Analysis
-
max time kernel
85s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 02:03
Static task
static1
Behavioral task
behavioral1
Sample
ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe
Resource
win10v2004-20241007-en
General
-
Target
ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe
-
Size
92KB
-
MD5
70aea04dd05264017eec712f71e6e7c0
-
SHA1
3024dde78a09979763055861439f7f097c205fa6
-
SHA256
ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3
-
SHA512
776e6c1b4aad2b2563c94022c36bd1225c48da1ec4296f625324dbcee699e2c0c843c4cc2639233cbe39689df9b0ffbe1e9150ae770dfb4d190e8700c22e91cd
-
SSDEEP
1536:JFij5wQs6ZmplBgFPu0jU6AcRQAHRJJ5R2xOSC4Bus3cO57OWxXPu4s:JF+5JlZmW1uAUKeUrJ5wxO34d9puX
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jdcpkp32.exeMhninb32.exeImlhebfc.exeMmccqbpm.exeDnqlmq32.exeDgknkf32.exeEkkjheja.exeMpnkopeh.exeDemaoj32.exeEfedga32.exeFaonom32.exeHjfnnajl.exeMgmmfjip.exeGncgbkki.exeDeondj32.exeAgbbgqhh.exeBjedmo32.exeFolhgbid.exeNqokpd32.exeJbfilffm.exeNkobpmlo.exeCdqkifmb.exeGnphdceh.exeAdipfd32.exeKlmbjh32.exeCgoelh32.exeNflchkii.exeOlpbaa32.exeHgciff32.exeIgebkiof.exePepfnd32.exeMhflcm32.exeDblhmoio.exeDgfmep32.exeEhmpeb32.exeJbnlaqhi.exeCjonncab.exeEihjolae.exeDjgfgkbo.exeIqhfnifq.exeLaodmoep.exeBjpaop32.exeNmflee32.exeOfnpnkgf.exeMfmqmgbm.exeGgbieb32.exeLpfnckhe.exeKmegjdad.exeGefmcp32.exeHkjkle32.exeClefdcog.exeHjcaha32.exeFleifl32.exeFofbhgde.exeJacfidem.exeFkefbcmf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdcpkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhninb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imlhebfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmccqbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgknkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkjheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpnkopeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjfnnajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmmfjip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncgbkki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbfilffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkobpmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdqkifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnphdceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adipfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmbjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgoelh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olpbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgciff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igebkiof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmpeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnlaqhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eihjolae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgfgkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqhfnifq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laodmoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfmqmgbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggbieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpfnckhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gefmcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clefdcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fleifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jacfidem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Adlcfjgh.exeAkfkbd32.exeAndgop32.exeBnfddp32.exeBdqlajbb.exeBkjdndjo.exeBdcifi32.exeBjpaop32.exeBoljgg32.exeBieopm32.exeBcjcme32.exeBmbgfkje.exeCbppnbhm.exeCmedlk32.exeCfmhdpnc.exeCgoelh32.exeCinafkkd.exeCjonncab.exeClojhf32.exeCnmfdb32.exeCgfkmgnj.exeDjdgic32.exeDfkhndca.exeDiidjpbe.exeDfmeccao.exeDilapopb.exeDmgmpnhl.exeDinneo32.exeDphfbiem.exeDbfbnddq.exeDhckfkbh.exeDomccejd.exeDbiocd32.exeEegkpo32.exeEheglk32.exeElacliin.exeEbklic32.exeEanldqgf.exeEdlhqlfi.exeElcpbigl.exeEoblnd32.exeEmdmjamj.exeEaphjp32.exeEdoefl32.exeEgmabg32.exeEodicd32.exeEabepp32.exeEdaalk32.exeEgonhf32.exeEkkjheja.exeEmifeqid.exeEaebeoan.exeEdcnakpa.exeEgajnfoe.exeEipgjaoi.exeFmlbjq32.exeFpjofl32.exeFchkbg32.exeFeggob32.exeFibcoalf.exeFplllkdc.exeFoolgh32.exeFgfdie32.exeFeiddbbj.exepid process 1288 Adlcfjgh.exe 1976 Akfkbd32.exe 2768 Andgop32.exe 2372 Bnfddp32.exe 2592 Bdqlajbb.exe 2604 Bkjdndjo.exe 2968 Bdcifi32.exe 1604 Bjpaop32.exe 2544 Boljgg32.exe 2036 Bieopm32.exe 332 Bcjcme32.exe 2644 Bmbgfkje.exe 1388 Cbppnbhm.exe 1280 Cmedlk32.exe 2536 Cfmhdpnc.exe 1600 Cgoelh32.exe 1716 Cinafkkd.exe 2516 Cjonncab.exe 2936 Clojhf32.exe 1664 Cnmfdb32.exe 2960 Cgfkmgnj.exe 1588 Djdgic32.exe 2504 Dfkhndca.exe 2788 Diidjpbe.exe 2660 Dfmeccao.exe 2360 Dilapopb.exe 2724 Dmgmpnhl.exe 2628 Dinneo32.exe 1624 Dphfbiem.exe 1544 Dbfbnddq.exe 2316 Dhckfkbh.exe 1072 Domccejd.exe 1064 Dbiocd32.exe 1128 Eegkpo32.exe 628 Eheglk32.exe 2212 Elacliin.exe 2128 Ebklic32.exe 448 Eanldqgf.exe 2428 Edlhqlfi.exe 1040 Elcpbigl.exe 544 Eoblnd32.exe 3004 Emdmjamj.exe 996 Eaphjp32.exe 2472 Edoefl32.exe 1584 Egmabg32.exe 2492 Eodicd32.exe 2844 Eabepp32.exe 2780 Edaalk32.exe 2748 Egonhf32.exe 1632 Ekkjheja.exe 2260 Emifeqid.exe 1092 Eaebeoan.exe 2616 Edcnakpa.exe 2020 Egajnfoe.exe 1056 Eipgjaoi.exe 1652 Fmlbjq32.exe 2836 Fpjofl32.exe 2144 Fchkbg32.exe 2220 Feggob32.exe 948 Fibcoalf.exe 1324 Fplllkdc.exe 876 Foolgh32.exe 836 Fgfdie32.exe 3000 Feiddbbj.exe -
Loads dropped DLL 64 IoCs
Processes:
ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exeAdlcfjgh.exeAkfkbd32.exeAndgop32.exeBnfddp32.exeBdqlajbb.exeBkjdndjo.exeBdcifi32.exeBjpaop32.exeBoljgg32.exeBieopm32.exeBcjcme32.exeBmbgfkje.exeCbppnbhm.exeCmedlk32.exeCfmhdpnc.exeCgoelh32.exeCinafkkd.exeCjonncab.exeClojhf32.exeCnmfdb32.exeCgfkmgnj.exeDjdgic32.exeDfkhndca.exeDiidjpbe.exeDfmeccao.exeDilapopb.exeDmgmpnhl.exeDinneo32.exeDphfbiem.exeDbfbnddq.exeDhckfkbh.exepid process 2280 ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe 2280 ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe 1288 Adlcfjgh.exe 1288 Adlcfjgh.exe 1976 Akfkbd32.exe 1976 Akfkbd32.exe 2768 Andgop32.exe 2768 Andgop32.exe 2372 Bnfddp32.exe 2372 Bnfddp32.exe 2592 Bdqlajbb.exe 2592 Bdqlajbb.exe 2604 Bkjdndjo.exe 2604 Bkjdndjo.exe 2968 Bdcifi32.exe 2968 Bdcifi32.exe 1604 Bjpaop32.exe 1604 Bjpaop32.exe 2544 Boljgg32.exe 2544 Boljgg32.exe 2036 Bieopm32.exe 2036 Bieopm32.exe 332 Bcjcme32.exe 332 Bcjcme32.exe 2644 Bmbgfkje.exe 2644 Bmbgfkje.exe 1388 Cbppnbhm.exe 1388 Cbppnbhm.exe 1280 Cmedlk32.exe 1280 Cmedlk32.exe 2536 Cfmhdpnc.exe 2536 Cfmhdpnc.exe 1600 Cgoelh32.exe 1600 Cgoelh32.exe 1716 Cinafkkd.exe 1716 Cinafkkd.exe 2516 Cjonncab.exe 2516 Cjonncab.exe 2936 Clojhf32.exe 2936 Clojhf32.exe 1664 Cnmfdb32.exe 1664 Cnmfdb32.exe 2960 Cgfkmgnj.exe 2960 Cgfkmgnj.exe 1588 Djdgic32.exe 1588 Djdgic32.exe 2504 Dfkhndca.exe 2504 Dfkhndca.exe 2788 Diidjpbe.exe 2788 Diidjpbe.exe 2660 Dfmeccao.exe 2660 Dfmeccao.exe 2360 Dilapopb.exe 2360 Dilapopb.exe 2724 Dmgmpnhl.exe 2724 Dmgmpnhl.exe 2628 Dinneo32.exe 2628 Dinneo32.exe 1624 Dphfbiem.exe 1624 Dphfbiem.exe 1544 Dbfbnddq.exe 1544 Dbfbnddq.exe 2316 Dhckfkbh.exe 2316 Dhckfkbh.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jjnjqb32.exeColpld32.exeOfilgh32.exeAfmbak32.exeGenlgnhd.exeMcfemmna.exeAddfkeid.exeJlqjkk32.exeChocodch.exeBkkgfm32.exeEdcqjc32.exeFhhbif32.exeHiqoeplo.exeBkpglbaj.exeGoqnae32.exeNomkfk32.exeBkjdndjo.exeKpdcfoph.exeGckdgjeb.exePnfnajed.exeEheglk32.exeCoicfd32.exeDjicmk32.exeAlageg32.exeFooembgb.exeBdckobhd.exeJfdhmk32.exeDjdgic32.exeInbnhihl.exeAgglbp32.exeIbfmmb32.exeEinlmkhp.exeHjlemlnk.exeAhchdb32.exeKmqmod32.exeQkielpdf.exeKadica32.exePhaoppja.exeImmjnj32.exeLalhgogb.exeCfmhdpnc.exeGcgqgd32.exeHmdkjmip.exeIqapnjli.exeKajiigba.exeLdbaopdj.exeMgcjpkak.exeEaednh32.exeAfpogk32.exeBkhjamcf.exeCbpbgk32.exeKlfmijae.exeAiaoclgl.exeBqolji32.exePmnghfhi.exedescription ioc process File created C:\Windows\SysWOW64\Eciljg32.dll Jjnjqb32.exe File created C:\Windows\SysWOW64\Cbjlhpkb.exe Colpld32.exe File created C:\Windows\SysWOW64\Oddphp32.exe File created C:\Windows\SysWOW64\Oighcd32.exe Ofilgh32.exe File opened for modification C:\Windows\SysWOW64\Aepbmhpl.exe Afmbak32.exe File created C:\Windows\SysWOW64\Obckefai.dll File created C:\Windows\SysWOW64\Hhmhcigh.exe Genlgnhd.exe File opened for modification C:\Windows\SysWOW64\Mgbaml32.exe Mcfemmna.exe File created C:\Windows\SysWOW64\Flfifa32.dll Addfkeid.exe File created C:\Windows\SysWOW64\Ibodnd32.dll Jlqjkk32.exe File created C:\Windows\SysWOW64\Ejgicl32.dll Chocodch.exe File opened for modification C:\Windows\SysWOW64\Bjngbihn.exe Bkkgfm32.exe File created C:\Windows\SysWOW64\Ffbmfo32.exe Edcqjc32.exe File created C:\Windows\SysWOW64\Fpokjd32.exe Fhhbif32.exe File opened for modification C:\Windows\SysWOW64\Hmlkfo32.exe Hiqoeplo.exe File created C:\Windows\SysWOW64\Lqhkjacc.dll Bkpglbaj.exe File opened for modification C:\Windows\SysWOW64\Gncnmane.exe Goqnae32.exe File created C:\Windows\SysWOW64\Medefa32.dll Nomkfk32.exe File created C:\Windows\SysWOW64\Oaoplfhc.dll Bkjdndjo.exe File created C:\Windows\SysWOW64\Chmihd32.dll Kpdcfoph.exe File created C:\Windows\SysWOW64\Gkalhgfd.exe Gckdgjeb.exe File created C:\Windows\SysWOW64\Jplfkjbd.exe Jlqjkk32.exe File created C:\Windows\SysWOW64\Jfckkecc.dll Pnfnajed.exe File created C:\Windows\SysWOW64\Emdhhdqb.exe File opened for modification C:\Windows\SysWOW64\Elacliin.exe Eheglk32.exe File opened for modification C:\Windows\SysWOW64\Cceogcfj.exe Coicfd32.exe File created C:\Windows\SysWOW64\Dmgoif32.exe Djicmk32.exe File opened for modification C:\Windows\SysWOW64\Adipfd32.exe Alageg32.exe File opened for modification C:\Windows\SysWOW64\Fmaeho32.exe Fooembgb.exe File created C:\Windows\SysWOW64\Epokjceb.dll Bdckobhd.exe File created C:\Windows\SysWOW64\Amhcad32.exe File created C:\Windows\SysWOW64\Jokqnhpa.exe Jfdhmk32.exe File created C:\Windows\SysWOW64\Bpajjg32.dll File opened for modification C:\Windows\SysWOW64\Dfkhndca.exe Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Djafaf32.exe File created C:\Windows\SysWOW64\Jfieigio.exe Inbnhihl.exe File opened for modification C:\Windows\SysWOW64\Ajehnk32.exe Agglbp32.exe File opened for modification C:\Windows\SysWOW64\Iediin32.exe Ibfmmb32.exe File created C:\Windows\SysWOW64\Mchdpibh.dll Einlmkhp.exe File created C:\Windows\SysWOW64\Dblknlpo.dll Hjlemlnk.exe File created C:\Windows\SysWOW64\Kcacil32.dll File created C:\Windows\SysWOW64\Cenbegcl.dll Ahchdb32.exe File created C:\Windows\SysWOW64\Okobem32.dll File created C:\Windows\SysWOW64\Kpojkp32.exe Kmqmod32.exe File created C:\Windows\SysWOW64\Qmhahkdj.exe Qkielpdf.exe File created C:\Windows\SysWOW64\Jbdhhp32.dll Kadica32.exe File created C:\Windows\SysWOW64\Pnkglj32.exe Phaoppja.exe File created C:\Windows\SysWOW64\Iqhfnifq.exe Immjnj32.exe File created C:\Windows\SysWOW64\Elhnce32.dll Lalhgogb.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cfmhdpnc.exe File opened for modification C:\Windows\SysWOW64\Gefmcp32.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Iocgfhhc.exe Hmdkjmip.exe File created C:\Windows\SysWOW64\Eoeffhea.dll Iqapnjli.exe File created C:\Windows\SysWOW64\Cmpppdfa.dll Kajiigba.exe File created C:\Windows\SysWOW64\Eaobak32.dll Ldbaopdj.exe File created C:\Windows\SysWOW64\Mkofaj32.exe Mgcjpkak.exe File created C:\Windows\SysWOW64\Pdnpjc32.dll Eaednh32.exe File opened for modification C:\Windows\SysWOW64\Ainkcf32.exe Afpogk32.exe File created C:\Windows\SysWOW64\Bngfmhbj.exe Bkhjamcf.exe File created C:\Windows\SysWOW64\Nldpgbhe.dll Cbpbgk32.exe File opened for modification C:\Windows\SysWOW64\Kpbhjh32.exe Klfmijae.exe File opened for modification C:\Windows\SysWOW64\Aahfdihn.exe Aiaoclgl.exe File created C:\Windows\SysWOW64\Bdkhjgeh.exe Bqolji32.exe File created C:\Windows\SysWOW64\Heldbm32.dll Pmnghfhi.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 10952 1064 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kfggkc32.exeDinneo32.exeJbbccgmp.exeGekfnoog.exeMnmbme32.exeEaednh32.exeFmnahilc.exeEannmi32.exeGpmjcg32.exeGoiongbc.exeGoldfelp.exeHmbndmkb.exeIcncgf32.exeJimdcqom.exeLohelidp.exeHdefnjkj.exeHgiked32.exeAiaoclgl.exeFigmjq32.exeMbqkiind.exeNqpdcc32.exeImmjnj32.exeFennoa32.exeGodaakic.exeHcdgmimg.exeDlgjldnm.exeGojhafnb.exeLeikbd32.exeBkjdndjo.exeAkdafn32.exeHajfgnjc.exeCjonncab.exeHadcipbi.exeNhpfdaml.exeBllcnega.exeGieommdc.exeLhdcojaa.exeDgnjqe32.exeDcdkef32.exeElkofg32.exePepfnd32.exeCkhfpp32.exeEiciig32.exeMhdpnm32.exeCgogealf.exeMonhjgkj.exeMgbaml32.exePlhaeofp.exeLgingm32.exeNnleiipc.exeNfbjhf32.exeOepjoa32.exeBpbmqe32.exeGqdgom32.exeHqnjek32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfggkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinneo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmbme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaednh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnahilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eannmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiongbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icncgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohelidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdefnjkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaoclgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figmjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqkiind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fennoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Godaakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdgmimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leikbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjonncab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadcipbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpfdaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllcnega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieommdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdcojaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhfpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiciig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgogealf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monhjgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbaml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plhaeofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgingm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfbjhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbmqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Lngpog32.exeElkofg32.exeFegjgkla.exeGckfpc32.exeFkhbgbkc.exeGhgfekpn.exeHqiqjlga.exeAaipghcn.exeKaglcgdc.exeCqleifna.exeGpogiglp.exeHoimecmb.exeHofngkga.exeHiqoeplo.exeKmcjedcg.exeLopfhk32.exeLdhgnk32.exeAinkcf32.exeEloipb32.exeEaednh32.exeLnecigcp.exeAdipfd32.exePicojhcm.exeHmmdin32.exeIegeonpc.exeJndjmifj.exeMbnocipg.exeAddfkeid.exeBgdkkc32.exeIjqjgo32.exeEipgjaoi.exeHdecea32.exeMjqmig32.exeGgdekbgb.exeBkjdndjo.exeOhipla32.exeNjhilimb.exeCinafkkd.exeNojnql32.exeNbpqmfmd.exeKfnnlboi.exeHcgmfgfd.exeCkhfpp32.exeDmgmpnhl.exeEifmimch.exeFmfocnjg.exeEbialmjb.exeEhmpeb32.exeFkkfgi32.exeGhlfjq32.exeOnlahm32.exeEmdeok32.exeMbchni32.exeEihjolae.exeIcbipe32.exeIcfpbl32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmicg32.dll" Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fegjgkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gckfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpijbip.dll" Fkhbgbkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghgfekpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihkmh32.dll" Aaipghcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaglcgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajdfk32.dll" Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpflghlp.dll" Gpogiglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoimecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaakfpk.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehiqh32.dll" Hiqoeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noockemb.dll" Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldhgnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ainkcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eloipb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eaednh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnecigcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Picojhcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iegeonpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbnocipg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Addfkeid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knblem32.dll" Ijqjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgkjp32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqiibc32.dll" Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klncqmjg.dll" Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkkap32.dll" Mjqmig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggdekbgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkjdndjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohipla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njhilimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nojnql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbpqmfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggegqe32.dll" Hcgmfgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckhfpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpomcb.dll" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmfocnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhcopq.dll" Ehmpeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onlahm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onipnblf.dll" Mbchni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eihjolae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icbipe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahp32.dll" Icfpbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exeAdlcfjgh.exeAkfkbd32.exeAndgop32.exeBnfddp32.exeBdqlajbb.exeBkjdndjo.exeBdcifi32.exeBjpaop32.exeBoljgg32.exeBieopm32.exeBcjcme32.exeBmbgfkje.exeCbppnbhm.exeCmedlk32.exeCfmhdpnc.exedescription pid process target process PID 2280 wrote to memory of 1288 2280 ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe Adlcfjgh.exe PID 2280 wrote to memory of 1288 2280 ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe Adlcfjgh.exe PID 2280 wrote to memory of 1288 2280 ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe Adlcfjgh.exe PID 2280 wrote to memory of 1288 2280 ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe Adlcfjgh.exe PID 1288 wrote to memory of 1976 1288 Adlcfjgh.exe Akfkbd32.exe PID 1288 wrote to memory of 1976 1288 Adlcfjgh.exe Akfkbd32.exe PID 1288 wrote to memory of 1976 1288 Adlcfjgh.exe Akfkbd32.exe PID 1288 wrote to memory of 1976 1288 Adlcfjgh.exe Akfkbd32.exe PID 1976 wrote to memory of 2768 1976 Akfkbd32.exe Andgop32.exe PID 1976 wrote to memory of 2768 1976 Akfkbd32.exe Andgop32.exe PID 1976 wrote to memory of 2768 1976 Akfkbd32.exe Andgop32.exe PID 1976 wrote to memory of 2768 1976 Akfkbd32.exe Andgop32.exe PID 2768 wrote to memory of 2372 2768 Andgop32.exe Bnfddp32.exe PID 2768 wrote to memory of 2372 2768 Andgop32.exe Bnfddp32.exe PID 2768 wrote to memory of 2372 2768 Andgop32.exe Bnfddp32.exe PID 2768 wrote to memory of 2372 2768 Andgop32.exe Bnfddp32.exe PID 2372 wrote to memory of 2592 2372 Bnfddp32.exe Bdqlajbb.exe PID 2372 wrote to memory of 2592 2372 Bnfddp32.exe Bdqlajbb.exe PID 2372 wrote to memory of 2592 2372 Bnfddp32.exe Bdqlajbb.exe PID 2372 wrote to memory of 2592 2372 Bnfddp32.exe Bdqlajbb.exe PID 2592 wrote to memory of 2604 2592 Bdqlajbb.exe Bkjdndjo.exe PID 2592 wrote to memory of 2604 2592 Bdqlajbb.exe Bkjdndjo.exe PID 2592 wrote to memory of 2604 2592 Bdqlajbb.exe Bkjdndjo.exe PID 2592 wrote to memory of 2604 2592 Bdqlajbb.exe Bkjdndjo.exe PID 2604 wrote to memory of 2968 2604 Bkjdndjo.exe Bdcifi32.exe PID 2604 wrote to memory of 2968 2604 Bkjdndjo.exe Bdcifi32.exe PID 2604 wrote to memory of 2968 2604 Bkjdndjo.exe Bdcifi32.exe PID 2604 wrote to memory of 2968 2604 Bkjdndjo.exe Bdcifi32.exe PID 2968 wrote to memory of 1604 2968 Bdcifi32.exe Bjpaop32.exe PID 2968 wrote to memory of 1604 2968 Bdcifi32.exe Bjpaop32.exe PID 2968 wrote to memory of 1604 2968 Bdcifi32.exe Bjpaop32.exe PID 2968 wrote to memory of 1604 2968 Bdcifi32.exe Bjpaop32.exe PID 1604 wrote to memory of 2544 1604 Bjpaop32.exe Boljgg32.exe PID 1604 wrote to memory of 2544 1604 Bjpaop32.exe Boljgg32.exe PID 1604 wrote to memory of 2544 1604 Bjpaop32.exe Boljgg32.exe PID 1604 wrote to memory of 2544 1604 Bjpaop32.exe Boljgg32.exe PID 2544 wrote to memory of 2036 2544 Boljgg32.exe Bieopm32.exe PID 2544 wrote to memory of 2036 2544 Boljgg32.exe Bieopm32.exe PID 2544 wrote to memory of 2036 2544 Boljgg32.exe Bieopm32.exe PID 2544 wrote to memory of 2036 2544 Boljgg32.exe Bieopm32.exe PID 2036 wrote to memory of 332 2036 Bieopm32.exe Bcjcme32.exe PID 2036 wrote to memory of 332 2036 Bieopm32.exe Bcjcme32.exe PID 2036 wrote to memory of 332 2036 Bieopm32.exe Bcjcme32.exe PID 2036 wrote to memory of 332 2036 Bieopm32.exe Bcjcme32.exe PID 332 wrote to memory of 2644 332 Bcjcme32.exe Bmbgfkje.exe PID 332 wrote to memory of 2644 332 Bcjcme32.exe Bmbgfkje.exe PID 332 wrote to memory of 2644 332 Bcjcme32.exe Bmbgfkje.exe PID 332 wrote to memory of 2644 332 Bcjcme32.exe Bmbgfkje.exe PID 2644 wrote to memory of 1388 2644 Bmbgfkje.exe Cbppnbhm.exe PID 2644 wrote to memory of 1388 2644 Bmbgfkje.exe Cbppnbhm.exe PID 2644 wrote to memory of 1388 2644 Bmbgfkje.exe Cbppnbhm.exe PID 2644 wrote to memory of 1388 2644 Bmbgfkje.exe Cbppnbhm.exe PID 1388 wrote to memory of 1280 1388 Cbppnbhm.exe Cmedlk32.exe PID 1388 wrote to memory of 1280 1388 Cbppnbhm.exe Cmedlk32.exe PID 1388 wrote to memory of 1280 1388 Cbppnbhm.exe Cmedlk32.exe PID 1388 wrote to memory of 1280 1388 Cbppnbhm.exe Cmedlk32.exe PID 1280 wrote to memory of 2536 1280 Cmedlk32.exe Cfmhdpnc.exe PID 1280 wrote to memory of 2536 1280 Cmedlk32.exe Cfmhdpnc.exe PID 1280 wrote to memory of 2536 1280 Cmedlk32.exe Cfmhdpnc.exe PID 1280 wrote to memory of 2536 1280 Cmedlk32.exe Cfmhdpnc.exe PID 2536 wrote to memory of 1600 2536 Cfmhdpnc.exe Cgoelh32.exe PID 2536 wrote to memory of 1600 2536 Cfmhdpnc.exe Cgoelh32.exe PID 2536 wrote to memory of 1600 2536 Cfmhdpnc.exe Cgoelh32.exe PID 2536 wrote to memory of 1600 2536 Cfmhdpnc.exe Cgoelh32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe"C:\Users\Admin\AppData\Local\Temp\ce9a7a740fa007ecea6fca37f56f20bc99659e4618ca3f96f1e48cc0d8e1ddb3N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Dfmeccao.exeC:\Windows\system32\Dfmeccao.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe33⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe34⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe35⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe37⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe38⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe39⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe40⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe41⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe42⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe43⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe44⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe45⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe46⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe47⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe48⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe49⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe50⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe52⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe53⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe54⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe55⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe57⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe58⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe59⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe60⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe61⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe62⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe63⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe64⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe65⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe66⤵PID:1216
-
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe67⤵PID:2352
-
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe68⤵PID:2944
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe69⤵PID:2468
-
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe72⤵PID:2552
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe73⤵PID:2972
-
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe75⤵PID:764
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe76⤵
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe78⤵PID:2116
-
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe79⤵PID:2100
-
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe80⤵PID:1140
-
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe81⤵PID:924
-
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe82⤵
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe83⤵PID:784
-
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe84⤵PID:1980
-
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe85⤵PID:1984
-
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe86⤵PID:3036
-
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe87⤵PID:2784
-
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe88⤵PID:2736
-
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe89⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe90⤵PID:2012
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe91⤵PID:1788
-
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe93⤵PID:2884
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe94⤵PID:2112
-
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe95⤵PID:1952
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe96⤵PID:2436
-
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe97⤵PID:1536
-
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe98⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe99⤵PID:2880
-
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe100⤵PID:1084
-
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe101⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe102⤵PID:2988
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe103⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe104⤵PID:2820
-
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe105⤵PID:2284
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe106⤵PID:2732
-
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe107⤵PID:940
-
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe108⤵PID:1964
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe109⤵
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe110⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe112⤵PID:2704
-
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe113⤵PID:2564
-
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe114⤵PID:2676
-
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe115⤵PID:2084
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe116⤵PID:1516
-
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe117⤵PID:1908
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe118⤵PID:2196
-
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe119⤵PID:2192
-
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe120⤵PID:1720
-
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe121⤵PID:2380
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe122⤵PID:3064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-