exe
2308 | Bbikgk32.exe
2308 | Bbikgk32.exe
2656 | Blaopqpo.exe
2656 | Blaopqpo.exe
1924 | Bjdplm32.exe
1924 | Bjdplm32.exe
1584 | Bfkpqn32.exe
1584 | Bfkpqn32.exe
2680 | Bobhal32.exe
2680 | Bobhal32.exe
1444 | Cfnmfn32.exe
1444 | Cfnmfn32.exe
1592 | Ckiigmcd.exe
1592 | Ckiigmcd.exe
2684 | Cklfll32.exe
2684 | Cklfll32.exe
2960 | Clmbddgp.exe
2960 | Clmbddgp.exe
1752 | Cphndc32.exe
1752 | Cphndc32.exe
1660 | Cgbfamff.exe
1660 | Cgbfamff.exe
2324 | Cpkkjc32.exe
2324 | Cpkkjc32.exe
2240 | Cegcbjkn.exe
2240 | Cegcbjkn.exe
1912 | Clalod32.exe
1912 | Clalod32.exe
908 | Cophko32.exe
908 | Cophko32.exe
1764 | Dobdqo32.exe
1764 | Dobdqo32.exe
1284 | Daqamj32.exe
1284 | Daqamj32.exe
1360 | Dkiefp32.exe
1360 | Dkiefp32.exe
2264 | Deojci32.exe
2264 | Deojci32.exe
1320 | Dognlnlf.exe
1320 | Dognlnlf.exe
2508 | Daejhjkj.exe
2508 | Daejhjkj.exe
1908 | Dgbcpq32.exe
1908 | Dgbcpq32.exe
2536 | Djqoll32.exe
2536 | Djqoll32.exe
316 | Dnlkmkpn.exe
316 | Dnlkmkpn.exe
2892 | Dpjgifpa.exe
2892 | Dpjgifpa.exe
2172 | Dpmdofno.exe
2172 | Dpmdofno.exe
3060 | Egglkp32.exe
3060 | Egglkp32.exe
608 | Ecnmpa32.exe
608 | Ecnmpa32.exe
1288 | Egiiapci.exe
1288 | Egiiapci.exe
Drops file in System32 directory (64 IoCs)
Processes: Bjdplm32.exe, Olpgconp.exe, Ibfaopoi.exe, Knkgpi32.exe, Mcqombic.exe, Ohkaco32.exe, Qqdbiopj.exe, Gcahoqhf.exe, Hapklimq.exe, Jlckbh32.exe, Mpmcielb.exe, Goplilpf.exe, Qcogbdkg.exe, Andgop32.exe, Glpdde32.exe, Lgpiij32.exe, Dmgkgeah.exe, Liqoflfh.exe, Ccdmnj32.exe, Dgbeiiqe.exe, Jpigma32.exe, Oidglb32.exe, Dlgnmb32.exe, Mbbfep32.exe, Fhomkcoa.exe, Gifclb32.exe, Qiioon32.exe, Agolnbok.exe, Cfkloq32.exe, Mioabp32.exe, Nidkmojn.exe, Bkjdndjo.exe, Gfehan32.exe, Nmcmgm32.exe, Eaeipfei.exe, Pdgmlhha.exe, Cinafkkd.exe, Dnpciaef.exe, Jnhlbn32.exe, Gkomjo32.exe, Imleli32.exe, Fgigil32.exe, Klbdgb32.exe, Pnbojmmp.exe, Dpapaj32.exe, Ikbifcpb.exe, Kqdhhm32.exe, Iibfajdc.exe, Ajnpecbj.exe, Heakcjcd.exe, Kncofa32.exe, Ancefgfd.exe, Jkpbdq32.exe, Meabakda.exe, Ajeeeblb.exe, Lfkeokjp.exe, Daqamj32.exe, Hnbopmnm.exe, Kohnoc32.exe, Mfglep32.exe, Oaqbln32.exe, Adcdbl32.exe, Doecog32.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Bfkpqn32.exe | Bjdplm32.exe
File created | C:\Windows\SysWOW64\Odgodl32.exe | Olpgconp.exe
File opened for modification | C:\Windows\SysWOW64\Ifampo32.exe | Ibfaopoi.exe
File opened for modification | C:\Windows\SysWOW64\Kpicle32.exe | Knkgpi32.exe
File opened for modification | C:\Windows\SysWOW64\Mfokinhf.exe | Mcqombic.exe
File created | C:\Windows\SysWOW64\Pkjmoj32.exe | Ohkaco32.exe
File opened for modification | C:\Windows\SysWOW64\Accnekon.exe | Qqdbiopj.exe
File opened for modification | C:\Windows\SysWOW64\Hebdfind.exe | Gcahoqhf.exe
File opened for modification | C:\Windows\SysWOW64\Hhjcic32.exe | Hapklimq.exe
File created | C:\Windows\SysWOW64\Jlckbh32.exe | Jlckbh32.exe
File created | C:\Windows\SysWOW64\Pcncbo32.dll | Mpmcielb.exe
File created | C:\Windows\SysWOW64\Hcijqc32.dll | Goplilpf.exe
File created | C:\Windows\SysWOW64\Olpecfkn.dll | Qcogbdkg.exe
File created | C:\Windows\SysWOW64\Adnpkjde.exe | Andgop32.exe
File opened for modification | C:\Windows\SysWOW64\Gbjlaplk.exe | Glpdde32.exe
File created | C:\Windows\SysWOW64\Lpgajgeg.exe | Lgpiij32.exe
File opened for modification | C:\Windows\SysWOW64\Dohgomgf.exe | Dmgkgeah.exe
File created | C:\Windows\SysWOW64\Oiobjk32.dll | Liqoflfh.exe
File created | C:\Windows\SysWOW64\Amponajh.dll | Ccdmnj32.exe
File opened for modification | C:\Windows\SysWOW64\Diaaeepi.exe | Dgbeiiqe.exe
File created | C:\Windows\SysWOW64\Jbhcim32.exe | Jpigma32.exe
File opened for modification | C:\Windows\SysWOW64\Onocmadb.exe | Oidglb32.exe
File created | C:\Windows\SysWOW64\Dpcjnabn.exe | Dlgnmb32.exe
File created | C:\Windows\SysWOW64\Niplmn32.dll | Mbbfep32.exe
File created | C:\Windows\SysWOW64\Fmkilb32.exe | Fhomkcoa.exe
File opened for modification | C:\Windows\SysWOW64\Goplilpf.exe | Gifclb32.exe
File created | C:\Windows\SysWOW64\Qndkpmkm.exe | Qiioon32.exe
File created | C:\Windows\SysWOW64\Nmlfpfpl.dll | Agolnbok.exe
File opened for modification | C:\Windows\SysWOW64\Cenljmgq.exe | Cfkloq32.exe
File created | C:\Windows\SysWOW64\Iggmbm32.dll | Mioabp32.exe
File created | C:\Windows\SysWOW64\Nhgkil32.exe | Nidkmojn.exe
File opened for modification | C:\Windows\SysWOW64\Mchoid32.exe | Mpmcielb.exe
File created | C:\Windows\SysWOW64\Bniajoic.exe | Bkjdndjo.exe
File opened for modification | C:\Windows\SysWOW64\Gicdnj32.exe | Gfehan32.exe
File created | C:\Windows\SysWOW64\Eemjkkbq.dll | Nmcmgm32.exe
File opened for modification | C:\Windows\SysWOW64\Eddeladm.exe | Eaeipfei.exe
File created | C:\Windows\SysWOW64\Pgfjhcge.exe | Pdgmlhha.exe
File created | C:\Windows\SysWOW64\Cgaaah32.exe | Cinafkkd.exe
File created | C:\Windows\SysWOW64\Dmbcen32.exe | Dnpciaef.exe
File created | C:\Windows\SysWOW64\Bikppe32.dll | Jnhlbn32.exe
File opened for modification | C:\Windows\SysWOW64\Gnmifk32.exe | Gkomjo32.exe
File created | C:\Windows\SysWOW64\Ipjahd32.exe | Imleli32.exe
File created | C:\Windows\SysWOW64\Fncpef32.exe | Fgigil32.exe
File created | C:\Windows\SysWOW64\Kkeecogo.exe | Klbdgb32.exe
File created | C:\Windows\SysWOW64\Qppkfhlc.exe | Pnbojmmp.exe
File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe
File created | C:\Windows\SysWOW64\Ofinocal.dll | Ikbifcpb.exe
File created | C:\Windows\SysWOW64\Kgnpeg32.exe | Kqdhhm32.exe
File opened for modification | C:\Windows\SysWOW64\Ilabmedg.exe | Iibfajdc.exe
File created | C:\Windows\SysWOW64\Lnnibe32.dll | Ajnpecbj.exe
File opened for modification | C:\Windows\SysWOW64\Hhpgpebh.exe | Heakcjcd.exe
File opened for modification | C:\Windows\SysWOW64\Kfjggo32.exe | Kncofa32.exe
File opened for modification | C:\Windows\SysWOW64\Aboaff32.exe | Ancefgfd.exe
File opened for modification | C:\Windows\SysWOW64\Jjbbpmgo.exe | Jkpbdq32.exe
File created | C:\Windows\SysWOW64\Clnoge32.dll | Meabakda.exe
File created | C:\Windows\SysWOW64\Amcbankf.exe | Ajeeeblb.exe
File created | C:\Windows\SysWOW64\Lkgngb32.exe | Lfkeokjp.exe
File opened for modification | C:\Windows\SysWOW64\Dkiefp32.exe | Daqamj32.exe
File created | C:\Windows\SysWOW64\Flbkkpfc.dll | Hnbopmnm.exe
File created | C:\Windows\SysWOW64\Kbgjkn32.exe | Kohnoc32.exe
File created | C:\Windows\SysWOW64\Jkofeknc.dll | Mfglep32.exe
File created | C:\Windows\SysWOW64\Afoddn32.dll | Oaqbln32.exe
File created | C:\Windows\SysWOW64\Agbpnh32.exe | Adcdbl32.exe
File created | C:\Windows\SysWOW64\Dacpkc32.exe | Doecog32.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
9320 | 9236 | WerFault.exe | Dpapaj32.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Gjijqa32.exe, Gacbmk32.exe, Pdjjag32.exe, Cgfkmgnj.exe, Cpkmcldj.exe, Fafcdh32.exe, Fgadda32.exe, Liqoflfh.exe, Pphkbj32.exe, Bmhkmm32.exe, Jedcpi32.exe, Kjmnjkjd.exe, Afffenbp.exe, Gneijien.exe, Idiaii32.exe, Bfagpiam.exe, Ijklknbn.exe, Nlfmbibo.exe, Pciddedl.exe, Llbqfe32.exe, Mmicfh32.exe, Aqmamm32.exe, Nameek32.exe, Clalod32.exe, Pnopldgn.exe, Ckolek32.exe, Hanogipc.exe, Npmphinm.exe, Hldlga32.exe, Kdbbgdjj.exe, Pkcbnanl.exe, Pnjfae32.exe, Edlfhc32.exe, Imiigiab.exe, Behilopf.exe, Jnhlbn32.exe, Kkileele.exe, Qinjgbpg.exe, Afgmodel.exe, Gifclb32.exe, Ciohqa32.exe, Epbpbnan.exe, Hihlqeib.exe, Mdiefffn.exe, Bceibfgj.exe, Ohkaco32.exe, Pkjphcff.exe, Bfioia32.exe, Bkmhnjlh.exe, Loefnpnn.exe, Hjcmgp32.exe, Hdkape32.exe, Kgbipf32.exe, Hapklimq.exe, Anlhkbhq.exe, Cophko32.exe, Ldoimh32.exe, Lnhgim32.exe, Ancefgfd.exe, Gfkkpmko.exe, Oijjka32.exe, Gaafhloq.exe, Nocpkf32.exe, Dmgkgeah.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjijqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gacbmk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdjjag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgfkmgnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpkmcldj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fafcdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgadda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liqoflfh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pphkbj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmhkmm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jedcpi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjmnjkjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afffenbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gneijien.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idiaii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfagpiam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijklknbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlfmbibo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pciddedl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llbqfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmicfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqmamm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nameek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clalod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnopldgn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckolek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hanogipc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npmphinm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hldlga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdbbgdjj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkcbnanl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnjfae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edlfhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imiigiab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Behilopf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnhlbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkileele.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qinjgbpg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afgmodel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gifclb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciohqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epbpbnan.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hihlqeib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdiefffn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bceibfgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohkaco32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkjphcff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfioia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkmhnjlh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Loefnpnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjcmgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdkape32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgbipf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hapklimq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anlhkbhq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cophko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldoimh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnhgim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ancefgfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfkkpmko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oijjka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaafhloq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nocpkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmgkgeah.exe
Modifies registry class (64 IoCs)
Processes: Dobgihgp.exe, Lddlkg32.exe, Ompefj32.exe, Qcogbdkg.exe, Akcldl32.exe, Fqglggcp.exe, Oeehln32.exe, Cpkmcldj.exe, Cenljmgq.exe, Kpcqnf32.exe, Mkddnf32.exe, Pcljmdmj.exe, Ffqofohj.exe, Mmdgbp32.exe, Ipokcdjn.exe, Jkkija32.exe, Pdmnam32.exe, Idadnd32.exe, Mnifja32.exe, Odhhgkib.exe, Cbiiog32.exe, Eodnebpd.exe, Gmjcblbb.exe, Nplfdj32.exe, Enkpahon.exe, Mnaiol32.exe, Mmgfqh32.exe, Gmbfggdo.exe, Lcfbdd32.exe, Aciqcifh.exe, Bqlfaj32.exe, Hmmphlpp.exe, Mhgoji32.exe, Amnocpdk.exe, Aapemc32.exe, Hcgjmo32.exe, Ahpifj32.exe, Andgop32.exe, Bmlael32.exe, Bjdplm32.exe, Gpnmjd32.exe, Iphecepe.exe, Ajgbkbjp.exe, Ldpbpgoh.exe, Lcncpfaf.exe, Bidlgdlk.exe, Ejmhkiig.exe, Gifclb32.exe, Jenpajfb.exe, Jajcdjca.exe, Abmgjo32.exe, Bgaebe32.exe, Eoiiijcc.exe, Hemqpf32.exe, Ifgpnmom.exe, Pgckjk32.exe, Fmcjhdbc.exe, Gqnbhf32.exe, Oagoep32.exe, Cbgmigeq.exe, Iflmjihl.exe, Cegoqlof.exe, Hlffdh32.exe, Lkgkoiqc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dobgihgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljoegei.dll" | Lddlkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ompefj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qcogbdkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Akcldl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fqglggcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oeehln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cpkmcldj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll" | Cenljmgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kpcqnf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkddnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" | Pcljmdmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ffqofohj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcpnn32.dll" | Mmdgbp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ipokcdjn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdpkhqmc.dll" | Jkkija32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pdmnam32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idadnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimmkm32.dll" | Mnifja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbhgd32.dll" | Odhhgkib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbiiog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eodnebpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gmjcblbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nplfdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Enkpahon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjfpgi.dll" | Mnaiol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mmgfqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfohbd32.dll" | Gmbfggdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknehn32.dll" | Lcfbdd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aciqcifh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bqlfaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmmphlpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mhgoji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amnocpdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aapemc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hcgjmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ahpifj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Andgop32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bmlael32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjdplm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhqhm32.dll" | Gpnmjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iphecepe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajgbkbjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ldpbpgoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogllpah.dll" | Lcncpfaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bidlgdlk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ejmhkiig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhakqek.dll" | Gifclb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jenpajfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jajcdjca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Abmgjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bgaebe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanlj32.dll" | Eoiiijcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hemqpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifgpnmom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgckjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjab32.dll" | Fmcjhdbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gqnbhf32.exe
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iflmjihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cegoqlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlffdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmgmfld.dll" Lkgkoiqc.exe -
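The rows above record one COM in-process server, CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, being registered over and over by different dropped executables, each pointing the InProcServer32 default value at a different DLL under SysWow64. Explorer loads every CLSID listed under ShellServiceObjectDelayLoad (SSODL) at logon and COM resolves a CLSID to its DLL through that default value, so the two halves together are the persistence. The Python below is an added example, not code from the sandbox report or from the malware: it parses rows in the report's own shape, joins the CLSID to an SSODL entry and reports which DLL ends up loaded. The five InProcServer32 rows in the sample are copied from the report; the SSODL row is constructed in the shape the sandbox uses for its "Adds autorun key to be loaded by Explorer.exe on startup" signature, and its value name is an assumption. The function names and the `hunt_keys` list are this example's own.

```python
"""Resolve the COM persistence recorded in Triage-style registry IoC rows.

Added example; not code from the sandbox report or from the malware.
Each row is one of
  Key created <key> <process>
  Set value (str) <key>\<name> = "<data>" <process>
"""
import re
from collections import defaultdict

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SET_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\]*?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r"^Key created (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$")

# Constructed sample: five rows copied from the report plus one assumed SSODL
# row (value name "Web Event Logger" is this example's guess, attributed to
# Gacbmk32.exe because the report flags that process for the autorun key).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkddnf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpcqnf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" Pcljmdmj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcpnn32.dll" Mmdgbp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmgmfld.dll" Lkgkoiqc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacbmk32.exe
"""


def parse_rows(text):
    """Turn raw rows into dicts; raise on a row that fits neither shape."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            rows.append({"action": "set", "key": m["key"], "name": m["name"],
                         # the sandbox doubles backslashes inside string data
                         "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]})
            continue
        m = KEY_RE.match(line)
        if m:
            rows.append({"action": "create", "key": m["key"], "name": None,
                         "data": None, "proc": m["proc"]})
            continue
        raise ValueError(f"unrecognised IoC row: {line!r}")
    return rows


def resolve_persistence(rows):
    """Map each SSODL value name to its CLSID and the InProcServer32 DLLs written for it."""
    inproc = defaultdict(list)   # clsid -> [(dll, writing process)] in report order
    threading = {}
    ssodl = {}                   # SSODL value name -> clsid
    for r in rows:
        if r["action"] != "set":
            continue
        m = CLSID_RE.search(r["key"])
        if m and r["key"].endswith("\\InProcServer32"):
            clsid = m.group(0).upper()
            if r["name"] == "":              # default value: the DLL COM will load
                inproc[clsid].append((r["data"], r["proc"]))
            elif r["name"] == "ThreadingModel":
                threading[clsid] = r["data"]
        elif r["key"].endswith("\\ShellServiceObjectDelayLoad") and CLSID_RE.fullmatch(r["data"]):
            ssodl[r["name"]] = r["data"].upper()
    result = {}
    for name, clsid in ssodl.items():
        writes = inproc.get(clsid, [])
        result[name] = {
            "clsid": clsid,
            "dlls": [dll for dll, _ in writes],
            "last_dll": writes[-1][0] if writes else None,   # last write wins
            "writers": sorted({proc for _, proc in writes}),
            "threading_model": threading.get(clsid),
        }
    return result


def hunt_keys(clsid):
    """Registry keys to inspect on a live host, in both the 32-bit and native views."""
    return [
        r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
        rf"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{clsid}\InProcServer32",
        rf"HKLM\SOFTWARE\Classes\CLSID\{clsid}\InProcServer32",
    ]


if __name__ == "__main__":
    for name, info in resolve_persistence(parse_rows(SAMPLE_ROWS)).items():
        print(f"{name} -> {info['clsid']} -> {info['last_dll']} (writers: {', '.join(info['writers'])})")
        for key in hunt_keys(info["clsid"]):
            print("  check", key)
```

Because every write targets the same CLSID, only the last InProcServer32 value survives on the box, but each DLL in the list was dropped at some point; when hunting, treat the whole list as indicators rather than only `last_dll`.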
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe Biafnecn.exe Bhdgjb32.exe Bbikgk32.exe Blaopqpo.exe Bjdplm32.exe Bfkpqn32.exe Bobhal32.exe Cfnmfn32.exe Ckiigmcd.exe Cklfll32.exe Clmbddgp.exe Cphndc32.exe Cgbfamff.exe Cpkkjc32.exe Cegcbjkn.exe
description | pid | process | target process
The report logs each of the 16 distinct writes below four times (64 IoCs); every target process becomes the writer of the next row.
PID 2844 wrote to memory of 2736 | 2844 | b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe | Biafnecn.exe
PID 2736 wrote to memory of 2916 | 2736 | Biafnecn.exe | Bhdgjb32.exe
PID 2916 wrote to memory of 2308 | 2916 | Bhdgjb32.exe | Bbikgk32.exe
PID 2308 wrote to memory of 2656 | 2308 | Bbikgk32.exe | Blaopqpo.exe
PID 2656 wrote to memory of 1924 | 2656 | Blaopqpo.exe | Bjdplm32.exe
PID 1924 wrote to memory of 1584 | 1924 | Bjdplm32.exe | Bfkpqn32.exe
PID 1584 wrote to memory of 2680 | 1584 | Bfkpqn32.exe | Bobhal32.exe
PID 2680 wrote to memory of 1444 | 2680 | Bobhal32.exe | Cfnmfn32.exe
PID 1444 wrote to memory of 1592 | 1444 | Cfnmfn32.exe | Ckiigmcd.exe
PID 1592 wrote to memory of 2684 | 1592 | Ckiigmcd.exe | Cklfll32.exe
PID 2684 wrote to memory of 2960 | 2684 | Cklfll32.exe | Clmbddgp.exe
PID 2960 wrote to memory of 1752 | 2960 | Clmbddgp.exe | Cphndc32.exe
PID 1752 wrote to memory of 1660 | 1752 | Cphndc32.exe | Cgbfamff.exe
PID 1660 wrote to memory of 2324 | 1660 | Cgbfamff.exe | Cpkkjc32.exe
PID 2324 wrote to memory of 2240 | 2324 | Cpkkjc32.exe | Cegcbjkn.exe
PID 2240 wrote to memory of 1912 | 2240 | Cegcbjkn.exe | Clalod32.exe
Processes
Each entry below gives [depth] image path (command line), then the signatures that process triggered and its PID. Depth 1 is the submitted sample and every later process is a child of the one listed before it, so the tree as shown is one chain 122 processes deep: each dropped executable starts the next. The command lines name C:\Windows\system32\ while the images sit in C:\Windows\SysWOW64\ because the sample is 32-bit (it writes Wow6432Node keys) and WOW64 file-system redirection maps its system32 references to SysWOW64.
[1] C:\Users\Admin\AppData\Local\Temp\b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b6655590ead2cef13744c510ac2deadaceaf052ce12ed861665a31577b9bf641.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
[2] C:\Windows\SysWOW64\Biafnecn.exe (command line: C:\Windows\system32\Biafnecn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
[3] C:\Windows\SysWOW64\Bhdgjb32.exe (command line: C:\Windows\system32\Bhdgjb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916
[4] C:\Windows\SysWOW64\Bbikgk32.exe (command line: C:\Windows\system32\Bbikgk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308
[5] C:\Windows\SysWOW64\Blaopqpo.exe (command line: C:\Windows\system32\Blaopqpo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656
[6] C:\Windows\SysWOW64\Bjdplm32.exe (command line: C:\Windows\system32\Bjdplm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924
[7] C:\Windows\SysWOW64\Bfkpqn32.exe (command line: C:\Windows\system32\Bfkpqn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584
[8] C:\Windows\SysWOW64\Bobhal32.exe (command line: C:\Windows\system32\Bobhal32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680
[9] C:\Windows\SysWOW64\Cfnmfn32.exe (command line: C:\Windows\system32\Cfnmfn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
[10] C:\Windows\SysWOW64\Ckiigmcd.exe (command line: C:\Windows\system32\Ckiigmcd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592
[11] C:\Windows\SysWOW64\Cklfll32.exe (command line: C:\Windows\system32\Cklfll32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684
[12] C:\Windows\SysWOW64\Clmbddgp.exe (command line: C:\Windows\system32\Clmbddgp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
[13] C:\Windows\SysWOW64\Cphndc32.exe (command line: C:\Windows\system32\Cphndc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
[14] C:\Windows\SysWOW64\Cgbfamff.exe (command line: C:\Windows\system32\Cgbfamff.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660
[15] C:\Windows\SysWOW64\Cpkkjc32.exe (command line: C:\Windows\system32\Cpkkjc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324
[16] C:\Windows\SysWOW64\Cegcbjkn.exe (command line: C:\Windows\system32\Cegcbjkn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
[17] C:\Windows\SysWOW64\Clalod32.exe (command line: C:\Windows\system32\Clalod32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1912
[18] C:\Windows\SysWOW64\Cophko32.exe (command line: C:\Windows\system32\Cophko32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:908
[19] C:\Windows\SysWOW64\Dobdqo32.exe (command line: C:\Windows\system32\Dobdqo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1764
[20] C:\Windows\SysWOW64\Daqamj32.exe (command line: C:\Windows\system32\Daqamj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1284
[21] C:\Windows\SysWOW64\Dkiefp32.exe (command line: C:\Windows\system32\Dkiefp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1360
[22] C:\Windows\SysWOW64\Deojci32.exe (command line: C:\Windows\system32\Deojci32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2264
[23] C:\Windows\SysWOW64\Dognlnlf.exe (command line: C:\Windows\system32\Dognlnlf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1320
[24] C:\Windows\SysWOW64\Daejhjkj.exe (command line: C:\Windows\system32\Daejhjkj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2508
[25] C:\Windows\SysWOW64\Dgbcpq32.exe (command line: C:\Windows\system32\Dgbcpq32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1908
[26] C:\Windows\SysWOW64\Djqoll32.exe (command line: C:\Windows\system32\Djqoll32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2536
[27] C:\Windows\SysWOW64\Dnlkmkpn.exe (command line: C:\Windows\system32\Dnlkmkpn.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:316
[28] C:\Windows\SysWOW64\Dpjgifpa.exe (command line: C:\Windows\system32\Dpjgifpa.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2892
[29] C:\Windows\SysWOW64\Dpmdofno.exe (command line: C:\Windows\system32\Dpmdofno.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2172
[30] C:\Windows\SysWOW64\Egglkp32.exe (command line: C:\Windows\system32\Egglkp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:3060
[31] C:\Windows\SysWOW64\Ecnmpa32.exe (command line: C:\Windows\system32\Ecnmpa32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:608
[32] C:\Windows\SysWOW64\Egiiapci.exe (command line: C:\Windows\system32\Egiiapci.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1288
[33] C:\Windows\SysWOW64\Eodnebpd.exe (command line: C:\Windows\system32\Eodnebpd.exe)
- Executes dropped EXE
- Modifies registry class
PID:2068
[34] C:\Windows\SysWOW64\Ebcjamoh.exe (command line: C:\Windows\system32\Ebcjamoh.exe)
- Executes dropped EXE
PID:836
[35] C:\Windows\SysWOW64\Eogjka32.exe (command line: C:\Windows\system32\Eogjka32.exe)
- Executes dropped EXE
PID:2412
[36] C:\Windows\SysWOW64\Efqbglen.exe (command line: C:\Windows\system32\Efqbglen.exe)
- Executes dropped EXE
PID:2936
[37] C:\Windows\SysWOW64\Edccch32.exe (command line: C:\Windows\system32\Edccch32.exe)
- Executes dropped EXE
PID:1072
[38] C:\Windows\SysWOW64\Emkkdf32.exe (command line: C:\Windows\system32\Emkkdf32.exe)
- Executes dropped EXE
PID:2568
[39] C:\Windows\SysWOW64\Eknkpbdf.exe (command line: C:\Windows\system32\Eknkpbdf.exe)
- Executes dropped EXE
PID:2208
[40] C:\Windows\SysWOW64\Egdlec32.exe (command line: C:\Windows\system32\Egdlec32.exe)
- Executes dropped EXE
PID:2440
[41] C:\Windows\SysWOW64\Fbjpblip.exe (command line: C:\Windows\system32\Fbjpblip.exe)
- Executes dropped EXE
PID:1496
[42] C:\Windows\SysWOW64\Fidhof32.exe (command line: C:\Windows\system32\Fidhof32.exe)
- Executes dropped EXE
PID:1684
[43] C:\Windows\SysWOW64\Fkbdkb32.exe (command line: C:\Windows\system32\Fkbdkb32.exe)
- Executes dropped EXE
PID:2980
[44] C:\Windows\SysWOW64\Fblmglgm.exe (command line: C:\Windows\system32\Fblmglgm.exe)
- Executes dropped EXE
PID:2016
[45] C:\Windows\SysWOW64\Fqomci32.exe (command line: C:\Windows\system32\Fqomci32.exe)
- Executes dropped EXE
PID:1980
[46] C:\Windows\SysWOW64\Fkdaqa32.exe (command line: C:\Windows\system32\Fkdaqa32.exe)
- Executes dropped EXE
PID:1692
[47] C:\Windows\SysWOW64\Fmfnhj32.exe (command line: C:\Windows\system32\Fmfnhj32.exe)
- Executes dropped EXE
PID:2336
[48] C:\Windows\SysWOW64\Fqajihle.exe (command line: C:\Windows\system32\Fqajihle.exe)
- Executes dropped EXE
PID:1516
[49] C:\Windows\SysWOW64\Femeig32.exe (command line: C:\Windows\system32\Femeig32.exe)
- Executes dropped EXE
PID:2552
[50] C:\Windows\SysWOW64\Fcpfedki.exe (command line: C:\Windows\system32\Fcpfedki.exe)
- Executes dropped EXE
PID:2136
[51] C:\Windows\SysWOW64\Fjjnan32.exe (command line: C:\Windows\system32\Fjjnan32.exe)
- Executes dropped EXE
PID:2052
[52] C:\Windows\SysWOW64\Fmhjni32.exe (command line: C:\Windows\system32\Fmhjni32.exe)
- Executes dropped EXE
PID:2640
[53] C:\Windows\SysWOW64\Fpffje32.exe (command line: C:\Windows\system32\Fpffje32.exe)
- Executes dropped EXE
PID:536
[54] C:\Windows\SysWOW64\Fgnokb32.exe (command line: C:\Windows\system32\Fgnokb32.exe)
- Executes dropped EXE
PID:2028
[55] C:\Windows\SysWOW64\Ffqofohj.exe (command line: C:\Windows\system32\Ffqofohj.exe)
- Executes dropped EXE
- Modifies registry class
PID:2232
[56] C:\Windows\SysWOW64\Fiokbjgn.exe (command line: C:\Windows\system32\Fiokbjgn.exe)
- Executes dropped EXE
PID:2768
[57] C:\Windows\SysWOW64\Fafcdh32.exe (command line: C:\Windows\system32\Fafcdh32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948
[58] C:\Windows\SysWOW64\Fcdopc32.exe (command line: C:\Windows\system32\Fcdopc32.exe)
- Executes dropped EXE
PID:2060
[59] C:\Windows\SysWOW64\Giahhj32.exe (command line: C:\Windows\system32\Giahhj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1076
[60] C:\Windows\SysWOW64\Gmmdiind.exe (command line: C:\Windows\system32\Gmmdiind.exe)
- Executes dropped EXE
PID:2476
[61] C:\Windows\SysWOW64\Glpdde32.exe (command line: C:\Windows\system32\Glpdde32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:552
[62] C:\Windows\SysWOW64\Gbjlaplk.exe (command line: C:\Windows\system32\Gbjlaplk.exe)
- Executes dropped EXE
PID:3020
[63] C:\Windows\SysWOW64\Gfehan32.exe (command line: C:\Windows\system32\Gfehan32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:684
[64] C:\Windows\SysWOW64\Gicdnj32.exe (command line: C:\Windows\system32\Gicdnj32.exe)
- Executes dropped EXE
PID:1372
[65] C:\Windows\SysWOW64\Gpnmjd32.exe (command line: C:\Windows\system32\Gpnmjd32.exe)
- Executes dropped EXE
- Modifies registry class
PID:868
[66] C:\Windows\SysWOW64\Gblifo32.exe (command line: C:\Windows\system32\Gblifo32.exe)
PID:952
[67] C:\Windows\SysWOW64\Gejebk32.exe (command line: C:\Windows\system32\Gejebk32.exe)
PID:896
[68] C:\Windows\SysWOW64\Gldmoepi.exe (command line: C:\Windows\system32\Gldmoepi.exe)
PID:2368
[69] C:\Windows\SysWOW64\Gnbjlpom.exe (command line: C:\Windows\system32\Gnbjlpom.exe)
PID:2076
[70] C:\Windows\SysWOW64\Gaafhloq.exe (command line: C:\Windows\system32\Gaafhloq.exe)
- System Location Discovery: System Language Discovery
PID:2176
[71] C:\Windows\SysWOW64\Gihniioc.exe (command line: C:\Windows\system32\Gihniioc.exe)
PID:2964
[72] C:\Windows\SysWOW64\Glgjednf.exe (command line: C:\Windows\system32\Glgjednf.exe)
PID:2776
[73] C:\Windows\SysWOW64\Gjijqa32.exe (command line: C:\Windows\system32\Gjijqa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2796
[74] C:\Windows\SysWOW64\Gacbmk32.exe (command line: C:\Windows\system32\Gacbmk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2064
[75] C:\Windows\SysWOW64\Geoonjeg.exe (command line: C:\Windows\system32\Geoonjeg.exe)
PID:2180
[76] C:\Windows\SysWOW64\Gligjd32.exe (command line: C:\Windows\system32\Gligjd32.exe)
PID:2328
[77] C:\Windows\SysWOW64\Gmjcblbb.exe (command line: C:\Windows\system32\Gmjcblbb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2432
[78] C:\Windows\SysWOW64\Heakcjcd.exe (command line: C:\Windows\system32\Heakcjcd.exe)
- Drops file in System32 directory
PID:1600
[79] C:\Windows\SysWOW64\Hhpgpebh.exe (command line: C:\Windows\system32\Hhpgpebh.exe)
PID:2080
[80] C:\Windows\SysWOW64\Hjndlqal.exe (command line: C:\Windows\system32\Hjndlqal.exe)
PID:2032
[81] C:\Windows\SysWOW64\Hmmphlpp.exe (command line: C:\Windows\system32\Hmmphlpp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2260
[82] C:\Windows\SysWOW64\Hpkldg32.exe (command line: C:\Windows\system32\Hpkldg32.exe)
PID:2092
[83] C:\Windows\SysWOW64\Hhbdee32.exe (command line: C:\Windows\system32\Hhbdee32.exe)
PID:2664
[84] C:\Windows\SysWOW64\Hjqqap32.exe (command line: C:\Windows\system32\Hjqqap32.exe)
PID:2548
[85] C:\Windows\SysWOW64\Hmomml32.exe (command line: C:\Windows\system32\Hmomml32.exe)
PID:2604
[86] C:\Windows\SysWOW64\Hpmiig32.exe (command line: C:\Windows\system32\Hpmiig32.exe)
PID:1716
[87] C:\Windows\SysWOW64\Hbleeb32.exe (command line: C:\Windows\system32\Hbleeb32.exe)
PID:1904
[88] C:\Windows\SysWOW64\Hjcmgp32.exe (command line: C:\Windows\system32\Hjcmgp32.exe)
- System Location Discovery: System Language Discovery
PID:2332
[89] C:\Windows\SysWOW64\Hmaick32.exe (command line: C:\Windows\system32\Hmaick32.exe)
PID:296
[90] C:\Windows\SysWOW64\Hdkape32.exe (command line: C:\Windows\system32\Hdkape32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2564
[91] C:\Windows\SysWOW64\Hfjnla32.exe (command line: C:\Windows\system32\Hfjnla32.exe)
PID:804
[92] C:\Windows\SysWOW64\Hlffdh32.exe (command line: C:\Windows\system32\Hlffdh32.exe)
- Modifies registry class
PID:300
[93] C:\Windows\SysWOW64\Hoebpc32.exe (command line: C:\Windows\system32\Hoebpc32.exe)
PID:1292
[94] C:\Windows\SysWOW64\Ihmgiiff.exe (command line: C:\Windows\system32\Ihmgiiff.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668
[95] C:\Windows\SysWOW64\Ipdojfgh.exe (command line: C:\Windows\system32\Ipdojfgh.exe)
PID:2400
[96] C:\Windows\SysWOW64\Ieagbm32.exe (command line: C:\Windows\system32\Ieagbm32.exe)
PID:2388
[97] C:\Windows\SysWOW64\Ihpdoh32.exe (command line: C:\Windows\system32\Ihpdoh32.exe)
PID:2616
[98] C:\Windows\SysWOW64\Ioilkblq.exe (command line: C:\Windows\system32\Ioilkblq.exe)
PID:1832
[99] C:\Windows\SysWOW64\Iahhgnkd.exe (command line: C:\Windows\system32\Iahhgnkd.exe)
PID:2140
[100] C:\Windows\SysWOW64\Ilnmdgkj.exe (command line: C:\Windows\system32\Ilnmdgkj.exe)
PID:2940
[101] C:\Windows\SysWOW64\Ikpmpc32.exe (command line: C:\Windows\system32\Ikpmpc32.exe)
PID:1768
[102] C:\Windows\SysWOW64\Iajemnia.exe (command line: C:\Windows\system32\Iajemnia.exe)
PID:1932
[103] C:\Windows\SysWOW64\Idiaii32.exe (command line: C:\Windows\system32\Idiaii32.exe)
- System Location Discovery: System Language Discovery
PID:2456
[104] C:\Windows\SysWOW64\Ikbifcpb.exe (command line: C:\Windows\system32\Ikbifcpb.exe)
- Drops file in System32 directory
PID:1976
[105] C:\Windows\SysWOW64\Ionefb32.exe (command line: C:\Windows\system32\Ionefb32.exe)
PID:2108
[106] C:\Windows\SysWOW64\Iamabm32.exe (command line: C:\Windows\system32\Iamabm32.exe)
PID:2104
[107] C:\Windows\SysWOW64\Idknoi32.exe (command line: C:\Windows\system32\Idknoi32.exe)
PID:1736
[108] C:\Windows\SysWOW64\Ikefkcmo.exe (command line: C:\Windows\system32\Ikefkcmo.exe)
PID:2720
[109] C:\Windows\SysWOW64\Idmkdh32.exe (command line: C:\Windows\system32\Idmkdh32.exe)
PID:1308
[110] C:\Windows\SysWOW64\Jcpkpe32.exe (command line: C:\Windows\system32\Jcpkpe32.exe)
PID:580
[111] C:\Windows\SysWOW64\Jglgpdcc.exe (command line: C:\Windows\system32\Jglgpdcc.exe)
PID:1512
[112] C:\Windows\SysWOW64\Jjjclobg.exe (command line: C:\Windows\system32\Jjjclobg.exe)
PID:1604
[113] C:\Windows\SysWOW64\Jpdkii32.exe (command line: C:\Windows\system32\Jpdkii32.exe)
PID:2252
[114] C:\Windows\SysWOW64\Jcbhee32.exe (command line: C:\Windows\system32\Jcbhee32.exe)
PID:624
[115] C:\Windows\SysWOW64\Jgncfcaa.exe (command line: C:\Windows\system32\Jgncfcaa.exe)
PID:1508
[116] C:\Windows\SysWOW64\Jnhlbn32.exe (command line: C:\Windows\system32\Jnhlbn32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1520
[117] C:\Windows\SysWOW64\Joihjfnl.exe (command line: C:\Windows\system32\Joihjfnl.exe)
PID:2228
[118] C:\Windows\SysWOW64\Jfcqgpfi.exe (command line: C:\Windows\system32\Jfcqgpfi.exe)
PID:1972
[119] C:\Windows\SysWOW64\Jhamckel.exe (command line: C:\Windows\system32\Jhamckel.exe)
PID:568
[120] C:\Windows\SysWOW64\Jpiedieo.exe (command line: C:\Windows\system32\Jpiedieo.exe)
PID:2460
[121] C:\Windows\SysWOW64\Jolepe32.exe (command line: C:\Windows\system32\Jolepe32.exe)
PID:2928
[122] C:\Windows\SysWOW64\Jfemlpdf.exe (command line: C:\Windows\system32\Jfemlpdf.exe)
PID:2448