Analysis
max time kernel: 89s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 16:52
Static task: static1
Behavioral task: behavioral1
Sample: 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
Resource: win10v2004-20241007-en
General
Target: 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
Size: 1.2MB
MD5: 9eefab4fbd0fc7b47747b57441d0073b
SHA1: f25ff646aa83a1e4b5afea562a0d2bfab19eee20
SHA256: 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7
SHA512: 24a73049d23abb4a64a3cc9ab45a03ff070fe449d510510063597a9c400f009b2d89f537b64ea2e3cdb5185560bdaa88a054ac82d2a80e330c44ed2f3169ae0e
SSDEEP: 6144:8RNZaZNAkOCOu0EajNVBZtHr9zM8d9CXdPipmMH/gysNkvC8vA+XTv7FYUwMOFut:8FqSHCXwpnsKvNA+XTvZHWuEo3oW6c
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epbpbnan.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Homdhjai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfebnmcj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjaelaok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kofaicon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pegqpacp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dafmqb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ejkkfjkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbdjcffd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nqbaic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlndnacm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nmqpam32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieofkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmhglq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdkjnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhdocl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhhgcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adcdbl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npdfhhhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olophhjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgeelf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jplfkjbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndqkleln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gcmamj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifdlng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iinhdmma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebcjamoh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhamckel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlkjne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abegfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Deojci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idgglb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pphkbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnnaoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kaompi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhjcec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icmegf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocllehcj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbdmeoob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ldjpbign.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Loclai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mqbejp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Goldfelp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgjpaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" |
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjfjbdle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ehakigbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iahhgnkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifjlcmmj.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
2248 | Efcfga32.exe
2708 | Emnndlod.exe
2668 | Fpcqaf32.exe
2720 | Febfomdd.exe
2608 | Gpncej32.exe
2424 | Gmbdnn32.exe
816 | Gbcfadgl.exe
2884 | Hbfbgd32.exe
2536 | Heihnoph.exe
2320 | Hapicp32.exe
2640 | Hgmalg32.exe
1792 | Hmfjha32.exe
2188 | Hdqbekcm.exe
3048 | Ikkjbe32.exe
316 | Illgimph.exe
2920 | Igakgfpn.exe
2956 | Ipjoplgo.exe
1752 | Igchlf32.exe
1720 | Iheddndj.exe
1876 | Icjhagdp.exe
908 | Ieidmbcc.exe
1976 | Ilcmjl32.exe
1740 | Icmegf32.exe
2312 | Idnaoohk.exe
2420 | Ileiplhn.exe
2656 | Jnffgd32.exe
2916 | Jhljdm32.exe
2776 | Jofbag32.exe
2712 | Jdbkjn32.exe
2688 | Jjpcbe32.exe
2252 | Jqilooij.exe
2984 | Jkoplhip.exe
1324 | Jqlhdo32.exe
652 | Jgfqaiod.exe
1228 | Jmbiipml.exe
2204 | Jcmafj32.exe
2384 | Kjfjbdle.exe
2760 | Kocbkk32.exe
1492 | Kmgbdo32.exe
3008 | Kbdklf32.exe
1360 | Kebgia32.exe
920 | Kklpekno.exe
2924 | Kbfhbeek.exe
2440 | Nigome32.exe
884 | Nodgel32.exe
2804 | Nenobfak.exe
2552 | Ncbplk32.exe
332 | Nilhhdga.exe
2648 | Nljddpfe.exe
1864 | Oagmmgdm.exe
2316 | Ohaeia32.exe
1832 | Oaiibg32.exe
704 | Okanklik.exe
2060 | Oalfhf32.exe
2112 | Odjbdb32.exe
2560 | Okdkal32.exe
2292 | Onbgmg32.exe
3044 | Ogkkfmml.exe
1796 | Ojigbhlp.exe
2272 | Odoloalf.exe
2752 | Pkidlk32.exe
2224 | Pmjqcc32.exe
2200 | Pdaheq32.exe
2432 | Pjnamh32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2220 | 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
2220 | 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe
2248 | Efcfga32.exe
2248 | Efcfga32.exe
2708 | Emnndlod.exe
2708 | Emnndlod.exe
2668 | Fpcqaf32.exe
2668 | Fpcqaf32.exe
2720 | Febfomdd.exe
2720 | Febfomdd.exe
2608 | Gpncej32.exe
2608 | Gpncej32.exe
2424 | Gmbdnn32.exe
2424 | Gmbdnn32.exe
816 | Gbcfadgl.exe
816 | Gbcfadgl.exe
2884 | Hbfbgd32.exe
2884 | Hbfbgd32.exe
2536 | Heihnoph.exe
2536 | Heihnoph.exe
2320 | Hapicp32.exe
2320 | Hapicp32.exe
2640 | Hgmalg32.exe
2640 | Hgmalg32.exe
1792 | Hmfjha32.exe
1792 | Hmfjha32.exe
2188 | Hdqbekcm.exe
2188 | Hdqbekcm.exe
3048 | Ikkjbe32.exe
3048 | Ikkjbe32.exe
316 | Illgimph.exe
316 | Illgimph.exe
2920 | Igakgfpn.exe
2920 | Igakgfpn.exe
2956 | Ipjoplgo.exe
2956 | Ipjoplgo.exe
1752 | Igchlf32.exe
1752 | Igchlf32.exe
1720 | Iheddndj.exe
1720 | Iheddndj.exe
1876 | Icjhagdp.exe
1876 | Icjhagdp.exe
908 | Ieidmbcc.exe
908 | Ieidmbcc.exe
1976 | Ilcmjl32.exe
1976 | Ilcmjl32.exe
1740 | Icmegf32.exe
1740 | Icmegf32.exe
2312 | Idnaoohk.exe
2312 | Idnaoohk.exe
2420 | Ileiplhn.exe
2420 | Ileiplhn.exe
2656 | Jnffgd32.exe
2656 | Jnffgd32.exe
2916 | Jhljdm32.exe
2916 | Jhljdm32.exe
2776 | Jofbag32.exe
2776 | Jofbag32.exe
2712 | Jdbkjn32.exe
2712 | Jdbkjn32.exe
2688 | Jjpcbe32.exe
2688 | Jjpcbe32.exe
2252 | Jqilooij.exe
2252 | Jqilooij.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Bffpki32.exe | Bplhnoej.exe
File opened for modification | C:\Windows\SysWOW64\Kkoncdcp.exe | Khabghdl.exe
File created | C:\Windows\SysWOW64\Jieaofmp.exe | Jdhifooi.exe
File created | C:\Windows\SysWOW64\Ddomif32.exe | Daqamj32.exe
File created | C:\Windows\SysWOW64\Aakepajf.dll | Foafdoag.exe
File created | C:\Windows\SysWOW64\Kgqocoin.exe | Kpgffe32.exe
File created | C:\Windows\SysWOW64\Ehmpeb32.exe |
File opened for modification | C:\Windows\SysWOW64\Lilfgq32.exe |
File created | C:\Windows\SysWOW64\Mqpkpl32.dll |
File created | C:\Windows\SysWOW64\Nnoiph32.dll | Oioggmmc.exe
File created | C:\Windows\SysWOW64\Agbpnh32.exe | Adcdbl32.exe
File opened for modification | C:\Windows\SysWOW64\Fnibcd32.exe | Fhljkm32.exe
File created | C:\Windows\SysWOW64\Fggmldfp.exe | Fakdcnhh.exe
File created | C:\Windows\SysWOW64\Hghdjn32.exe |
File created | C:\Windows\SysWOW64\Nckmpicl.exe |
File opened for modification | C:\Windows\SysWOW64\Alaccj32.exe |
File opened for modification | C:\Windows\SysWOW64\Fqcfnhjb.exe | Fmhjni32.exe
File created | C:\Windows\SysWOW64\Dakmfh32.exe | Dlndnacm.exe
File opened for modification | C:\Windows\SysWOW64\Oonldcih.exe | Olophhjd.exe
File created | C:\Windows\SysWOW64\Okdmjdol.exe | Ohfqmi32.exe
File created | C:\Windows\SysWOW64\Geldbhjk.dll | Ekkjheja.exe
File opened for modification | C:\Windows\SysWOW64\Ncamen32.exe | Nqbaic32.exe
File opened for modification | C:\Windows\SysWOW64\Bbgnak32.exe | Bphbeplm.exe
File opened for modification | C:\Windows\SysWOW64\Jehlkhig.exe | Jbjpom32.exe
File created | C:\Windows\SysWOW64\Mgegfk32.exe | Mploiq32.exe
File opened for modification | C:\Windows\SysWOW64\Ccqhdmbc.exe |
File created | C:\Windows\SysWOW64\Emokgnoa.dll |
File opened for modification | C:\Windows\SysWOW64\Bilmcf32.exe | Apdhjq32.exe
File opened for modification | C:\Windows\SysWOW64\Fcpfedki.exe | Fkdaqa32.exe
File created | C:\Windows\SysWOW64\Ccdbdc32.dll | Emifeqid.exe
File created | C:\Windows\SysWOW64\Deakjjbk.exe | Dafoikjb.exe
File created | C:\Windows\SysWOW64\Floeof32.exe |
File created | C:\Windows\SysWOW64\Mgfiocfl.exe |
File created | C:\Windows\SysWOW64\Ohfqmi32.exe | Oonldcih.exe
File created | C:\Windows\SysWOW64\Jokbld32.dll | Gaihob32.exe
File created | C:\Windows\SysWOW64\Fapgblob.exe |
File opened for modification | C:\Windows\SysWOW64\Mjfnomde.exe | Mqnifg32.exe
File created | C:\Windows\SysWOW64\Gaojnq32.exe | Goqnae32.exe
File created | C:\Windows\SysWOW64\Jpnghhmn.dll | Kmfpmc32.exe
File opened for modification | C:\Windows\SysWOW64\Mgjpaj32.exe | Mdldeo32.exe
File created | C:\Windows\SysWOW64\Gcmcebkc.exe |
File created | C:\Windows\SysWOW64\Piipgfbo.dll |
File opened for modification | C:\Windows\SysWOW64\Mhcmedli.exe | Mokilo32.exe
File created | C:\Windows\SysWOW64\Kjaelaok.exe | Kmmebm32.exe
File created | C:\Windows\SysWOW64\Ljfapjbi.exe | Lpnmgdli.exe
File created | C:\Windows\SysWOW64\Ddmidgbj.dll | Fhgppnan.exe
File created | C:\Windows\SysWOW64\Qboikm32.exe |
File created | C:\Windows\SysWOW64\Lldpji32.dll |
File created | C:\Windows\SysWOW64\Jqkelimm.dll |
File created | C:\Windows\SysWOW64\Nacehmno.dll | Qflhbhgg.exe
File created | C:\Windows\SysWOW64\Dcjpqlpe.dll | Ccigfn32.exe
File opened for modification | C:\Windows\SysWOW64\Jdejhfig.exe | Jagnlkjd.exe
File created | C:\Windows\SysWOW64\Oiahkhpo.dll | Jmfcop32.exe
File created | C:\Windows\SysWOW64\Lbjjekhl.exe |
File opened for modification | C:\Windows\SysWOW64\Nmogpj32.exe |
File created | C:\Windows\SysWOW64\Pnmcfeia.exe | Phpjnnki.exe
File opened for modification | C:\Windows\SysWOW64\Eakooqih.exe | Dpjbgh32.exe
File created | C:\Windows\SysWOW64\Hejmpqop.exe | Hbkqdepm.exe
File created | C:\Windows\SysWOW64\Gckobc32.dll | Hhkopj32.exe
File opened for modification | C:\Windows\SysWOW64\Khgkpl32.exe | Jnofgg32.exe
File opened for modification | C:\Windows\SysWOW64\Fdnlcakk.exe |
File created | C:\Windows\SysWOW64\Dkefga32.dll | Gjlgfaco.exe
File created | C:\Windows\SysWOW64\Hlpklbcl.dll | Kbaglpee.exe
File created | C:\Windows\SysWOW64\Pmmeon32.exe | Pgcmbcih.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1796 | 4008 | | 1606
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mapccndn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjmopkla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgoopkgh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iibfajdc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgqkbb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daplkmbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feachqgb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohfqmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkbcbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phlclgfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joidhh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkgoff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdbkjn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nidkmojn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfdopp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icafgmbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mclgklel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abeemhkh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leopgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekdchf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhjbqo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Danmmd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkmqdpce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqonbm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjfnomde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpfmmf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljigih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpbmqe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmkhjncg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elkofg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdjidgfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Badnhbce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmcmgm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnmacpfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odjbdb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omnipjni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjfjbdle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfhiplmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohhmcinf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdekgjno.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgflflqg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhnmoo32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bigimdjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippbdn32.dll" | Nlqmmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfchh32.dll" | Oiafee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplffidh.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgfhpob.dll" | Mbeiefff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nlilqbgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eakhdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhoogoe.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eccpoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iiecgjba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibigbjj.dll" | Qoeamo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onepbd32.dll" | Djocbqpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jpdnbbah.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hieiqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dciceaoe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gpcoib32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hhhgcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hnheohcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nigome32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lfmbek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doadcepg.dll" | Npjlhcmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfpnmj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmgbdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmbnbgf.dll" | Qkibcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mploiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oaiibg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jdkjnl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnfblgca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lfpeeqig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gildahhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lpnmgdli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibgpofm.dll" | Dlljaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiicbbm.dll" | Dbfbnddq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgaajh32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" | Bdmddc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lkakicam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knakol32.dll" | Mihdgkpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pphkbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifdlng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnfblgca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mlkjne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiidm32.dll" | Bacihmoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahnapmie.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Agbpnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hboddk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Phlclgfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Neqnqofm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pljcllqe.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe, Efcfga32.exe, Emnndlod.exe, Fpcqaf32.exe, Febfomdd.exe, Gpncej32.exe, Gmbdnn32.exe, Gbcfadgl.exe, Hbfbgd32.exe, Heihnoph.exe, Hapicp32.exe, Hgmalg32.exe, Hmfjha32.exe, Hdqbekcm.exe, Ikkjbe32.exe, Illgimph.exe
description pid Process procid_target
PID 2220 wrote to memory of 2248 2220 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe 30
PID 2220 wrote to memory of 2248 2220 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe 30
PID 2220 wrote to memory of 2248 2220 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe 30
PID 2220 wrote to memory of 2248 2220 91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe 30
PID 2248 wrote to memory of 2708 2248 Efcfga32.exe 31
PID 2248 wrote to memory of 2708 2248 Efcfga32.exe 31
PID 2248 wrote to memory of 2708 2248 Efcfga32.exe 31
PID 2248 wrote to memory of 2708 2248 Efcfga32.exe 31
PID 2708 wrote to memory of 2668 2708 Emnndlod.exe 32
PID 2708 wrote to memory of 2668 2708 Emnndlod.exe 32
PID 2708 wrote to memory of 2668 2708 Emnndlod.exe 32
PID 2708 wrote to memory of 2668 2708 Emnndlod.exe 32
PID 2668 wrote to memory of 2720 2668 Fpcqaf32.exe 33
PID 2668 wrote to memory of 2720 2668 Fpcqaf32.exe 33
PID 2668 wrote to memory of 2720 2668 Fpcqaf32.exe 33
PID 2668 wrote to memory of 2720 2668 Fpcqaf32.exe 33
PID 2720 wrote to memory of 2608 2720 Febfomdd.exe 34
PID 2720 wrote to memory of 2608 2720 Febfomdd.exe 34
PID 2720 wrote to memory of 2608 2720 Febfomdd.exe 34
PID 2720 wrote to memory of 2608 2720 Febfomdd.exe 34
PID 2608 wrote to memory of 2424 2608 Gpncej32.exe 35
PID 2608 wrote to memory of 2424 2608 Gpncej32.exe 35
PID 2608 wrote to memory of 2424 2608 Gpncej32.exe 35
PID 2608 wrote to memory of 2424 2608 Gpncej32.exe 35
PID 2424 wrote to memory of 816 2424 Gmbdnn32.exe 36
PID 2424 wrote to memory of 816 2424 Gmbdnn32.exe 36
PID 2424 wrote to memory of 816 2424 Gmbdnn32.exe 36
PID 2424 wrote to memory of 816 2424 Gmbdnn32.exe 36
PID 816 wrote to memory of 2884 816 Gbcfadgl.exe 37
PID 816 wrote to memory of 2884 816 Gbcfadgl.exe 37
PID 816 wrote to memory of 2884 816 Gbcfadgl.exe 37
PID 816 wrote to memory of 2884 816 Gbcfadgl.exe 37
PID 2884 wrote to memory of 2536 2884 Hbfbgd32.exe 38
PID 2884 wrote to memory of 2536 2884 Hbfbgd32.exe 38
PID 2884 wrote to memory of 2536 2884 Hbfbgd32.exe 38
PID 2884 wrote to memory of 2536 2884 Hbfbgd32.exe 38
PID 2536 wrote to memory of 2320 2536 Heihnoph.exe 39
PID 2536 wrote to memory of 2320 2536 Heihnoph.exe 39
PID 2536 wrote to memory of 2320 2536 Heihnoph.exe 39
PID 2536 wrote to memory of 2320 2536 Heihnoph.exe 39
PID 2320 wrote to memory of 2640 2320 Hapicp32.exe 40
PID 2320 wrote to memory of 2640 2320 Hapicp32.exe 40
PID 2320 wrote to memory of 2640 2320 Hapicp32.exe 40
PID 2320 wrote to memory of 2640 2320 Hapicp32.exe 40
PID 2640 wrote to memory of 1792 2640 Hgmalg32.exe 41
PID 2640 wrote to memory of 1792 2640 Hgmalg32.exe 41
PID 2640 wrote to memory of 1792 2640 Hgmalg32.exe 41
PID 2640 wrote to memory of 1792 2640 Hgmalg32.exe 41
PID 1792 wrote to memory of 2188 1792 Hmfjha32.exe 42
PID 1792 wrote to memory of 2188 1792 Hmfjha32.exe 42
PID 1792 wrote to memory of 2188 1792 Hmfjha32.exe 42
PID 1792 wrote to memory of 2188 1792 Hmfjha32.exe 42
PID 2188 wrote to memory of 3048 2188 Hdqbekcm.exe 43
PID 2188 wrote to memory of 3048 2188 Hdqbekcm.exe 43
PID 2188 wrote to memory of 3048 2188 Hdqbekcm.exe 43
PID 2188 wrote to memory of 3048 2188 Hdqbekcm.exe 43
PID 3048 wrote to memory of 316 3048 Ikkjbe32.exe 44
PID 3048 wrote to memory of 316 3048 Ikkjbe32.exe 44
PID 3048 wrote to memory of 316 3048 Ikkjbe32.exe 44
PID 3048 wrote to memory of 316 3048 Ikkjbe32.exe 44
PID 316 wrote to memory of 2920 316 Illgimph.exe 45
PID 316 wrote to memory of 2920 316 Illgimph.exe 45
PID 316 wrote to memory of 2920 316 Illgimph.exe 45
PID 316 wrote to memory of 2920 316 Illgimph.exe 45
Processes
1. C:\Users\Admin\AppData\Local\Temp\91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe "C:\Users\Admin\AppData\Local\Temp\91f072cde304fb6142b551fb1d922c08c39b2b10aa629b6fedd21ce253b2d6e7.exe" PID:2220
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Efcfga32.exe C:\Windows\system32\Efcfga32.exe PID:2248
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Emnndlod.exe C:\Windows\system32\Emnndlod.exe PID:2708
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fpcqaf32.exe C:\Windows\system32\Fpcqaf32.exe PID:2668
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Febfomdd.exe C:\Windows\system32\Febfomdd.exe PID:2720
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Gpncej32.exe C:\Windows\system32\Gpncej32.exe PID:2608
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gmbdnn32.exe C:\Windows\system32\Gmbdnn32.exe PID:2424
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gbcfadgl.exe C:\Windows\system32\Gbcfadgl.exe PID:816
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Hbfbgd32.exe C:\Windows\system32\Hbfbgd32.exe PID:2884
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Heihnoph.exe C:\Windows\system32\Heihnoph.exe PID:2536
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hapicp32.exe C:\Windows\system32\Hapicp32.exe PID:2320
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hgmalg32.exe C:\Windows\system32\Hgmalg32.exe PID:2640
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hmfjha32.exe C:\Windows\system32\Hmfjha32.exe PID:1792
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hdqbekcm.exe C:\Windows\system32\Hdqbekcm.exe PID:2188
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ikkjbe32.exe C:\Windows\system32\Ikkjbe32.exe PID:3048
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Illgimph.exe C:\Windows\system32\Illgimph.exe PID:316
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Igakgfpn.exe C:\Windows\system32\Igakgfpn.exe PID:2920
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Ipjoplgo.exe C:\Windows\system32\Ipjoplgo.exe PID:2956
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Igchlf32.exe C:\Windows\system32\Igchlf32.exe PID:1752
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Iheddndj.exe C:\Windows\system32\Iheddndj.exe PID:1720
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Icjhagdp.exe C:\Windows\system32\Icjhagdp.exe PID:1876
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Ieidmbcc.exe C:\Windows\system32\Ieidmbcc.exe PID:908
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Ilcmjl32.exe C:\Windows\system32\Ilcmjl32.exe PID:1976
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Icmegf32.exe C:\Windows\system32\Icmegf32.exe PID:1740
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Idnaoohk.exe C:\Windows\system32\Idnaoohk.exe PID:2312
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Ileiplhn.exe C:\Windows\system32\Ileiplhn.exe PID:2420
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Jnffgd32.exe C:\Windows\system32\Jnffgd32.exe PID:2656
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Jhljdm32.exe C:\Windows\system32\Jhljdm32.exe PID:2916
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Jofbag32.exe C:\Windows\system32\Jofbag32.exe PID:2776
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Jdbkjn32.exe C:\Windows\system32\Jdbkjn32.exe PID:2712
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
31. C:\Windows\SysWOW64\Jjpcbe32.exe C:\Windows\system32\Jjpcbe32.exe PID:2688
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Jqilooij.exe C:\Windows\system32\Jqilooij.exe PID:2252
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Jkoplhip.exe C:\Windows\system32\Jkoplhip.exe PID:2984
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Jqlhdo32.exe C:\Windows\system32\Jqlhdo32.exe PID:1324
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Jgfqaiod.exe C:\Windows\system32\Jgfqaiod.exe PID:652
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Jmbiipml.exe C:\Windows\system32\Jmbiipml.exe PID:1228
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Jcmafj32.exe C:\Windows\system32\Jcmafj32.exe PID:2204
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Kjfjbdle.exe C:\Windows\system32\Kjfjbdle.exe PID:2384
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Kocbkk32.exe C:\Windows\system32\Kocbkk32.exe PID:2760
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Kmgbdo32.exe C:\Windows\system32\Kmgbdo32.exe PID:1492
   - Executes dropped EXE
   - Modifies registry class
41. C:\Windows\SysWOW64\Kbdklf32.exe C:\Windows\system32\Kbdklf32.exe PID:3008
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Kebgia32.exe C:\Windows\system32\Kebgia32.exe PID:1360
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Kklpekno.exe C:\Windows\system32\Kklpekno.exe PID:920
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Kbfhbeek.exe C:\Windows\system32\Kbfhbeek.exe PID:2924
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Nigome32.exe C:\Windows\system32\Nigome32.exe PID:2440
   - Executes dropped EXE
   - Modifies registry class
46. C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\system32\Nodgel32.exe PID:884
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\system32\Nenobfak.exe PID:2804
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Ncbplk32.exe C:\Windows\system32\Ncbplk32.exe PID:2552
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Nilhhdga.exe C:\Windows\system32\Nilhhdga.exe PID:332
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Nljddpfe.exe C:\Windows\system32\Nljddpfe.exe PID:2648
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Oagmmgdm.exe C:\Windows\system32\Oagmmgdm.exe PID:1864
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\system32\Ohaeia32.exe PID:2316
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Oaiibg32.exe C:\Windows\system32\Oaiibg32.exe PID:1832
   - Executes dropped EXE
   - Modifies registry class
54. C:\Windows\SysWOW64\Okanklik.exe C:\Windows\system32\Okanklik.exe PID:704
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\system32\Oalfhf32.exe PID:2060
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Odjbdb32.exe C:\Windows\system32\Odjbdb32.exe PID:2112
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
57. C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\system32\Okdkal32.exe PID:2560
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Onbgmg32.exe C:\Windows\system32\Onbgmg32.exe PID:2292
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Ogkkfmml.exe C:\Windows\system32\Ogkkfmml.exe PID:3044
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ojigbhlp.exe C:\Windows\system32\Ojigbhlp.exe PID:1796
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Odoloalf.exe C:\Windows\system32\Odoloalf.exe PID:2272
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\system32\Pkidlk32.exe PID:2752
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Pmjqcc32.exe C:\Windows\system32\Pmjqcc32.exe PID:2224
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pdaheq32.exe C:\Windows\system32\Pdaheq32.exe PID:2200
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Pjnamh32.exe C:\Windows\system32\Pjnamh32.exe PID:2432
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Pcfefmnk.exe C:\Windows\system32\Pcfefmnk.exe PID:2756
67. C:\Windows\SysWOW64\Pjpnbg32.exe C:\Windows\system32\Pjpnbg32.exe PID:2556
68. C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\system32\Pcibkm32.exe PID:2672
69. C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\system32\Pbkbgjcc.exe PID:772
70. C:\Windows\SysWOW64\Pkdgpo32.exe C:\Windows\system32\Pkdgpo32.exe PID:1764
71. C:\Windows\SysWOW64\Pckoam32.exe C:\Windows\system32\Pckoam32.exe PID:1264
72. C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\system32\Pmccjbaf.exe PID:1660
73. C:\Windows\SysWOW64\Pndpajgd.exe C:\Windows\system32\Pndpajgd.exe PID:2940
74. C:\Windows\SysWOW64\Qflhbhgg.exe C:\Windows\system32\Qflhbhgg.exe PID:2284
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\system32\Qodlkm32.exe PID:1436
76. C:\Windows\SysWOW64\Qbbhgi32.exe C:\Windows\system32\Qbbhgi32.exe PID:2352
77. C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\system32\Qgoapp32.exe PID:2084
78. C:\Windows\SysWOW64\Abeemhkh.exe C:\Windows\system32\Abeemhkh.exe PID:1828
   - System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Aganeoip.exe C:\Windows\system32\Aganeoip.exe PID:2184
80. C:\Windows\SysWOW64\Amnfnfgg.exe C:\Windows\system32\Amnfnfgg.exe PID:1352
81. C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\system32\Agdjkogm.exe PID:536
82. C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\system32\Afgkfl32.exe PID:2744
83. C:\Windows\SysWOW64\Annbhi32.exe C:\Windows\system32\Annbhi32.exe PID:896
84. C:\Windows\SysWOW64\Amcpie32.exe C:\Windows\system32\Amcpie32.exe PID:1548
85. C:\Windows\SysWOW64\Apalea32.exe C:\Windows\system32\Apalea32.exe PID:2628
86. C:\Windows\SysWOW64\Acmhepko.exe C:\Windows\system32\Acmhepko.exe PID:1088
87. C:\Windows\SysWOW64\Amelne32.exe C:\Windows\system32\Amelne32.exe PID:1952
88. C:\Windows\SysWOW64\Apdhjq32.exe C:\Windows\system32\Apdhjq32.exe PID:2620
   - Drops file in System32 directory
89. C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\system32\Bilmcf32.exe PID:2040
90. C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\system32\Bfpnmj32.exe PID:808
   - Modifies registry class
91. C:\Windows\SysWOW64\Bhajdblk.exe C:\Windows\system32\Bhajdblk.exe PID:2448
92. C:\Windows\SysWOW64\Bphbeplm.exe C:\Windows\system32\Bphbeplm.exe PID:2812
   - Drops file in System32 directory
93. C:\Windows\SysWOW64\Bbgnak32.exe C:\Windows\system32\Bbgnak32.exe PID:2900
94. C:\Windows\SysWOW64\Bhdgjb32.exe C:\Windows\system32\Bhdgjb32.exe PID:1016
95. C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\system32\Bonoflae.exe PID:2636
96. C:\Windows\SysWOW64\Bbikgk32.exe C:\Windows\system32\Bbikgk32.exe PID:2416
97. C:\Windows\SysWOW64\Blaopqpo.exe C:\Windows\system32\Blaopqpo.exe PID:1804
98. C:\Windows\SysWOW64\Bjdplm32.exe C:\Windows\system32\Bjdplm32.exe PID:2864
99. C:\Windows\SysWOW64\Bdmddc32.exe C:\Windows\system32\Bdmddc32.exe PID:2684
   - Modifies registry class
100. C:\Windows\SysWOW64\Bhhpeafc.exe C:\Windows\system32\Bhhpeafc.exe PID:2572
101. C:\Windows\SysWOW64\Baadng32.exe C:\Windows\system32\Baadng32.exe PID:476
102. C:\Windows\SysWOW64\Cdoajb32.exe C:\Windows\system32\Cdoajb32.exe PID:2588
103. C:\Windows\SysWOW64\Cmgechbh.exe C:\Windows\system32\Cmgechbh.exe PID:1520
104. C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\system32\Cpfaocal.exe PID:1312
105. C:\Windows\SysWOW64\Cklfll32.exe C:\Windows\system32\Cklfll32.exe PID:856
106. C:\Windows\SysWOW64\Cmjbhh32.exe C:\Windows\system32\Cmjbhh32.exe PID:2888
107. C:\Windows\SysWOW64\Cphndc32.exe C:\Windows\system32\Cphndc32.exe PID:2880
108. C:\Windows\SysWOW64\Ccigfn32.exe C:\Windows\system32\Ccigfn32.exe PID:1128
   - Drops file in System32 directory
109. C:\Windows\SysWOW64\Cegcbjkn.exe C:\Windows\system32\Cegcbjkn.exe PID:888
110. C:\Windows\SysWOW64\Chfpoeja.exe C:\Windows\system32\Chfpoeja.exe PID:308
111. C:\Windows\SysWOW64\Cckdlnjg.exe C:\Windows\system32\Cckdlnjg.exe PID:2548
112. C:\Windows\SysWOW64\Candgk32.exe C:\Windows\system32\Candgk32.exe PID:2848
113. C:\Windows\SysWOW64\Dldhdc32.exe C:\Windows\system32\Dldhdc32.exe PID:2296
114. C:\Windows\SysWOW64\Daqamj32.exe C:\Windows\system32\Daqamj32.exe PID:1348
   - Drops file in System32 directory
115. C:\Windows\SysWOW64\Ddomif32.exe C:\Windows\system32\Ddomif32.exe PID:1212
116. C:\Windows\SysWOW64\Dngabk32.exe C:\Windows\system32\Dngabk32.exe PID:2464
117. C:\Windows\SysWOW64\Deojci32.exe C:\Windows\system32\Deojci32.exe PID:2792
   - Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Dognlnlf.exe C:\Windows\system32\Dognlnlf.exe PID:2936
119. C:\Windows\SysWOW64\Dphjcf32.exe C:\Windows\system32\Dphjcf32.exe PID:1544
120. C:\Windows\SysWOW64\Dddfdejn.exe C:\Windows\system32\Dddfdejn.exe PID:1700
121. C:\Windows\SysWOW64\Dnlkmkpn.exe C:\Windows\system32\Dnlkmkpn.exe PID:2532
122. C:\Windows\SysWOW64\Dpjgifpa.exe C:\Windows\system32\Dpjgifpa.exe PID:2772