Analysis
-
max time kernel
88s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 19:00
Behavioral task
behavioral1
Sample
bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe
Resource
win10v2004-20241007-en
General
-
Target
bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe
-
Size
272KB
-
MD5
bc0169f674755d5a0501125d17fe3e80
-
SHA1
942eebaaf3250d47cc181e620f5fad012bb0fc1a
-
SHA256
bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13
-
SHA512
08b1074a23179a2e637c4a14657f3caded77b83d9492c89ba326333462b6cab9e9d91d2cf23b407a673aa767d41d09574286c07a831a29f8e64c691e802e506e
-
SSDEEP
6144:lCBashpTBV+ByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:ChpT6ByvNv54B9f01ZmHByvNv5
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kijkje32.exeHjaeba32.exeNdicnb32.exeJelhmlgm.exeJkimpfmg.exeJeaahk32.exeLophacfl.exeGhofam32.exePcdldknm.exeMkacfiga.exeBpcfcddp.exeMhdpnm32.exePlpqim32.exeIgoomk32.exePjoklkie.exeObjmgd32.exeFmnopp32.exeFdiqpigl.exeGgfbpaeo.exePpdfimji.exeEpnkip32.exeIjibng32.exePjihmmbk.exeIjaaae32.exePadjmfdg.exeGoiafp32.exeCjoilfek.exeEcnpdnho.exeNjpihk32.exeMoeeelhn.exeCbpbgk32.exeObhpad32.exeDppigchi.exeCglalbbi.exeGajqbakc.exeNkobpmlo.exeFpmned32.exeJoblkegc.exeNnmlcp32.exeHieiqo32.exeHgkfal32.exeIgmbgk32.exeMbnocipg.exePdhpdq32.exeEaqkcimg.exeNnodgbed.exeFcmdnfad.exeGdhdkn32.exeJdhifooi.exeLnjldf32.exeLplbjm32.exeMojbaham.exeKfggkc32.exeMhhiiloh.exeBfdenafn.exeEjcofica.exeAifjgdkj.exeIchmgl32.exeJgmaog32.exeMehpga32.exeMobaef32.exeMhkfnlme.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kijkje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjaeba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndicnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jelhmlgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkimpfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeaahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lophacfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghofam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdldknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkacfiga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcfcddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdpnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjoklkie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmnopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggfbpaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdfimji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Goiafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecnpdnho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moeeelhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbpbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhpad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglalbbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkobpmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndicnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpcfcddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joblkegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnmlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hieiqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkfal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdhpdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eaqkcimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdhdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lplbjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojbaham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfggkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhiiloh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcofica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aifjgdkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgmaog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehpga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobaef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhkfnlme.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Knmdeioh.exeKpkpadnl.exeLcjlnpmo.exeLocjhqpa.exeLgqkbb32.exeLgchgb32.exeMkqqnq32.exeMggabaea.exeMfmndn32.exeMqbbagjo.exeNbflno32.exeNnmlcp32.exeNbjeinje.exeNnafnopi.exeNapbjjom.exeNenkqi32.exeOfadnq32.exeOaghki32.exeOjomdoof.exeOlpilg32.exeOffmipej.exeOmpefj32.exeObmnna32.exeOiffkkbk.exeOemgplgo.exePhlclgfc.exePepcelel.exePkmlmbcd.exePhqmgg32.exePkoicb32.exePaiaplin.exePidfdofi.exePghfnc32.exePifbjn32.exeQppkfhlc.exeQndkpmkm.exeQjklenpa.exeAohdmdoh.exeApgagg32.exeAfdiondb.exeAakjdo32.exeAlqnah32.exeAficjnpm.exeAhgofi32.exeAoagccfn.exeAndgop32.exeBkhhhd32.exeBqeqqk32.exeBccmmf32.exeBniajoic.exeBdcifi32.exeBfdenafn.exeBoljgg32.exeBffbdadk.exeBmpkqklh.exeBcjcme32.exeBigkel32.exeBkegah32.exeCmedlk32.exeCocphf32.exeCfmhdpnc.exeCileqlmg.exeCkjamgmk.exeCbdiia32.exepid Process 2340 Knmdeioh.exe 572 Kpkpadnl.exe 2904 Lcjlnpmo.exe 2844 Locjhqpa.exe 3016 Lgqkbb32.exe 2704 Lgchgb32.exe 892 Mkqqnq32.exe 2004 Mggabaea.exe 1588 Mfmndn32.exe 1292 Mqbbagjo.exe 1664 Nbflno32.exe 468 Nnmlcp32.exe 2940 Nbjeinje.exe 2212 Nnafnopi.exe 2168 Napbjjom.exe 1004 Nenkqi32.exe 1968 Ofadnq32.exe 2052 Oaghki32.exe 2304 Ojomdoof.exe 1708 Olpilg32.exe 956 Offmipej.exe 2108 Ompefj32.exe 2332 Obmnna32.exe 1964 Oiffkkbk.exe 2568 Oemgplgo.exe 296 Phlclgfc.exe 3060 Pepcelel.exe 1940 Pkmlmbcd.exe 600 Phqmgg32.exe 2836 Pkoicb32.exe 2872 Paiaplin.exe 2384 Pidfdofi.exe 1060 Pghfnc32.exe 1212 Pifbjn32.exe 276 Qppkfhlc.exe 928 Qndkpmkm.exe 1988 Qjklenpa.exe 2000 Aohdmdoh.exe 852 Apgagg32.exe 1884 Afdiondb.exe 544 Aakjdo32.exe 328 Alqnah32.exe 644 Aficjnpm.exe 1368 Ahgofi32.exe 1728 Aoagccfn.exe 692 Andgop32.exe 824 Bkhhhd32.exe 2596 Bqeqqk32.exe 1440 Bccmmf32.exe 2676 Bniajoic.exe 2100 Bdcifi32.exe 2524 Bfdenafn.exe 2984 Boljgg32.exe 2988 Bffbdadk.exe 2880 Bmpkqklh.exe 2136 Bcjcme32.exe 1408 Bigkel32.exe 1996 Bkegah32.exe 1620 Cmedlk32.exe 772 Cocphf32.exe 3028 Cfmhdpnc.exe 580 Cileqlmg.exe 2024 Ckjamgmk.exe 1468 Cbdiia32.exe -
Loads dropped DLL 64 IoCs
Processes:
bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exeKnmdeioh.exeKpkpadnl.exeLcjlnpmo.exeLocjhqpa.exeLgqkbb32.exeLgchgb32.exeMkqqnq32.exeMggabaea.exeMfmndn32.exeMqbbagjo.exeNbflno32.exeNnmlcp32.exeNbjeinje.exeNnafnopi.exeNapbjjom.exeNenkqi32.exeOfadnq32.exeOaghki32.exeOjomdoof.exeOlpilg32.exeOffmipej.exeOmpefj32.exeObmnna32.exeOiffkkbk.exeOemgplgo.exePhlclgfc.exePepcelel.exePkmlmbcd.exePhqmgg32.exePkoicb32.exePaiaplin.exepid Process 2316 bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe 2316 bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe 2340 Knmdeioh.exe 2340 Knmdeioh.exe 572 Kpkpadnl.exe 572 Kpkpadnl.exe 2904 Lcjlnpmo.exe 2904 Lcjlnpmo.exe 2844 Locjhqpa.exe 2844 Locjhqpa.exe 3016 Lgqkbb32.exe 3016 Lgqkbb32.exe 2704 Lgchgb32.exe 2704 Lgchgb32.exe 892 Mkqqnq32.exe 892 Mkqqnq32.exe 2004 Mggabaea.exe 2004 Mggabaea.exe 1588 Mfmndn32.exe 1588 Mfmndn32.exe 1292 Mqbbagjo.exe 1292 Mqbbagjo.exe 1664 Nbflno32.exe 1664 Nbflno32.exe 468 Nnmlcp32.exe 468 Nnmlcp32.exe 2940 Nbjeinje.exe 2940 Nbjeinje.exe 2212 Nnafnopi.exe 2212 Nnafnopi.exe 2168 Napbjjom.exe 2168 Napbjjom.exe 1004 Nenkqi32.exe 1004 Nenkqi32.exe 1968 Ofadnq32.exe 1968 Ofadnq32.exe 2052 Oaghki32.exe 2052 Oaghki32.exe 2304 Ojomdoof.exe 2304 Ojomdoof.exe 1708 Olpilg32.exe 1708 Olpilg32.exe 956 Offmipej.exe 956 Offmipej.exe 2108 Ompefj32.exe 2108 Ompefj32.exe 2332 Obmnna32.exe 2332 Obmnna32.exe 1964 Oiffkkbk.exe 1964 Oiffkkbk.exe 2568 Oemgplgo.exe 2568 Oemgplgo.exe 296 Phlclgfc.exe 296 Phlclgfc.exe 3060 Pepcelel.exe 3060 Pepcelel.exe 1940 Pkmlmbcd.exe 1940 Pkmlmbcd.exe 600 Phqmgg32.exe 600 Phqmgg32.exe 2836 Pkoicb32.exe 2836 Pkoicb32.exe 2872 Paiaplin.exe 2872 Paiaplin.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pjihmmbk.exeEmoldlmc.exeLafahdcc.exeKlkfdi32.exeOdmckcmq.exeQobdgo32.exeDfhdnn32.exePaiche32.exeBnlphh32.exeCmmcpi32.exeFgjjad32.exeKfaalh32.exeOqojhp32.exeAjamfh32.exeBigkel32.exePebbcdkn.exeBheaiekc.exeBmpkqklh.exeJpgmpk32.exeIianmlfn.exeGecpnp32.exeCodbqonk.exeDgqion32.exeBkegah32.exeGlchpp32.exeAnjnnk32.exeLidgcclp.exeMoeeelhn.exeFbngfo32.exeBedamd32.exeHdecea32.exeEinlmkhp.exeJoppeeif.exeDkeoongd.exeJeclebja.exeIgceej32.exeAkfnkmei.exeBlnpddeo.exePdhpdq32.exeMoenkf32.exePbepkh32.exeHieiqo32.exeKocpbfei.exeEaebeoan.exeIqhfnifq.exeDqinhcoc.exeFcmdnfad.exeDafoikjb.exeNomkfk32.exeOfafgipc.exePndalkgf.exeCegoqlof.exeHinbppna.exeHokhbj32.exeLegaoehg.exeMhjcec32.exeBnochnpm.exeGcjmmdbf.exePhehko32.exeObecld32.exeOmpefj32.exeEbnabb32.exeHfhfhbce.exeIaimipjl.exedescription ioc Process File created C:\Windows\SysWOW64\Faiboc32.dll Pjihmmbk.exe File opened for modification C:\Windows\SysWOW64\Epnhpglg.exe Emoldlmc.exe File opened for modification C:\Windows\SysWOW64\Mdendpbg.exe Lafahdcc.exe File created C:\Windows\SysWOW64\Imjjki32.dll Klkfdi32.exe File created C:\Windows\SysWOW64\Ojglhm32.exe Odmckcmq.exe File opened for modification C:\Windows\SysWOW64\Qhkipdeb.exe Qobdgo32.exe File created C:\Windows\SysWOW64\Difqji32.exe Dfhdnn32.exe File created C:\Windows\SysWOW64\Pdhpdq32.exe Paiche32.exe File opened for modification C:\Windows\SysWOW64\Blnpddeo.exe Bnlphh32.exe File opened for modification C:\Windows\SysWOW64\Ccgklc32.exe Cmmcpi32.exe File created C:\Windows\SysWOW64\Fpbnjjkm.exe Fgjjad32.exe File created C:\Windows\SysWOW64\Kmkihbho.exe Kfaalh32.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Oqojhp32.exe File created C:\Windows\SysWOW64\Olqdoelc.dll Ajamfh32.exe File created C:\Windows\SysWOW64\Bnjdhe32.dll Bigkel32.exe File created C:\Windows\SysWOW64\Olqhfa32.dll Pebbcdkn.exe File created C:\Windows\SysWOW64\Nmmgbn32.dll Bheaiekc.exe File opened for modification C:\Windows\SysWOW64\Bcjcme32.exe Bmpkqklh.exe File created C:\Windows\SysWOW64\Iddpheep.dll Jpgmpk32.exe File opened for modification C:\Windows\SysWOW64\Iqhfnifq.exe Iianmlfn.exe File created C:\Windows\SysWOW64\Ghbljk32.exe Gecpnp32.exe File opened for modification C:\Windows\SysWOW64\Cfnkmi32.exe Codbqonk.exe File created C:\Windows\SysWOW64\Acpchmhl.dll Dgqion32.exe File created C:\Windows\SysWOW64\Lmajfk32.dll Bkegah32.exe File created C:\Windows\SysWOW64\Gqodqodl.exe Glchpp32.exe File created C:\Windows\SysWOW64\Addfkeid.exe Anjnnk32.exe File opened for modification C:\Windows\SysWOW64\Lpnopm32.exe Lidgcclp.exe File opened for modification C:\Windows\SysWOW64\Mfpmbf32.exe Moeeelhn.exe File created C:\Windows\SysWOW64\Lceeqk32.dll Fbngfo32.exe File opened for modification C:\Windows\SysWOW64\Blniinac.exe Bedamd32.exe File created C:\Windows\SysWOW64\Kjdepgcg.dll Hdecea32.exe File opened for modification C:\Windows\SysWOW64\Ephdjeol.exe Einlmkhp.exe File opened for modification C:\Windows\SysWOW64\Jfjhbo32.exe Joppeeif.exe File created C:\Windows\SysWOW64\Doqkpl32.exe Dkeoongd.exe File created C:\Windows\SysWOW64\Jhahanie.exe Jeclebja.exe File created C:\Windows\SysWOW64\Ijaaae32.exe Igceej32.exe File created C:\Windows\SysWOW64\Bapfhg32.exe Akfnkmei.exe File opened for modification C:\Windows\SysWOW64\Bfgdmjlp.exe Blnpddeo.exe File created C:\Windows\SysWOW64\Gknfqppk.dll Pdhpdq32.exe File opened for modification C:\Windows\SysWOW64\Mnhnfckm.exe Moenkf32.exe File created C:\Windows\SysWOW64\Piohgbng.exe Pbepkh32.exe File created C:\Windows\SysWOW64\Eldhjg32.dll Hieiqo32.exe File created C:\Windows\SysWOW64\Kdphjm32.exe Kocpbfei.exe File created C:\Windows\SysWOW64\Ephbal32.exe Eaebeoan.exe File created C:\Windows\SysWOW64\Landhm32.dll Iqhfnifq.exe File opened for modification C:\Windows\SysWOW64\Efffpjmk.exe Dqinhcoc.exe File created C:\Windows\SysWOW64\Fhjmfnok.exe Fcmdnfad.exe File opened for modification C:\Windows\SysWOW64\Deakjjbk.exe Dafoikjb.exe File created C:\Windows\SysWOW64\Nffccejb.exe Nomkfk32.exe File created C:\Windows\SysWOW64\Omlncc32.exe Ofafgipc.exe File created C:\Windows\SysWOW64\Plhaeofp.exe Pndalkgf.exe File created C:\Windows\SysWOW64\Cfhkhd32.exe Cegoqlof.exe File opened for modification C:\Windows\SysWOW64\Hohkmj32.exe Hinbppna.exe File opened for modification C:\Windows\SysWOW64\Hnnhngjf.exe Hokhbj32.exe File created C:\Windows\SysWOW64\Okjejkao.dll Legaoehg.exe File created C:\Windows\SysWOW64\Mqehjecl.exe Mhjcec32.exe File created C:\Windows\SysWOW64\Egjeoijn.dll Bnochnpm.exe File created C:\Windows\SysWOW64\Kfeaomqq.dll Gcjmmdbf.exe File opened for modification C:\Windows\SysWOW64\Qmbqcf32.exe Phehko32.exe File created C:\Windows\SysWOW64\Ogbldk32.exe Obecld32.exe File opened for modification C:\Windows\SysWOW64\Obmnna32.exe Ompefj32.exe File created C:\Windows\SysWOW64\Eihjolae.exe Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe Hfhfhbce.exe File created C:\Windows\SysWOW64\Igceej32.exe Iaimipjl.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 7332 1984 WerFault.exe 817 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Opialpld.exeGagmbkik.exeJoblkegc.exeAdblnnbk.exeBkegah32.exeGkalhgfd.exeHegpjaac.exeDmgmpnhl.exeFhjmfnok.exeEiciig32.exeKhohkamc.exeAddfkeid.exeJpgmpk32.exeOibohdmd.exeGcmcebkc.exeLgqkbb32.exeApgagg32.exeIbipmiek.exeLijiaabk.exeMnblhddb.exeDjicmk32.exeQjklenpa.exeCocphf32.exeLhlqjone.exePadjmfdg.exeEfmckpko.exeHhmhcigh.exeBfjkphjd.exePbgjgomc.exeMakkcc32.exeOepjoa32.exePimkbbpi.exeEjcofica.exeEhjqgjmp.exeIkjhki32.exeLaahme32.exeAcnlgajg.exeGqdgom32.exeAkdafn32.exeGmidlmcd.exeKiofnm32.exeNbflno32.exeGdcjpncm.exeJbbccgmp.exePpdfimji.exeApilcoho.exeAifjgdkj.exeEikimeff.exeEpeekmjk.exeImaapa32.exeBapfhg32.exeQjfalj32.exeAfmbak32.exeDonojm32.exeJigbebhb.exePaaddgkj.exeJfohgepi.exeGlchpp32.exeJlqjkk32.exeMaoalb32.exeJbphgpfg.exeDaaenlng.exeEpeoaffo.exeJnofgg32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adblnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkalhgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegpjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjmfnok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiciig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khohkamc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibohdmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibipmiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijiaabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnblhddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djicmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlqjone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padjmfdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmckpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhmhcigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjkphjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgjgomc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Makkcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimkbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcofica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laahme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmidlmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiofnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcjpncm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdfimji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apilcoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifjgdkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikimeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeekmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapfhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfalj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmbak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigbebhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paaddgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glchpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqjkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbphgpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeoaffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe -
Modifies registry class 64 IoCs
Processes:
Lnjldf32.exeAcicla32.exeMainndaq.exeGgdekbgb.exeDoqkpl32.exeOniebmda.exeAkpkmo32.exeIjcngenj.exePiadma32.exeIgceej32.exePglojj32.exeOiffkkbk.exeKmkihbho.exeLdbaopdj.exeOmbddbah.exeCfnkmi32.exeCaifjn32.exeOnnnml32.exeNgjlpmnn.exeGcppkbia.exeCbjnqh32.exeJokqnhpa.exeEkghcq32.exeOemgplgo.exeQiflohqk.exeBkbdabog.exeEbnabb32.exeIfmocb32.exeEfmckpko.exeElgfkhpi.exeKfnnlboi.exeJbbccgmp.exeJbhebfck.exeKocpbfei.exeEbockkal.exeMlafkb32.exeBdkhjgeh.exeCjoilfek.exeBfdenafn.exeBkegah32.exeFeggob32.exeEifmimch.exeLhimji32.exeApgagg32.exeBlkjkflb.exeNfjildbp.exeClnehado.exeAknngo32.exeGigkbm32.exeLpfnckhe.exeMgbcfdmo.exeIbcphc32.exeLifcib32.exeAblbjj32.exeEfljhq32.exeHnhgha32.exeLafahdcc.exeOcefpnom.exeFfgfancd.exeLpdankjg.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdecfn32.dll" Acicla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mainndaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnqffif.dll" Ggdekbgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhalbm32.dll" Doqkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oniebmda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijcngenj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piadma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaiqn32.dll" Oiffkkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldbaopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoochol.dll" Ombddbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfnkmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejilio32.dll" Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngjlpmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ombddbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbigm32.dll" Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jokqnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiabmg32.dll" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahildbb.dll" Qiflohqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkbdabog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efmckpko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qiflohqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnljbp.dll" Kfnnlboi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbbccgmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll" Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdkhjgeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqbnn32.dll" Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhohnoea.dll" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhimji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbccb32.dll" Blkjkflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggdekbgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbldk32.dll" Clnehado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccboal32.dll" Gigkbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjkhlkg.dll" Mgbcfdmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibcphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdaehpn.dll" Ablbjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpkfe32.dll" Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lafahdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eencfjlb.dll" Ocefpnom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qccnpi32.dll" Ffgfancd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpdankjg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exeKnmdeioh.exeKpkpadnl.exeLcjlnpmo.exeLocjhqpa.exeLgqkbb32.exeLgchgb32.exeMkqqnq32.exeMggabaea.exeMfmndn32.exeMqbbagjo.exeNbflno32.exeNnmlcp32.exeNbjeinje.exeNnafnopi.exeNapbjjom.exedescription pid Process procid_target PID 2316 wrote to memory of 2340 2316 bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe 31 PID 2316 wrote to memory of 2340 2316 bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe 31 PID 2316 wrote to memory of 2340 2316 bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe 31 PID 2316 wrote to memory of 2340 2316 bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe 31 PID 2340 wrote to memory of 572 2340 Knmdeioh.exe 32 PID 2340 wrote to memory of 572 2340 Knmdeioh.exe 32 PID 2340 wrote to memory of 572 2340 Knmdeioh.exe 32 PID 2340 wrote to memory of 572 2340 Knmdeioh.exe 32 PID 572 wrote to memory of 2904 572 Kpkpadnl.exe 33 PID 572 wrote to memory of 2904 572 Kpkpadnl.exe 33 PID 572 wrote to memory of 2904 572 Kpkpadnl.exe 33 PID 572 wrote to memory of 2904 572 Kpkpadnl.exe 33 PID 2904 wrote to memory of 2844 2904 Lcjlnpmo.exe 34 PID 2904 wrote to memory of 2844 2904 Lcjlnpmo.exe 34 PID 2904 wrote to memory of 2844 2904 Lcjlnpmo.exe 34 PID 2904 wrote to memory of 2844 2904 Lcjlnpmo.exe 34 PID 2844 wrote to memory of 3016 2844 Locjhqpa.exe 35 PID 2844 wrote to memory of 3016 2844 Locjhqpa.exe 35 PID 2844 wrote to memory of 3016 2844 Locjhqpa.exe 35 PID 2844 wrote to memory of 3016 2844 Locjhqpa.exe 35 PID 3016 wrote to memory of 2704 3016 Lgqkbb32.exe 36 PID 3016 wrote to memory of 2704 3016 Lgqkbb32.exe 36 PID 3016 wrote to memory of 2704 3016 Lgqkbb32.exe 36 PID 3016 wrote to memory of 2704 3016 Lgqkbb32.exe 36 PID 2704 wrote to memory of 892 2704 Lgchgb32.exe 37 PID 2704 wrote to memory of 892 2704 Lgchgb32.exe 37 PID 2704 wrote to memory of 892 2704 Lgchgb32.exe 37 PID 2704 wrote to memory of 892 2704 Lgchgb32.exe 37 PID 892 wrote to memory of 2004 892 Mkqqnq32.exe 38 PID 892 wrote to memory of 2004 892 Mkqqnq32.exe 38 PID 892 wrote to memory of 2004 892 Mkqqnq32.exe 38 PID 892 wrote to memory of 2004 892 Mkqqnq32.exe 38 PID 2004 wrote to memory of 1588 2004 Mggabaea.exe 39 PID 2004 wrote to memory of 1588 2004 Mggabaea.exe 39 PID 2004 wrote to memory of 1588 2004 Mggabaea.exe 39 PID 2004 wrote to memory of 1588 2004 Mggabaea.exe 39 PID 1588 wrote to memory of 1292 1588 Mfmndn32.exe 40 PID 1588 wrote to memory of 1292 1588 Mfmndn32.exe 40 PID 1588 wrote to memory of 1292 1588 Mfmndn32.exe 40 PID 1588 wrote to memory of 1292 1588 Mfmndn32.exe 40 PID 1292 wrote to memory of 1664 1292 Mqbbagjo.exe 41 PID 1292 wrote to memory of 1664 1292 Mqbbagjo.exe 41 PID 1292 wrote to memory of 1664 1292 Mqbbagjo.exe 41 PID 1292 wrote to memory of 1664 1292 Mqbbagjo.exe 41 PID 1664 wrote to memory of 468 1664 Nbflno32.exe 42 PID 1664 wrote to memory of 468 1664 Nbflno32.exe 42 PID 1664 wrote to memory of 468 1664 Nbflno32.exe 42 PID 1664 wrote to memory of 468 1664 Nbflno32.exe 42 PID 468 wrote to memory of 2940 468 Nnmlcp32.exe 43 PID 468 wrote to memory of 2940 468 Nnmlcp32.exe 43 PID 468 wrote to memory of 2940 468 Nnmlcp32.exe 43 PID 468 wrote to memory of 2940 468 Nnmlcp32.exe 43 PID 2940 wrote to memory of 2212 2940 Nbjeinje.exe 44 PID 2940 wrote to memory of 2212 2940 Nbjeinje.exe 44 PID 2940 wrote to memory of 2212 2940 Nbjeinje.exe 44 PID 2940 wrote to memory of 2212 2940 Nbjeinje.exe 44 PID 2212 wrote to memory of 2168 2212 Nnafnopi.exe 45 PID 2212 wrote to memory of 2168 2212 Nnafnopi.exe 45 PID 2212 wrote to memory of 2168 2212 Nnafnopi.exe 45 PID 2212 wrote to memory of 2168 2212 Nnafnopi.exe 45 PID 2168 wrote to memory of 1004 2168 Napbjjom.exe 46 PID 2168 wrote to memory of 1004 2168 Napbjjom.exe 46 PID 2168 wrote to memory of 1004 2168 Napbjjom.exe 46 PID 2168 wrote to memory of 1004 2168 Napbjjom.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe"C:\Users\Admin\AppData\Local\Temp\bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe33⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe34⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe35⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe36⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe37⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe39⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe41⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe42⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe43⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe44⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe45⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe46⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe47⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe48⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe49⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe50⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe51⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe52⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe54⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe55⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe57⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe60⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe62⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe63⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe64⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe65⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe66⤵PID:944
-
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe67⤵PID:2368
-
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe68⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe69⤵PID:2608
-
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe70⤵PID:1668
-
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe71⤵PID:2788
-
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe72⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe73⤵PID:2816
-
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe74⤵PID:2876
-
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe75⤵PID:2832
-
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe76⤵PID:1484
-
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe77⤵PID:2060
-
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe78⤵PID:1460
-
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe79⤵PID:1560
-
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe80⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe81⤵PID:3036
-
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe82⤵PID:1320
-
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe83⤵PID:1836
-
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe84⤵PID:1720
-
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe85⤵PID:2408
-
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe86⤵PID:2188
-
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe87⤵PID:2648
-
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe88⤵PID:2856
-
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe89⤵PID:2900
-
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe90⤵PID:2728
-
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe91⤵PID:2220
-
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe92⤵PID:1476
-
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe93⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe94⤵PID:1500
-
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe95⤵PID:2744
-
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe96⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe97⤵PID:3032
-
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe98⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe99⤵PID:1480
-
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe100⤵PID:1228
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe101⤵PID:1016
-
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe102⤵PID:1536
-
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe103⤵PID:3000
-
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe104⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe106⤵PID:1248
-
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe107⤵PID:1956
-
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe109⤵
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe110⤵PID:2256
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe111⤵PID:2480
-
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe112⤵PID:1264
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe113⤵PID:2092
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe114⤵PID:2468
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe115⤵
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe117⤵PID:1820
-
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe118⤵PID:1824
-
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe119⤵PID:856
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe120⤵PID:2476
-
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe122⤵
- System Location Discovery: System Language Discovery
PID:968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-