Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 18:57
Static task: static1
Behavioral task: behavioral1
  Sample: c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe
  Resource: win10v2004-20241007-en
General
Target: c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe
Size: 96KB
MD5: 33a143bd0956dcb6eddb6fef60d65f4c
SHA1: b4c359334756b104f2dd682a3563506d71600a83
SHA256: c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f
SHA512: 3a2df9e26d97e70c52d5202e4ccbd5d306a0e735b07cc2b344500b8d223b695b6f5517fd20047b38fa9c5431f3ccaa591c3fdf450e012a8abda5b1f14d454ad0
SSDEEP: 1536:6nQm4PK4iGyOnBaHiLU82JR+IbFFfUN1Avhw6JCMt:6nQmFGyc4Cm+IbFFfUrQlM2
Malware Config
Extracted: berbew
URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
Process       pid   pid_target  procid_target
WerFault.exe  1956  3176        575
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcqebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjfgc32.dll" Lqjfpbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbeejlb.dll" Oheieo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkiknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogmkne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liekddkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okailkhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhcgkbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjmiknng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jibpghbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdnipekj.dll" Pigklmqc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnhgnpbp.dll" Lefikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpboioea.dll" Ooemcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnmcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejina32.dll" Oddmokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnmdfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnoiocfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgpklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnmdfi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\c935af05d7d81e1ca2bc544b08910aba6ee718e81ff666ac5af654eca0f2429f.exe" | PID 2776
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cnflae32.exe | cmd: C:\Windows\system32\Cnflae32.exe | PID 2920
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cdpdnpif.exe | cmd: C:\Windows\system32\Cdpdnpif.exe | PID 2916
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Chbihc32.exe | cmd: C:\Windows\system32\Chbihc32.exe | PID 1860
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Donojm32.exe | cmd: C:\Windows\system32\Donojm32.exe | PID 2688
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dboglhna.exe | cmd: C:\Windows\system32\Dboglhna.exe | PID 2380
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Dkgldm32.exe | cmd: C:\Windows\system32\Dkgldm32.exe | PID 1888
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Djmiejji.exe | cmd: C:\Windows\system32\Djmiejji.exe | PID 108
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dqinhcoc.exe | cmd: C:\Windows\system32\Dqinhcoc.exe | PID 2544
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Empomd32.exe | cmd: C:\Windows\system32\Empomd32.exe | PID 3008
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Embkbdce.exe | cmd: C:\Windows\system32\Embkbdce.exe | PID 2484
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Eepmlf32.exe | cmd: C:\Windows\system32\Eepmlf32.exe | PID 760
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Eebibf32.exe | cmd: C:\Windows\system32\Eebibf32.exe | PID 2144
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fefcmehe.exe | cmd: C:\Windows\system32\Fefcmehe.exe | PID 2360
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fjckelfm.exe | cmd: C:\Windows\system32\Fjckelfm.exe | PID 2504
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Fappgflg.exe | cmd: C:\Windows\system32\Fappgflg.exe | PID 680
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fdqiiaih.exe | cmd: C:\Windows\system32\Fdqiiaih.exe | PID 732
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Gipngg32.exe | cmd: C:\Windows\system32\Gipngg32.exe | PID 804
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Gfcopl32.exe | cmd: C:\Windows\system32\Gfcopl32.exe | PID 568
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Gbjpem32.exe | cmd: C:\Windows\system32\Gbjpem32.exe | PID 1812
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Glbdnbpk.exe | cmd: C:\Windows\system32\Glbdnbpk.exe | PID 1692
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Hememgdi.exe | cmd: C:\Windows\system32\Hememgdi.exe | PID 2352
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Hofjem32.exe | cmd: C:\Windows\system32\Hofjem32.exe | PID 1808
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Hganjo32.exe | cmd: C:\Windows\system32\Hganjo32.exe | PID 1008
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Hibgkjee.exe | cmd: C:\Windows\system32\Hibgkjee.exe | PID 1072
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Ihiabfhk.exe | cmd: C:\Windows\system32\Ihiabfhk.exe | PID 2800
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Icoepohq.exe | cmd: C:\Windows\system32\Icoepohq.exe | PID 2820
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Ilgjhena.exe | cmd: C:\Windows\system32\Ilgjhena.exe | PID 2896
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Inkcem32.exe | cmd: C:\Windows\system32\Inkcem32.exe | PID 2780
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Ihpgce32.exe | cmd: C:\Windows\system32\Ihpgce32.exe | PID 2744
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Ikapdqoc.exe | cmd: C:\Windows\system32\Ikapdqoc.exe | PID 2172
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
32. C:\Windows\SysWOW64\Jqnhmgmk.exe | cmd: C:\Windows\system32\Jqnhmgmk.exe | PID 920
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Jfmnkn32.exe | cmd: C:\Windows\system32\Jfmnkn32.exe | PID 1500
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Jqbbhg32.exe | cmd: C:\Windows\system32\Jqbbhg32.exe | PID 1880
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
35. C:\Windows\SysWOW64\Jipcbidn.exe | cmd: C:\Windows\system32\Jipcbidn.exe | PID 2952
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Jibpghbk.exe | cmd: C:\Windows\system32\Jibpghbk.exe | PID 2132
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Kgjjndeq.exe | cmd: C:\Windows\system32\Kgjjndeq.exe | PID 1460
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Kabngjla.exe | cmd: C:\Windows\system32\Kabngjla.exe | PID 700
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Kgocid32.exe | cmd: C:\Windows\system32\Kgocid32.exe | PID 2064
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Kaggbihl.exe | cmd: C:\Windows\system32\Kaggbihl.exe | PID 2548
   - Executes dropped EXE
   - Modifies registry class
41. C:\Windows\SysWOW64\Lbkaoalg.exe | cmd: C:\Windows\system32\Lbkaoalg.exe | PID 2516
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Ldjmidcj.exe | cmd: C:\Windows\system32\Ldjmidcj.exe | PID 2128
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Lfkfkopk.exe | cmd: C:\Windows\system32\Lfkfkopk.exe | PID 2016
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Lofkoamf.exe | cmd: C:\Windows\system32\Lofkoamf.exe | PID 2272
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
45. C:\Windows\SysWOW64\Lepclldc.exe | cmd: C:\Windows\system32\Lepclldc.exe | PID 548
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Magdam32.exe | cmd: C:\Windows\system32\Magdam32.exe | PID 324
   - Executes dropped EXE
   - Drops file in System32 directory
47. C:\Windows\SysWOW64\Meemgk32.exe | cmd: C:\Windows\system32\Meemgk32.exe | PID 1204
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Mkaeob32.exe | cmd: C:\Windows\system32\Mkaeob32.exe | PID 340
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
49. C:\Windows\SysWOW64\Malmllfb.exe | cmd: C:\Windows\system32\Malmllfb.exe | PID 1048
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Mheeif32.exe | cmd: C:\Windows\system32\Mheeif32.exe | PID 1988
   - Executes dropped EXE
   - Modifies registry class
51. C:\Windows\SysWOW64\Mpqjmh32.exe | cmd: C:\Windows\system32\Mpqjmh32.exe | PID 2828
   - System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Mkfojakp.exe | cmd: C:\Windows\system32\Mkfojakp.exe | PID 2268
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Mcacochk.exe | cmd: C:\Windows\system32\Mcacochk.exe | PID 1556
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Nmggllha.exe | cmd: C:\Windows\system32\Nmggllha.exe | PID 1668
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Ninhamne.exe | cmd: C:\Windows\system32\Ninhamne.exe | PID 1420
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Nphpng32.exe | cmd: C:\Windows\system32\Nphpng32.exe | PID 2004
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Nloachkf.exe | cmd: C:\Windows\system32\Nloachkf.exe | PID 2412
   - Executes dropped EXE
   - Drops file in System32 directory
58. C:\Windows\SysWOW64\Nommodjj.exe | cmd: C:\Windows\system32\Nommodjj.exe | PID 3000
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Ndjfgkha.exe | cmd: C:\Windows\system32\Ndjfgkha.exe | PID 2020
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Nkdndeon.exe | cmd: C:\Windows\system32\Nkdndeon.exe | PID 2220
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Nkfkidmk.exe | cmd: C:\Windows\system32\Nkfkidmk.exe | PID 2192
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
62. C:\Windows\SysWOW64\Oapcfo32.exe | cmd: C:\Windows\system32\Oapcfo32.exe | PID 936
   - Executes dropped EXE
   - Drops file in System32 directory
63. C:\Windows\SysWOW64\Ogmkne32.exe | cmd: C:\Windows\system32\Ogmkne32.exe | PID 1712
   - Executes dropped EXE
   - Modifies registry class
64. C:\Windows\SysWOW64\Oabplobe.exe | cmd: C:\Windows\system32\Oabplobe.exe | PID 1976
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Ojndpqpq.exe | cmd: C:\Windows\system32\Ojndpqpq.exe | PID 1548
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Oqgmmk32.exe | cmd: C:\Windows\system32\Oqgmmk32.exe | PID 2336
   - Executes dropped EXE
67. C:\Windows\SysWOW64\Ogaeieoj.exe | cmd: C:\Windows\system32\Ogaeieoj.exe | PID 1968
68. C:\Windows\SysWOW64\Omnmal32.exe | cmd: C:\Windows\system32\Omnmal32.exe | PID 2508
69. C:\Windows\SysWOW64\Ofgbkacb.exe | cmd: C:\Windows\system32\Ofgbkacb.exe | PID 2872
70. C:\Windows\SysWOW64\Omqjgl32.exe | cmd: C:\Windows\system32\Omqjgl32.exe | PID 1564
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
71. C:\Windows\SysWOW64\Ofiopaap.exe | cmd: C:\Windows\system32\Ofiopaap.exe | PID 2836
72. C:\Windows\SysWOW64\Pigklmqc.exe | cmd: C:\Windows\system32\Pigklmqc.exe | PID 2264
   - Drops file in System32 directory
   - Modifies registry class
73. C:\Windows\SysWOW64\Pbpoebgc.exe | cmd: C:\Windows\system32\Pbpoebgc.exe | PID 2972
74. C:\Windows\SysWOW64\Pkhdnh32.exe | cmd: C:\Windows\system32\Pkhdnh32.exe | PID 1184
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Pbblkaea.exe | cmd: C:\Windows\system32\Pbblkaea.exe | PID 2956
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
76. C:\Windows\SysWOW64\Pgodcich.exe | cmd: C:\Windows\system32\Pgodcich.exe | PID 1944
77. C:\Windows\SysWOW64\Pqgilnji.exe | cmd: C:\Windows\system32\Pqgilnji.exe | PID 524
78. C:\Windows\SysWOW64\Pkmmigjo.exe | cmd: C:\Windows\system32\Pkmmigjo.exe | PID 2156
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Pchbmigj.exe | cmd: C:\Windows\system32\Pchbmigj.exe | PID 1292
80. C:\Windows\SysWOW64\Pnnfkb32.exe | cmd: C:\Windows\system32\Pnnfkb32.exe | PID 788
81. C:\Windows\SysWOW64\Pegnglnm.exe | cmd: C:\Windows\system32\Pegnglnm.exe | PID 1512
82. C:\Windows\SysWOW64\Qnpcpa32.exe | cmd: C:\Windows\system32\Qnpcpa32.exe | PID 2752
   - System Location Discovery: System Language Discovery
83. C:\Windows\SysWOW64\Qghgigkn.exe | cmd: C:\Windows\system32\Qghgigkn.exe | PID 1232
   - System Location Discovery: System Language Discovery
84. C:\Windows\SysWOW64\Qjgcecja.exe | cmd: C:\Windows\system32\Qjgcecja.exe | PID 2324
85. C:\Windows\SysWOW64\Acohnhab.exe | cmd: C:\Windows\system32\Acohnhab.exe | PID 2580
86. C:\Windows\SysWOW64\Ailqfooi.exe | cmd: C:\Windows\system32\Ailqfooi.exe | PID 2864
87. C:\Windows\SysWOW64\Acadchoo.exe | cmd: C:\Windows\system32\Acadchoo.exe | PID 3028
   - Adds autorun key to be loaded by Explorer.exe on startup
88. C:\Windows\SysWOW64\Aebakp32.exe | cmd: C:\Windows\system32\Aebakp32.exe | PID 2076
89. C:\Windows\SysWOW64\Aphehidc.exe | cmd: C:\Windows\system32\Aphehidc.exe | PID 432
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Ahcjmkbo.exe | cmd: C:\Windows\system32\Ahcjmkbo.exe | PID 2212
91. C:\Windows\SysWOW64\Aicfgn32.exe | cmd: C:\Windows\system32\Aicfgn32.exe | PID 1928
   - Modifies registry class
92. C:\Windows\SysWOW64\Alaccj32.exe | cmd: C:\Windows\system32\Alaccj32.exe | PID 1188
93. C:\Windows\SysWOW64\Ahhchk32.exe | cmd: C:\Windows\system32\Ahhchk32.exe | PID 2356
94. C:\Windows\SysWOW64\Bmelpa32.exe | cmd: C:\Windows\system32\Bmelpa32.exe | PID 2632
95. C:\Windows\SysWOW64\Bfmqigba.exe | cmd: C:\Windows\system32\Bfmqigba.exe | PID 2456
   - System Location Discovery: System Language Discovery
96. C:\Windows\SysWOW64\Bhmmcjjd.exe | cmd: C:\Windows\system32\Bhmmcjjd.exe | PID 1736
   - Drops file in System32 directory
97. C:\Windows\SysWOW64\Bmjekahk.exe | cmd: C:\Windows\system32\Bmjekahk.exe | PID 2480
98. C:\Windows\SysWOW64\Bknfeege.exe | cmd: C:\Windows\system32\Bknfeege.exe | PID 2868
   - System Location Discovery: System Language Discovery
99. C:\Windows\SysWOW64\Bbikig32.exe | cmd: C:\Windows\system32\Bbikig32.exe | PID 2904
100. C:\Windows\SysWOW64\Bmnofp32.exe | cmd: C:\Windows\system32\Bmnofp32.exe | PID 2832
   - Drops file in System32 directory
101. C:\Windows\SysWOW64\Cbkgog32.exe | cmd: C:\Windows\system32\Cbkgog32.exe | PID 1952
102. C:\Windows\SysWOW64\Ceickb32.exe | cmd: C:\Windows\system32\Ceickb32.exe | PID 1924
103. C:\Windows\SysWOW64\Cpjklo32.exe | cmd: C:\Windows\system32\Cpjklo32.exe | PID 2372
   - Modifies registry class
104. C:\Windows\SysWOW64\Dnnkec32.exe | cmd: C:\Windows\system32\Dnnkec32.exe | PID 1784
   - Drops file in System32 directory
105. C:\Windows\SysWOW64\Dlhaaogd.exe | cmd: C:\Windows\system32\Dlhaaogd.exe | PID 2584
106. C:\Windows\SysWOW64\Dbejjfek.exe | cmd: C:\Windows\system32\Dbejjfek.exe | PID 1144
107. C:\Windows\SysWOW64\Dhobgp32.exe | cmd: C:\Windows\system32\Dhobgp32.exe | PID 2340
108. C:\Windows\SysWOW64\Doijcjde.exe | cmd: C:\Windows\system32\Doijcjde.exe | PID 1720
109. C:\Windows\SysWOW64\Dfbbpd32.exe | cmd: C:\Windows\system32\Dfbbpd32.exe | PID 2432
   - System Location Discovery: System Language Discovery
110. C:\Windows\SysWOW64\Eokgij32.exe | cmd: C:\Windows\system32\Eokgij32.exe | PID 864
111. C:\Windows\SysWOW64\Edhpaa32.exe | cmd: C:\Windows\system32\Edhpaa32.exe | PID 2756
112. C:\Windows\SysWOW64\Ekbhnkhf.exe | cmd: C:\Windows\system32\Ekbhnkhf.exe | PID 2912
113. C:\Windows\SysWOW64\Eqopfbfn.exe | cmd: C:\Windows\system32\Eqopfbfn.exe | PID 2732
114. C:\Windows\SysWOW64\Ehfhgogp.exe | cmd: C:\Windows\system32\Ehfhgogp.exe | PID 2188
115. C:\Windows\SysWOW64\Ebnmpemq.exe | cmd: C:\Windows\system32\Ebnmpemq.exe | PID 2524
116. C:\Windows\SysWOW64\Egkehllh.exe | cmd: C:\Windows\system32\Egkehllh.exe | PID 648
   - System Location Discovery: System Language Discovery
117. C:\Windows\SysWOW64\Eqcjaa32.exe | cmd: C:\Windows\system32\Eqcjaa32.exe | PID 2024
   - Drops file in System32 directory
118. C:\Windows\SysWOW64\Efpbih32.exe | cmd: C:\Windows\system32\Efpbih32.exe | PID 2608
119. C:\Windows\SysWOW64\Fcdbcloi.exe | cmd: C:\Windows\system32\Fcdbcloi.exe | PID 816
120. C:\Windows\SysWOW64\Ffboohnm.exe | cmd: C:\Windows\system32\Ffboohnm.exe | PID 1816
121. C:\Windows\SysWOW64\Fqhclqnc.exe | cmd: C:\Windows\system32\Fqhclqnc.exe | PID 1620
122. C:\Windows\SysWOW64\Fbipdi32.exe | cmd: C:\Windows\system32\Fbipdi32.exe | PID 3052
   - Modifies registry class