Analysis
- max time kernel: 114s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2024 12:58
Static task
- static1
Behavioral task
- behavioral1
  Sample: f8a454bc351ff2a4ff782523f4e32fd47eed1b089083b0dc2507f744ec6c2e4f.exe
  Resource: win7-20241010-en
Behavioral task
- behavioral2
  Sample: f8a454bc351ff2a4ff782523f4e32fd47eed1b089083b0dc2507f744ec6c2e4f.exe
  Resource: win10v2004-20241007-en
General
- Target: f8a454bc351ff2a4ff782523f4e32fd47eed1b089083b0dc2507f744ec6c2e4f.exe
- Size: 374KB
- MD5: a84c1c3792c8c92b3a43336a48d90e57
- SHA1: 10889bb462e45bdd8199d4ea29bd17e7dd7c656f
- SHA256: f8a454bc351ff2a4ff782523f4e32fd47eed1b089083b0dc2507f744ec6c2e4f
- SHA512: 52ca851d0b754fe4c832ab7d2c0ef40ad07fa8594b14c12514862b1810e3b5028eae7927c1b86929a3ee63619e1d760113b1594a9e6b8ed58ef1508f561f0499
- SSDEEP: 6144:0YLn4MvAwR+Eu6QnFw5+0pU8oStTf3runG/qoxfIkeI1SHkF63lngMBdkw8ZF+Y:0mQYE6uidyzwr6AxfLeI1Su63lgMBdID
Malware Config
Extracted: berbew
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
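The three URLs above are the beacon templates recovered from the sample's configuration. The host is shown only as `f`, and the third URL is a printf-style template: `%s`, `%i`, `%09u` and `%02d` are filled in at run time (the trailing `%02d:%02d:%02d` has the shape of an hh:mm:ss timestamp), so the literal string will never appear on the wire and cannot be used as a plain indicator. The script below is an added example and is not part of the sandbox report: it turns each template into an anchored regular expression over path and query only (the host is ignored because the page does not show it) and runs the result over a few constructed Squid-format proxy log lines. The hostname `c2.example.invalid`, the client addresses and all field values in those log lines are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Beacon URL templates as recovered from the sample's configuration above. The host
# appears only as "f" on the page, so matching below is done on path and query only.
BEACON_TEMPLATES = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# One printf conversion: optional flags, optional width, and a conversion we model.
_SPEC = re.compile(r"%(?P<flags>[-+ #0]*)(?P<width>\d*)(?P<conv>[sdiu])")


def printf_to_regex(template):
    """Compile a printf-style path/query template into an anchored regex string.

    %s          -> a run of characters containing no ':' (the field separator here),
                   '&' or whitespace
    %d / %i     -> optional sign then digits; a zero-padded width N means N or more digits
    %u          -> digits only, same width rule
    Everything else is literal and escaped, so '?' and '.' match themselves.
    """
    out, pos = [], 0
    for m in _SPEC.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        zero_padded = "0" in m.group("flags") and m.group("width")
        min_digits = m.group("width") if zero_padded else "1"
        if m.group("conv") == "s":
            out.append(r"[^:&\s]*")
        elif m.group("conv") == "u":
            out.append(r"\d{%s,}" % min_digits)
        else:
            out.append(r"-?\d{%s,}" % min_digits)
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return "^" + "".join(out) + "$"


def _path_and_query(url):
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def beacon_patterns():
    """Map each template's path+query to its compiled regex."""
    return {_path_and_query(t): re.compile(printf_to_regex(_path_and_query(t)))
            for t in BEACON_TEMPLATES}


def scan_proxy_log(lines):
    """Return one hit per proxy log line whose requested path+query fits a template.

    Lines are expected in Squid native access.log field order:
    timestamp elapsed client action/code bytes method URL ident hierarchy/peer type
    """
    patterns = beacon_patterns()
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        url = fields[6]
        target = _path_and_query(url)
        for template, rx in patterns.items():
            if rx.match(target):
                hits.append({"client": fields[2], "host": urlsplit(url).hostname,
                             "template": template, "url": url})
                break
    return hits


# Constructed proxy log lines (not from the report): c2.example.invalid, the client
# addresses and every field value are made up. Two lines fit the templates, two do not.
SAMPLE_PROXY_LOG = [
    "1732193900.123 45 10.0.0.5 TCP_MISS/200 512 GET http://c2.example.invalid/piplog.php?WIN7-PC:2:0:user:000001234:7:12:58:03 - HIER_DIRECT/203.0.113.10 text/html",
    "1732193901.001 30 10.0.0.5 TCP_MISS/200 88 GET http://c2.example.invalid/ppslog.php - HIER_DIRECT/203.0.113.10 text/html",
    "1732193902.500 12 10.0.0.7 TCP_HIT/200 2048 GET http://www.example.com/piplog.php?missing:fields - NONE/- text/html",
    "1732193903.250 20 10.0.0.9 TCP_MISS/200 1024 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.1 text/html",
]

if __name__ == "__main__":
    for pattern in beacon_patterns().values():
        print(pattern.pattern)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The `%s` fields are matched as "anything but the field separator", which keeps the pattern usable when hostnames or user names contain characters the example did not anticipate; the zero-padded widths (`%09u`, `%02d`) are the tightest constraints and are what separates this beacon from an unrelated `piplog.php` on some other site. If the real host is later learned, add it as a separate indicator rather than baking it into the path regex.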
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (36 IoCs) by: Elgioe32.exe, Condfo32.exe, Dnbfkh32.exe, Plnhbk32.exe, Mooppe32.exe, Hnocgnoc.exe, Pkbcjn32.exe, Fnnbfjmp.exe, Lcjamb32.exe, Mkqbhf32.exe, Oqibjq32.exe, Infhmmhi.exe, Hnimgcjd.exe, Heqfdh32.exe, Eghcckld.exe, Igcnfhob.exe, Emailhfb.exe, Bpieli32.exe, Bdnmda32.exe, Pabidiko.exe, Mjeholco.exe, Dndahokk.exe, Anonqq32.exe, Cddqod32.exe, Kneflplf.exe, Gqkqbe32.exe, Akldhi32.exe, Obpflhmi.exe, Bflghh32.exe, Kffblb32.exe, Pmcjceam.exe, Fkdoii32.exe, Ieglfd32.exe, Mdkcgk32.exe, plus two entries with no process name
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (28 IoCs) by: Ekppjmia.exe, Qeakmg32.exe, Bcbedm32.exe, Kifgllbc.exe, Bjlnaghp.exe, Hmfjda32.exe, Pifdog32.exe, Pghmeikh.exe, Dndahokk.exe, Fclmem32.exe, Oljbil32.exe, Iilalc32.exe, Kcpcjl32.exe, Dbgknc32.exe, Nbaafocg.exe, Cdpdpl32.exe, Jjfiap32.exe, Lcbbidgl.exe, Obbbbhkf.exe, Oiniaboi.exe, Phphgf32.exe, Qmlief32.exe, Kelqff32.exe, Okkfoikl.exe, Qokjcc32.exe, Ipnigl32.exe, Gpiadq32.exe, Fkgemh32.exe
- Berbew family
- Executes dropped EXE (64 IoCs)
  pid Process: 2276 Cakfcfoc.exe, 2868 Cancif32.exe, 2876 Dmljnfll.exe, 2764 Doocln32.exe, 2788 Dbmlal32.exe, 2564 Dodlfmlb.exe, 1748 Dofilm32.exe, 2784 Elgioe32.exe, 2176 Fjdpgnee.exe, 1952 Fjfllm32.exe, 1028 Gfdcbmbn.exe, 1756 Gbkdgn32.exe, 2412 Heqfdh32.exe, 2336 Hcfceeff.exe, 1392 Ipcjje32.exe, 824 Iagchmjn.exe, 1808 Jpajdi32.exe, 2468 Kphpdhdh.exe, 552 Keehmobp.exe, 1660 Kegebn32.exe, 2164 Kneflplf.exe, 1048 Khjkiikl.exe, 2796 Lnipgp32.exe, 2392 Lcfhpf32.exe, 2380 Llainlje.exe, 1572 Lhhjcmpj.exe, 2976 Lhjghlng.exe, 2136 Mkkpjg32.exe, 2620 Mgaqohql.exe, 2560 Mkpieggc.exe, 1308 Mflgkd32.exe, 2256 Nbbhpegc.exe, 2948 Npfhjifm.exe, 2920 Nfbmlckg.exe, 2300 Npkaei32.exe, 1868 Oaaghp32.exe, 1240 Oiniaboi.exe, 2272 Obgmjh32.exe, 2104 Ofefqf32.exe, 2408 Pieobaiq.exe, 2244 Pbnckg32.exe, 2168 Pkihpi32.exe, 1428 Pkkeeikj.exe, 1556 Pdffcn32.exe, 1656 Qicoleno.exe, 1288 Qkbkfh32.exe, 1676 Aellfe32.exe, 520 Apapcnaf.exe, 2376 Ajjeld32.exe, 2968 Aaeiqf32.exe, 2724 Alknnodh.exe, 2756 Akpkok32.exe, 2884 Anngkg32.exe, 2828 Bblpae32.exe, 2712 Bgihjl32.exe, 2900 Bqambacb.exe, 2212 Bjjakg32.exe, 1248 Bcbedm32.exe, 1088 Bjlnaghp.exe, 2060 Bgpnjkgi.exe, 572 Bjnjfffm.exe, 2456 Cihqbb32.exe, 1600 Ckijdm32.exe, 2404 Cnjbfhqa.exe
- Loads dropped DLL (64 IoCs)
  pid Process (each pid appears twice in the report's list): 2172 f8a454bc351ff2a4ff782523f4e32fd47eed1b089083b0dc2507f744ec6c2e4f.exe, 2276 Cakfcfoc.exe, 2868 Cancif32.exe, 2876 Dmljnfll.exe, 2764 Doocln32.exe, 2788 Dbmlal32.exe, 2564 Dodlfmlb.exe, 1748 Dofilm32.exe, 2784 Elgioe32.exe, 2176 Fjdpgnee.exe, 1952 Fjfllm32.exe, 1028 Gfdcbmbn.exe, 1756 Gbkdgn32.exe, 2412 Heqfdh32.exe, 2336 Hcfceeff.exe, 1392 Ipcjje32.exe, 824 Iagchmjn.exe, 1808 Jpajdi32.exe, 2468 Kphpdhdh.exe, 552 Keehmobp.exe, 1660 Kegebn32.exe, 2164 Kneflplf.exe, 1048 Khjkiikl.exe, 2796 Lnipgp32.exe, 2392 Lcfhpf32.exe, 2380 Llainlje.exe, 1572 Lhhjcmpj.exe, 2976 Lhjghlng.exe, 2136 Mkkpjg32.exe, 2620 Mgaqohql.exe, 2560 Mkpieggc.exe, 1308 Mflgkd32.exe
- Drops file in System32 directory (64 IoCs)
  File created C:\Windows\SysWOW64\Abaaakob.exe Aihmhe32.exe
  File opened for modification C:\Windows\SysWOW64\Aomdpj32.exe Qokhjjbk.exe
  File created C:\Windows\SysWOW64\Dhihnldi.dll Cagpldqg.exe
  File created C:\Windows\SysWOW64\Fcmlpd32.dll Eakkkdnm.exe
  File opened for modification C:\Windows\SysWOW64\Nglmifca.exe Mdkcgk32.exe
  File opened for modification C:\Windows\SysWOW64\Laccdp32.exe Kcpcjl32.exe
  File created C:\Windows\SysWOW64\Jmhdamkj.dll Pcgnfl32.exe
  File created C:\Windows\SysWOW64\Pfjdmggb.exe Pblkgh32.exe
  File opened for modification C:\Windows\SysWOW64\Mgkghp32.exe Mjgfol32.exe
  File opened for modification C:\Windows\SysWOW64\Jinmco32.exe Imgmonga.exe
  File opened for modification C:\Windows\SysWOW64\Dekcng32.exe Dggbeb32.exe
  File created C:\Windows\SysWOW64\Laahjdib.exe Laokdekd.exe
  File opened for modification C:\Windows\SysWOW64\Hacoio32.exe Hkifld32.exe
  File opened for modification C:\Windows\SysWOW64\Bakjfp32.exe Afaieb32.exe
  File created C:\Windows\SysWOW64\Ekifcd32.exe Dglmmf32.exe
  File created C:\Windows\SysWOW64\Inecnh32.exe Ildjlmfb.exe
  File created C:\Windows\SysWOW64\Bpahad32.exe Bmpooiji.exe
  File opened for modification C:\Windows\SysWOW64\Enomam32.exe Ehphdf32.exe
  File created C:\Windows\SysWOW64\Bbkgbo32.dll Lokpcekn.exe
  File created C:\Windows\SysWOW64\Ipgngg32.dll Mdidhfdp.exe
  File created C:\Windows\SysWOW64\Aaplgfio.dll Llainlje.exe
  File created C:\Windows\SysWOW64\Fclmem32.exe Flbehbqm.exe
  File created C:\Windows\SysWOW64\Hibkkjpb.dll Ckamihfm.exe
  File created C:\Windows\SysWOW64\Phfjkcad.dll Lkahbkgk.exe
  File created C:\Windows\SysWOW64\Feoqpaij.dll Kcflbpnn.exe
  File created C:\Windows\SysWOW64\Bfjhippb.exe Biegpl32.exe
  File created C:\Windows\SysWOW64\Nnmqbaeq.exe
  File created C:\Windows\SysWOW64\Adfmcn32.dll Jihgdd32.exe
  File created C:\Windows\SysWOW64\Pjkedoid.dll Mhfckc32.exe
  File opened for modification C:\Windows\SysWOW64\Bnbkgech.exe
  File opened for modification C:\Windows\SysWOW64\Flhkhnel.exe Dlfbck32.exe
  File created C:\Windows\SysWOW64\Djieql32.dll Anbcio32.exe
  File opened for modification C:\Windows\SysWOW64\Fklohgie.exe Fnhnnc32.exe
  File created C:\Windows\SysWOW64\Hiahfo32.exe Gbhpidak.exe
  File created C:\Windows\SysWOW64\Gckcpl32.dll Hnocgnoc.exe
  File opened for modification C:\Windows\SysWOW64\Obffpa32.exe Onhnjclg.exe
  File created C:\Windows\SysWOW64\Emoghm32.dll Hhjhgpcn.exe
  File created C:\Windows\SysWOW64\Hpldgohk.dll Lcbbidgl.exe
  File opened for modification C:\Windows\SysWOW64\Nqngkcjm.exe Ngecbndm.exe
  File created C:\Windows\SysWOW64\Gkdjec32.dll Nbnajcig.exe
  File opened for modification C:\Windows\SysWOW64\Gceghn32.exe Gnfajgbg.exe
  File opened for modification C:\Windows\SysWOW64\Fkgemh32.exe Fieiephm.exe
  File opened for modification C:\Windows\SysWOW64\Ajlcmigj.exe Admnob32.exe
  File created C:\Windows\SysWOW64\Gkfkoi32.exe Fkdoii32.exe
  File created C:\Windows\SysWOW64\Mgapfkgp.dll Dcijmhdj.exe
  File created C:\Windows\SysWOW64\Beojma32.dll Jgaikb32.exe
  File created C:\Windows\SysWOW64\Jgleep32.exe Jgihopao.exe
  File created C:\Windows\SysWOW64\Hnoeplld.dll Cofaad32.exe
  File created C:\Windows\SysWOW64\Hhcidhoj.dll Pqlhbo32.exe
  File created C:\Windows\SysWOW64\Olfgom32.dll Hmhgjahb.exe
  File created C:\Windows\SysWOW64\Nefejg32.dll Moijkk32.exe
  File created C:\Windows\SysWOW64\Hpjodn32.dll Ihmene32.exe
  File created C:\Windows\SysWOW64\Ngolkmca.dll Jdlefd32.exe
  File opened for modification C:\Windows\SysWOW64\Ledplq32.exe Lcecpe32.exe
  File created C:\Windows\SysWOW64\Kegebn32.exe Keehmobp.exe
  File created C:\Windows\SysWOW64\Nogjbbma.exe Nodnmb32.exe
  File opened for modification C:\Windows\SysWOW64\Ldljqpli.exe Looahi32.exe
  File created C:\Windows\SysWOW64\Bdfpdj32.dll Fpecddpi.exe
  File created C:\Windows\SysWOW64\Gqgkjc32.dll Akpkok32.exe
  File opened for modification C:\Windows\SysWOW64\Fjbdmbmb.exe Feeldk32.exe
  File created C:\Windows\SysWOW64\Pafepjhh.dll Qhnnfc32.exe
  File opened for modification C:\Windows\SysWOW64\Ddjmaebi.exe Dffmgqcp.exe
  File created C:\Windows\SysWOW64\Pdcjba32.dll Nihedodm.exe
  File created C:\Windows\SysWOW64\Cdkklgcn.dll Kpiihgoh.exe
- Program crash (1 IoC)
  pid: 3008, pid_target: 4552, Process: (blank), procid_target: 1100
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: Fnleqj32.exe, Hjjknfin.exe, Mflgkd32.exe, Kfbjjjci.exe, Echpaecj.exe, Cefpmiji.exe, Alknnodh.exe, Kifgllbc.exe, Jkjbml32.exe, Qhnlmjie.exe, Efaiobkc.exe, Boohgk32.exe, Jmigke32.exe, Kfknpj32.exe, Jnhblp32.exe, Aihmhe32.exe, Mfpaqdnk.exe, Jeenip32.exe, Mokgqjaa.exe, Gogipbln.exe, Gknjecab.exe, Oiniaboi.exe, Plpehj32.exe, Phibbk32.exe, Dmobpn32.exe, Cagpldqg.exe, Nimcallo.exe, Hkbagjfi.exe, Hnocgnoc.exe, Jekoljgo.exe, Ckamihfm.exe, Deimaa32.exe, Hmhgjahb.exe, Mfmpifdf.exe, Iejkel32.exe, Lgfpfi32.exe, Gfdcbmbn.exe, Bickkl32.exe, Hjggnp32.exe, Blpibghg.exe, Gbbbld32.exe, Odpghiqc.exe, Nomdfjpo.exe, Feklja32.exe, Jbkhcg32.exe, Laidie32.exe, Aclhap32.exe, Bhoikfbb.exe, Medggj32.exe, Lhabemgi.exe, Bfjmkn32.exe, Ehphdf32.exe, Mgnmao32.exe, Dbeqalkp.exe, Fkdoii32.exe, Ofcldoef.exe, Dophid32.exe, Ioonfaed.exe, Jdlefd32.exe, Gokmnlcf.exe, Hojbbiae.exe, Pokkkgpo.exe, plus two entries with no process name
- Modifies registry class (64 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 by: Bdbfpafn.exe, Nldbbbno.exe, Pmqkellk.exe, Agpamd32.exe, Fkhkha32.exe, Lbgkhoml.exe, Dkggel32.exe, Cjbccb32.exe, Mbfbfe32.exe, Dglmmf32.exe, Kckeno32.exe, Dfcigk32.exe, Cldolj32.exe, Nmaialjp.exe, Iidajaiq.exe, Fkdoii32.exe, Gncblo32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" by: Bopbeopi.exe, Lkeeqckl.exe, Fqdong32.exe, Kelqff32.exe, Oqibjq32.exe, Cldolj32.exe, Jdipnedn.exe, Hcjpcmjg.exe, Ccngkphk.exe, Mkiemqdo.exe, Jchjqc32.exe, Aomdpj32.exe, Gknjecab.exe, Mgomoboc.exe, Feeldk32.exe, Ljbmdmfc.exe, Dcdlpklh.exe, Iihhmhng.exe, Moqkgmol.exe, Dhadhakp.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\<dll>", one DLL name per writing process: Dmmiiaba.dll Fkhkha32.exe, Pimlpcke.dll Dklkkoqf.exe, Bklhjo32.dll Emailhfb.exe, Pdqfaiab.dll Blpibghg.exe, Fmcffnnq.dll Lpnlid32.exe, Mhkjpcin.dll Ppacfg32.exe, Jeckce32.dll Nimcallo.exe, Hdjchlqo.dll Kcpcjl32.exe, Gqpoindi.dll Iihhmhng.exe, Bigngdee.dll Jmhile32.exe, Bfjijo32.dll Kelqff32.exe, Ehmbdbbl.dll Engnno32.exe, Mgklpnpf.dll Dcedfe32.exe, Ekbhbi32.dll Gcnleahm.exe, Ahomebko.dll Oadnlc32.exe, Jiojjk32.dll Gqbaqccn.exe, Ceahlg32.dll Mdkcgk32.exe, Bmjbmidh.dll Mpcjfa32.exe, Ldomncbm.dll Belfldoh.exe, Gkeobofn.dll Ocmbmnio.exe
  Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiieqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmhgjahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfgom32.dll" Hmhgjahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flhkhnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcbdmon.dll" Nodnmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caajmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncobnogd.dll" Dkojjgfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (each entry is spawned by the entry above it; the leading number is its depth in the tree). Every dropped child is launched via the command line C:\Windows\system32\<name>.exe and runs from the image C:\Windows\SysWOW64\<name>.exe.
1. C:\Users\Admin\AppData\Local\Temp\f8a454bc351ff2a4ff782523f4e32fd47eed1b089083b0dc2507f744ec6c2e4f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f8a454bc351ff2a4ff782523f4e32fd47eed1b089083b0dc2507f744ec6c2e4f.exe"), PID 2172
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Cakfcfoc.exe, PID 2276
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Cancif32.exe, PID 2868
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Dmljnfll.exe, PID 2876
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Doocln32.exe, PID 2764
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dbmlal32.exe, PID 2788
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Dodlfmlb.exe, PID 2564
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dofilm32.exe, PID 1748
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Elgioe32.exe, PID 2784
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fjdpgnee.exe, PID 2176
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Fjfllm32.exe, PID 1952
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gfdcbmbn.exe, PID 1028
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gbkdgn32.exe, PID 1756
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Heqfdh32.exe, PID 2412
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hcfceeff.exe, PID 2336
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ipcjje32.exe, PID 1392
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Iagchmjn.exe, PID 824
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Jpajdi32.exe, PID 1808
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Kphpdhdh.exe, PID 2468
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Keehmobp.exe, PID 552
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
21. C:\Windows\SysWOW64\Kegebn32.exe, PID 1660
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Kneflplf.exe, PID 2164
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Khjkiikl.exe, PID 1048
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Lnipgp32.exe, PID 2796
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Lcfhpf32.exe, PID 2392
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Llainlje.exe, PID 2380
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
27. C:\Windows\SysWOW64\Lhhjcmpj.exe, PID 1572
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Lhjghlng.exe, PID 2976
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Mkkpjg32.exe, PID 2136
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Mgaqohql.exe, PID 2620
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Mkpieggc.exe, PID 2560
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Mflgkd32.exe, PID 1308
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
33. C:\Windows\SysWOW64\Nbbhpegc.exe, PID 2256
- Executes dropped EXE
34. C:\Windows\SysWOW64\Npfhjifm.exe, PID 2948
- Executes dropped EXE
35. C:\Windows\SysWOW64\Nfbmlckg.exe, PID 2920
- Executes dropped EXE
36. C:\Windows\SysWOW64\Npkaei32.exe, PID 2300
- Executes dropped EXE
37. C:\Windows\SysWOW64\Oaaghp32.exe, PID 1868
- Executes dropped EXE
38. C:\Windows\SysWOW64\Oiniaboi.exe, PID 1240
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Obgmjh32.exe, PID 2272
- Executes dropped EXE
40. C:\Windows\SysWOW64\Ofefqf32.exe, PID 2104
- Executes dropped EXE
41. C:\Windows\SysWOW64\Pieobaiq.exe, PID 2408
- Executes dropped EXE
42. C:\Windows\SysWOW64\Pbnckg32.exe, PID 2244
- Executes dropped EXE
43. C:\Windows\SysWOW64\Pkihpi32.exe, PID 2168
- Executes dropped EXE
44. C:\Windows\SysWOW64\Pkkeeikj.exe, PID 1428
- Executes dropped EXE
45. C:\Windows\SysWOW64\Pdffcn32.exe, PID 1556
- Executes dropped EXE
46. C:\Windows\SysWOW64\Qicoleno.exe, PID 1656
- Executes dropped EXE
47. C:\Windows\SysWOW64\Qkbkfh32.exe, PID 1288
- Executes dropped EXE
48. C:\Windows\SysWOW64\Aellfe32.exe, PID 1676
- Executes dropped EXE
49. C:\Windows\SysWOW64\Apapcnaf.exe, PID 520
- Executes dropped EXE
50. C:\Windows\SysWOW64\Ajjeld32.exe, PID 2376
- Executes dropped EXE
51. C:\Windows\SysWOW64\Aaeiqf32.exe, PID 2968
- Executes dropped EXE
52. C:\Windows\SysWOW64\Alknnodh.exe, PID 2724
- Executes dropped EXE
- System Location Discovery: System Language Discovery
53. C:\Windows\SysWOW64\Akpkok32.exe, PID 2756
- Executes dropped EXE
- Drops file in System32 directory
54. C:\Windows\SysWOW64\Anngkg32.exe, PID 2884
- Executes dropped EXE
55. C:\Windows\SysWOW64\Bblpae32.exe, PID 2828
- Executes dropped EXE
56. C:\Windows\SysWOW64\Bgihjl32.exe, PID 2712
- Executes dropped EXE
57. C:\Windows\SysWOW64\Bqambacb.exe, PID 2900
- Executes dropped EXE
58. C:\Windows\SysWOW64\Bjjakg32.exe, PID 2212
- Executes dropped EXE
59. C:\Windows\SysWOW64\Bcbedm32.exe, PID 1248
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
60. C:\Windows\SysWOW64\Bjlnaghp.exe, PID 1088
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
61. C:\Windows\SysWOW64\Bgpnjkgi.exe, PID 2060
- Executes dropped EXE
62. C:\Windows\SysWOW64\Bjnjfffm.exe, PID 572
- Executes dropped EXE
63. C:\Windows\SysWOW64\Cihqbb32.exe, PID 2456
- Executes dropped EXE
64. C:\Windows\SysWOW64\Ckijdm32.exe, PID 1600
- Executes dropped EXE
65. C:\Windows\SysWOW64\Cnjbfhqa.exe, PID 2404
- Executes dropped EXE
66. C:\Windows\SysWOW64\Dnlolhoo.exe, PID 1364
67. C:\Windows\SysWOW64\Dhdddnep.exe, PID 1040
68. C:\Windows\SysWOW64\Dfjaej32.exe, PID 2652
69. C:\Windows\SysWOW64\Ddnaonia.exe, PID 2428
70. C:\Windows\SysWOW64\Deajlf32.exe, PID 2984
71. C:\Windows\SysWOW64\Eahkag32.exe, PID 2996
72. C:\Windows\SysWOW64\Ekppjmia.exe, PID 2880
- Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Emailhfb.exe, PID 2744
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
74. C:\Windows\SysWOW64\Egimdmmc.exe, PID 684
75. C:\Windows\SysWOW64\Eaoaafli.exe, PID 2100
76. C:\Windows\SysWOW64\Epdncb32.exe, PID 2732
77. C:\Windows\SysWOW64\Fcegdnna.exe, PID 3040
78. C:\Windows\SysWOW64\Fmjkbfnh.exe, PID 2676
79. C:\Windows\SysWOW64\Fialggcl.exe, PID 1824
80. C:\Windows\SysWOW64\Fcjqpm32.exe, PID 2356
81. C:\Windows\SysWOW64\Flbehbqm.exe, PID 904
- Drops file in System32 directory
82. C:\Windows\SysWOW64\Fclmem32.exe, PID 2616
- Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Gdpfbd32.exe, PID 2204
84. C:\Windows\SysWOW64\Gpfggeai.exe, PID 1768
85. C:\Windows\SysWOW64\Gjolpkhj.exe, PID 1700
86. C:\Windows\SysWOW64\Gqkqbe32.exe, PID 2388
- Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Gjcekj32.exe, PID 264
88. C:\Windows\SysWOW64\Gqmmhdka.exe, PID 1536
89. C:\Windows\SysWOW64\Hmdnme32.exe, PID 3028
90. C:\Windows\SysWOW64\Hikobfgj.exe, PID 2736
91. C:\Windows\SysWOW64\Hfookk32.exe, PID 2836
92. C:\Windows\SysWOW64\Hogddpld.exe, PID 2776
93. C:\Windows\SysWOW64\Hkndiabh.exe, PID 2892
94. C:\Windows\SysWOW64\Hkpaoape.exe, PID 2572
95. C:\Windows\SysWOW64\Iggbdb32.exe, PID 2472
96. C:\Windows\SysWOW64\Inajql32.exe, PID 580
97. C:\Windows\SysWOW64\Incgfl32.exe, PID 1688
98. C:\Windows\SysWOW64\Iimhfj32.exe, PID 1512
99. C:\Windows\SysWOW64\Icbldbgi.exe, PID 1516
100. C:\Windows\SysWOW64\Ijmdql32.exe, PID 1992
101. C:\Windows\SysWOW64\Ifceemdj.exe, PID 2008
102. C:\Windows\SysWOW64\Jplinckj.exe, PID 2236
103. C:\Windows\SysWOW64\Jpnfdbig.exe, PID 2844
104. C:\Windows\SysWOW64\Jekoljgo.exe, PID 2760
- System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Jaaoakmc.exe, PID 2608
106. C:\Windows\SysWOW64\Kpiihgoh.exe, PID 2500
- Drops file in System32 directory
107. C:\Windows\SysWOW64\Kifgllbc.exe, PID 3068
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Kldchgag.exe, PID 1360
109. C:\Windows\SysWOW64\Kbokda32.exe, PID 468
110. C:\Windows\SysWOW64\Koelibnh.exe, PID 2200
111. C:\Windows\SysWOW64\Lddagi32.exe, PID 976
112. C:\Windows\SysWOW64\Mjkmfn32.exe, PID 2540
113. C:\Windows\SysWOW64\Mgomoboc.exe, PID 1056
- Modifies registry class
114. C:\Windows\SysWOW64\Mojaceln.exe, PID 2592
115. C:\Windows\SysWOW64\Mkqbhf32.exe, PID 2368
- Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Mhdcbjal.exe, PID 2820
117. C:\Windows\SysWOW64\Mdkcgk32.exe, PID 2832
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
118. C:\Windows\SysWOW64\Nglmifca.exe, PID 2928
119. C:\Windows\SysWOW64\Nbaafocg.exe, PID 2940
- Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Ngoinfao.exe, PID 840
121. C:\Windows\SysWOW64\Ndbjgjqh.exe, PID 1584
122. C:\Windows\SysWOW64\Nnknqpgi.exe, PID 2692