Analysis
max time kernel: 20s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 13:14

Static task: static1
Behavioral task: behavioral1
  Sample: f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe
  Resource: win10v2004-20241007-en
General
Target: f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe
Size: 96KB
MD5: fec1ef428f3a9cd3e19d3a2d46fa44f2
SHA1: 132d2c4fe49b23ce79115a52339e64ca33ccc3b1
SHA256: f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc
SHA512: 9d0b0e122e4a1deb6846c98cf986460cf66243dbc62cca560247e002976c05ef2c656877dc36ea5ecaf73034df7b93316ed9ada0d8231d30aeadf236d1e2fef1
SSDEEP: 1536:/fzrHl3/WB3nUIZ+08AVtCZw6i1zIz3y+WNLTGxCOM6bOLXi8PmCofGW:/fzRWO21TtCOj163hYexCDrLXfzoeW
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the 32-bit view, reached through WOW64 registry redirection, of the key from which Explorer.exe instantiates shell service objects at logon). Every IoC in this group is either the creation of that key or the same value write under it.

Set value (str) ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" by each of the following 32 processes:
Bgnaekil.exe, Faonqiod.exe, Dgoakpjn.exe, Eoalpaaa.exe, Fljfdd32.exe, Obcgaill.exe, Ahllda32.exe, Lfedlb32.exe, Lpjiik32.exe, Cjdkllec.exe, Kgmkef32.exe, Dflnkjhe.exe, Kknklg32.exe, Ajmhljip.exe, Dcfknooi.exe, Djcpqidc.exe, Hpinagbm.exe, Dmiihjak.exe, Olgboogb.exe, Mbehgabe.exe, Ajjeld32.exe, Jdjioh32.exe, Phklcn32.exe, Fhccoe32.exe, Higiih32.exe, Mkmmpg32.exe, Pdamhocm.exe, Mibdcakk.exe, Emncci32.exe, Epqhjdhc.exe, Idepdhia.exe, Ckbccnji.exe

Key created ShellServiceObjectDelayLoad by each of the following 32 processes:
Joicje32.exe, Pbppqf32.exe, Bgnaekil.exe, Dnlolhoo.exe, Biikne32.exe, Ghmohcbl.exe, Mifmoa32.exe, Doapanne.exe, Ajmhljip.exe, Hbnqln32.exe, Fiopah32.exe, Idnppjcj.exe, Kjchmclb.exe, Imndmnob.exe, Kabobo32.exe, Bikhce32.exe, Emncci32.exe, Kpbiempj.exe, Damhmc32.exe, f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe, Hfajhblm.exe, Cpbiolnl.exe, Kcnilhap.exe, Oheieo32.exe, Fdekigip.exe, Ghnfci32.exe, Ldnbeokn.exe, Hcnfjpib.exe, Qnagbc32.exe, Cbllph32.exe, Bmmgbbeq.exe, Deajlf32.exe
Berbew family
Executes dropped EXE (64 IoCs)
PID   Process
2096  Hfajhblm.exe
3008  Hpinagbm.exe
668   Hajkip32.exe
2996  Idnppjcj.exe
2884  Ihkifi32.exe
1656  Iadnon32.exe
2800  Ilmool32.exe
1224  Ifcbme32.exe
3040  Jpndkj32.exe
2812  Jkgelh32.exe
1672  Jklnggjm.exe
556   Kknklg32.exe
1840  Kdgoelnk.exe
2148  Kjchmclb.exe
2172  Kgghgg32.exe
1680  Knaqcabh.exe
1120  Kcnilhap.exe
1776  Kpbiempj.exe
2436  Klijjnen.exe
1428  Kccbgh32.exe
108   Lhpkoo32.exe
2504  Lojclibo.exe
1756  Lhbhdnio.exe
2620  Lkqdajhc.exe
892   Lqmliqfj.exe
756   Lkcqfifp.exe
2396  Ljhngfkh.exe
2196  Ldnbeokn.exe
2932  Mmifiahi.exe
3004  Mjmgbe32.exe
2960  Mfchgflg.exe
2736  Mibdcakk.exe
1236  Mbjhlg32.exe
2324  Mpnifkae.exe
2792  Mifmoa32.exe
2544  Mncfgh32.exe
2820  Niijdq32.exe
1496  Nnfbmgcj.exe
2260  Njlcah32.exe
1592  Nafknbqk.exe
2428  Ndgdpn32.exe
2516  Nmpiicdm.exe
744   Ndiaem32.exe
2536  Nifjnd32.exe
796   Odlnkmjg.exe
1980  Oemjbe32.exe
2588  Olgboogb.exe
112   Ofmgmhgh.exe
2560  Ohncdp32.exe
2804  Obcgaill.exe
2416  Ohppjpkc.exe
1164  Obfdgiji.exe
2748  Oedqcdim.exe
2888  Olnipn32.exe
2468  Oolelj32.exe
2752  Oheieo32.exe
2288  Pgopak32.exe
2816  Ppgdjqna.exe
1304  Pgamgken.exe
600   Pjpicfdb.exe
272   Plneoace.exe
1144  Qakmghbm.exe
788   Qhdfdb32.exe
2328  Qkcbpn32.exe
Loads dropped DLL (64 IoCs)
Each PID/process pair appears twice in the report (two dropped-DLL loads per process), so the 64 IoCs cover the following 32 processes:
PID   Process
2100  f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe
2096  Hfajhblm.exe
3008  Hpinagbm.exe
668   Hajkip32.exe
2996  Idnppjcj.exe
2884  Ihkifi32.exe
1656  Iadnon32.exe
2800  Ilmool32.exe
1224  Ifcbme32.exe
3040  Jpndkj32.exe
2812  Jkgelh32.exe
1672  Jklnggjm.exe
556   Kknklg32.exe
1840  Kdgoelnk.exe
2148  Kjchmclb.exe
2172  Kgghgg32.exe
1680  Knaqcabh.exe
1120  Kcnilhap.exe
1776  Kpbiempj.exe
2436  Klijjnen.exe
1428  Kccbgh32.exe
108   Lhpkoo32.exe
2504  Lojclibo.exe
1756  Lhbhdnio.exe
2620  Lkqdajhc.exe
892   Lqmliqfj.exe
756   Lkcqfifp.exe
2396  Ljhngfkh.exe
2196  Ldnbeokn.exe
2932  Mmifiahi.exe
3004  Mjmgbe32.exe
2960  Mfchgflg.exe
Drops file in System32 directory (64 IoCs)

File created (48), dropped file followed by the dropping process:
C:\Windows\SysWOW64\Akhkkmdh.exe  Ahioobed.exe
C:\Windows\SysWOW64\Difcao32.dll  Cikdbhhi.exe
C:\Windows\SysWOW64\Bgpnjkgi.exe  Bmjjmbgc.exe
C:\Windows\SysWOW64\Hokemgkj.dll  Fcjqpm32.exe
C:\Windows\SysWOW64\Ghjajqph.dll  Mpnifkae.exe
C:\Windows\SysWOW64\Bojcalcl.dll  Cappnf32.exe
C:\Windows\SysWOW64\Mhnfqhnk.dll  Ehdpcahk.exe
C:\Windows\SysWOW64\Fdmjmenh.exe  Faonqiod.exe
C:\Windows\SysWOW64\Nmpiicdm.exe  Ndgdpn32.exe
C:\Windows\SysWOW64\Jmpqbnmp.exe  Jffhec32.exe
C:\Windows\SysWOW64\Kkaaee32.exe  Kiqdmm32.exe
C:\Windows\SysWOW64\Obcgaill.exe  Ohncdp32.exe
C:\Windows\SysWOW64\Hpgbod32.dll  Fepnhjdh.exe
C:\Windows\SysWOW64\Lpjiik32.exe  Lfedlb32.exe
C:\Windows\SysWOW64\Bipaodah.exe  Bbfibj32.exe
C:\Windows\SysWOW64\Dlepjbmo.exe  Daplmimi.exe
C:\Windows\SysWOW64\Jdbdjimf.dll  Egfglocf.exe
C:\Windows\SysWOW64\Omhhma32.exe  Ofnppgbh.exe
C:\Windows\SysWOW64\Hhbmghna.dll  Kapbmo32.exe
C:\Windows\SysWOW64\Nqakim32.exe  Mjgclcjh.exe
C:\Windows\SysWOW64\Nnnbqeib.exe  Niaihojk.exe
C:\Windows\SysWOW64\Eabgpg32.dll  Acnpjj32.exe
C:\Windows\SysWOW64\Bgnaekil.exe  Ajjeld32.exe
C:\Windows\SysWOW64\Jjagnhnk.dll  Mkmmpg32.exe
C:\Windows\SysWOW64\Pladek32.dll  Djcpqidc.exe
C:\Windows\SysWOW64\Ccnbppgg.dll  Oemjbe32.exe
C:\Windows\SysWOW64\Ofcbjj32.dll  Obfdgiji.exe
C:\Windows\SysWOW64\Pojihjam.dll  Bfmlgi32.exe
C:\Windows\SysWOW64\Gfoogjlk.dll  Dbkolmia.exe
C:\Windows\SysWOW64\Dendcg32.exe  Dodlfmlb.exe
C:\Windows\SysWOW64\Nhgelcoo.dll  Aqgqid32.exe
C:\Windows\SysWOW64\Lfgaaa32.exe  Lpjiik32.exe
C:\Windows\SysWOW64\Fbocnbmi.dll  Ldnbeokn.exe
C:\Windows\SysWOW64\Odmbgbpa.dll  Qakmghbm.exe
C:\Windows\SysWOW64\Cgghbgfc.dll  Haejcj32.exe
C:\Windows\SysWOW64\Bcopkn32.exe  Biikne32.exe
C:\Windows\SysWOW64\Ckcpfp32.dll  Pfgcff32.exe
C:\Windows\SysWOW64\Ebhbna32.dll  Mbjhlg32.exe
C:\Windows\SysWOW64\Qdkfic32.exe  Qamjmh32.exe
C:\Windows\SysWOW64\Ieaqnecd.dll  Ibdclp32.exe
C:\Windows\SysWOW64\Bnagimbb.dll  Iadnon32.exe
C:\Windows\SysWOW64\Gomhkb32.exe  Gicpnhbb.exe
C:\Windows\SysWOW64\Edicfeme.dll  Gicpnhbb.exe
C:\Windows\SysWOW64\Eplood32.exe  Emncci32.exe
C:\Windows\SysWOW64\Pofmbbjl.dll  Emncci32.exe
C:\Windows\SysWOW64\Fialggcl.exe  Fiopah32.exe
C:\Windows\SysWOW64\Qakmghbm.exe  Plneoace.exe
C:\Windows\SysWOW64\Elfcoj32.dll  Ghnfci32.exe

File opened for modification (16), target file followed by the modifying process:
C:\Windows\SysWOW64\Jkdalb32.exe  Jdjioh32.exe
C:\Windows\SysWOW64\Kgghgg32.exe  Kjchmclb.exe
C:\Windows\SysWOW64\Aqljdclg.exe  Afffgjma.exe
C:\Windows\SysWOW64\Eoqeekme.exe  Edkahbmo.exe
C:\Windows\SysWOW64\Cjdkllec.exe  Ccjbobnf.exe
C:\Windows\SysWOW64\Pjpicfdb.exe  Pgamgken.exe
C:\Windows\SysWOW64\Ihooog32.exe  Ieqbbl32.exe
C:\Windows\SysWOW64\Lphlck32.exe  Ljndga32.exe
C:\Windows\SysWOW64\Fdlqjf32.exe  Fnbhmlkk.exe
C:\Windows\SysWOW64\Obcgaill.exe  Ohncdp32.exe
C:\Windows\SysWOW64\Oelcho32.exe  Onbkle32.exe
C:\Windows\SysWOW64\Phhonn32.exe  Pfgcff32.exe
C:\Windows\SysWOW64\Eigpmjqg.exe  Eoalpaaa.exe
C:\Windows\SysWOW64\Cacegd32.exe  Cpbiolnl.exe
C:\Windows\SysWOW64\Faonqiod.exe  Fhfihd32.exe
C:\Windows\SysWOW64\Ghmohcbl.exe  Ghkbccdn.exe
Program crash (1 IoC)
WerFault.exe, pid 2084, pid_target 4724
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of the following 64 processes:
Lhhjcmpj.exe, Cncmei32.exe, Njlcah32.exe, Oedqcdim.exe, Nafknbqk.exe, Pjpicfdb.exe, Cabldeik.exe, Eoqeekme.exe, Kgghgg32.exe, Lphlck32.exe, Dlfina32.exe, Kknklg32.exe, Cllmdcej.exe, Ofmgmhgh.exe, Cgjhkpbj.exe, Faikbkhj.exe, Mkmmpg32.exe, Olgboogb.exe, Ibdclp32.exe, Jilkbn32.exe, Cgmndokg.exe, Jklnggjm.exe, Nmpiicdm.exe, Oheieo32.exe, Ppgdjqna.exe, Cghkepdm.exe, Degobhjg.exe, Eenabkfk.exe, Fagnmkjm.exe, Kaliaphd.exe, Nnkekfkd.exe, Onbkle32.exe, Cpbiolnl.exe, Ohppjpkc.exe, Gfmmanif.exe, Mgfjjh32.exe, Deajlf32.exe, Gafcahil.exe, Kdgoelnk.exe, Olnipn32.exe, Pgamgken.exe, Ahioobed.exe, Oiqegb32.exe, Bgpnjkgi.exe, Ghmohcbl.exe, Mbjhlg32.exe, Ajmhljip.exe, Gndebkii.exe, Pknakhig.exe, Clkfjman.exe, Mncfgh32.exe, Amnanefa.exe, Elgioe32.exe, Fepnhjdh.exe, Fdekigip.exe, Jhahcjcf.exe, f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe, Ilmool32.exe, Aaogbh32.exe, Agaifnhi.exe, Bfkobj32.exe, Cfoellgb.exe, Epjbienl.exe, Qamjmh32.exe
Modifies registry class (64 IoCs; 47 are visible in this capture, the rest are cut off)
Processes: Degobhjg.exe, Echoepmo.exe, Fdlqjf32.exe, Hcajjf32.exe, Qnagbc32.exe, Hdapggln.exe, Ndiaem32.exe, Ccjbobnf.exe, Cedbmi32.exe, Ehonebqq.exe, Deajlf32.exe, Ahioobed.exe, Afffgjma.exe, Pbnckg32.exe, Qhdfdb32.exe, Haejcj32.exe, Acnpjj32.exe, Bebiifka.exe, Gofajcog.exe, Nnnbqeib.exe, Ohppjpkc.exe, Kejahn32.exe, Bgnaekil.exe, Nnfbmgcj.exe, Mkmmpg32.exe, Dlfina32.exe, Jmpqbnmp.exe, Jgpklb32.exe, Gicpnhbb.exe, Agaifnhi.exe, Bnhqll32.exe, Fialggcl.exe, Njlcah32.exe, Ndgdpn32.exe, Fkocfa32.exe, Faonqiod.exe, Cnacbj32.exe, Gndebkii.exe, Hnikmnho.exe, Fagnmkjm.exe, Gkoodd32.exe, Pdamhocm.exe, Odlnkmjg.exe, Bmbkid32.exe, Eoalpaaa.exe, Ghnfci32.exe, Lphlck32.exe, Mgodjico.exe, Pgopak32.exe, Ccdnipal.exe, Gfbfln32.exe, Mjgclcjh.exe, Ajjeld32.exe, Fnbhmlkk.exe, Mgfjjh32.exe, Cifdmbib.exe, Clkfjman.exe, Ieqbbl32.exe, Jfkbqcam.exe, Jhahcjcf.exe

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (the COM registration that the ShellServiceObjectDelayLoad value above resolves to; its default value names the DLL Explorer.exe will load)

Set value (str) InProcServer32\(Default) = DLL path, process followed by the path it wrote:
Degobhjg.exe  "C:\\Windows\\SysWow64\\Ehjnebll.dll"
Hcajjf32.exe  "C:\\Windows\\SysWow64\\Iiqpab32.dll"
Ahioobed.exe  "C:\\Windows\\SysWow64\\Fmmlah32.dll"
Pbnckg32.exe  "C:\\Windows\\SysWow64\\Lgnefm32.dll"
Qhdfdb32.exe  "C:\\Windows\\SysWow64\\Ajingaej.dll"
Nnnbqeib.exe  "C:\\Windows\\SysWow64\\Gqemkl32.dll"
Nnfbmgcj.exe  "C:\\Windows\\SysWow64\\Fgehmk32.dll"
Njlcah32.exe  "C:\\Windows\\SysWow64\\Dhqpmc32.dll"
Faonqiod.exe  "C:\\Windows\\SysWow64\\Oakmlgcg.dll"
Bmbkid32.exe  "C:\\Windows\\SysWow64\\Ljiqml32.dll"

Set value (str) InProcServer32\ThreadingModel = "Apartment" by each of the following 17 processes:
Echoepmo.exe, Fdlqjf32.exe, Ndiaem32.exe, Cedbmi32.exe, Ehonebqq.exe, Deajlf32.exe, Afffgjma.exe, Acnpjj32.exe, Gofajcog.exe, Ohppjpkc.exe, Bgnaekil.exe, Dlfina32.exe, Jmpqbnmp.exe, Jgpklb32.exe, Bnhqll32.exe, Fialggcl.exe, Fkocfa32.exe

Key created InProcServer32 by each of the following 20 processes:
Qnagbc32.exe, Hdapggln.exe, Ccjbobnf.exe, Haejcj32.exe, Bebiifka.exe, Kejahn32.exe, Mkmmpg32.exe, Gicpnhbb.exe, Agaifnhi.exe, Acnpjj32.exe, Ndgdpn32.exe, Afffgjma.exe, Cnacbj32.exe, Gndebkii.exe, Hnikmnho.exe, Fagnmkjm.exe, Gkoodd32.exe, Pdamhocm.exe, Odlnkmjg.exe, Eoalpaaa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghnfci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lphlck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgodjico.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgopak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdlqjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccdnipal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfbfln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjgclcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajjeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gekdej32.dll" Fnbhmlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaihlf32.dll" Gndebkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkpid32.dll" Mgfjjh32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clkfjman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieqbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfkbqcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhahcjcf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe, Hfajhblm.exe, Hpinagbm.exe, Hajkip32.exe, Idnppjcj.exe, Ihkifi32.exe, Iadnon32.exe, Ilmool32.exe, Ifcbme32.exe, Jpndkj32.exe, Jkgelh32.exe, Jklnggjm.exe, Kknklg32.exe, Kdgoelnk.exe, Kjchmclb.exe, Kgghgg32.exe
description pid Process procid_target
PID 2100 wrote to memory of 2096 2100 f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe 30
PID 2100 wrote to memory of 2096 2100 f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe 30
PID 2100 wrote to memory of 2096 2100 f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe 30
PID 2100 wrote to memory of 2096 2100 f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe 30
PID 2096 wrote to memory of 3008 2096 Hfajhblm.exe 31
PID 2096 wrote to memory of 3008 2096 Hfajhblm.exe 31
PID 2096 wrote to memory of 3008 2096 Hfajhblm.exe 31
PID 2096 wrote to memory of 3008 2096 Hfajhblm.exe 31
PID 3008 wrote to memory of 668 3008 Hpinagbm.exe 32
PID 3008 wrote to memory of 668 3008 Hpinagbm.exe 32
PID 3008 wrote to memory of 668 3008 Hpinagbm.exe 32
PID 3008 wrote to memory of 668 3008 Hpinagbm.exe 32
PID 668 wrote to memory of 2996 668 Hajkip32.exe 33
PID 668 wrote to memory of 2996 668 Hajkip32.exe 33
PID 668 wrote to memory of 2996 668 Hajkip32.exe 33
PID 668 wrote to memory of 2996 668 Hajkip32.exe 33
PID 2996 wrote to memory of 2884 2996 Idnppjcj.exe 34
PID 2996 wrote to memory of 2884 2996 Idnppjcj.exe 34
PID 2996 wrote to memory of 2884 2996 Idnppjcj.exe 34
PID 2996 wrote to memory of 2884 2996 Idnppjcj.exe 34
PID 2884 wrote to memory of 1656 2884 Ihkifi32.exe 35
PID 2884 wrote to memory of 1656 2884 Ihkifi32.exe 35
PID 2884 wrote to memory of 1656 2884 Ihkifi32.exe 35
PID 2884 wrote to memory of 1656 2884 Ihkifi32.exe 35
PID 1656 wrote to memory of 2800 1656 Iadnon32.exe 36
PID 1656 wrote to memory of 2800 1656 Iadnon32.exe 36
PID 1656 wrote to memory of 2800 1656 Iadnon32.exe 36
PID 1656 wrote to memory of 2800 1656 Iadnon32.exe 36
PID 2800 wrote to memory of 1224 2800 Ilmool32.exe 37
PID 2800 wrote to memory of 1224 2800 Ilmool32.exe 37
PID 2800 wrote to memory of 1224 2800 Ilmool32.exe 37
PID 2800 wrote to memory of 1224 2800 Ilmool32.exe 37
PID 1224 wrote to memory of 3040 1224 Ifcbme32.exe 38
PID 1224 wrote to memory of 3040 1224 Ifcbme32.exe 38
PID 1224 wrote to memory of 3040 1224 Ifcbme32.exe 38
PID 1224 wrote to memory of 3040 1224 Ifcbme32.exe 38
PID 3040 wrote to memory of 2812 3040 Jpndkj32.exe 39
PID 3040 wrote to memory of 2812 3040 Jpndkj32.exe 39
PID 3040 wrote to memory of 2812 3040 Jpndkj32.exe 39
PID 3040 wrote to memory of 2812 3040 Jpndkj32.exe 39
PID 2812 wrote to memory of 1672 2812 Jkgelh32.exe 40
PID 2812 wrote to memory of 1672 2812 Jkgelh32.exe 40
PID 2812 wrote to memory of 1672 2812 Jkgelh32.exe 40
PID 2812 wrote to memory of 1672 2812 Jkgelh32.exe 40
PID 1672 wrote to memory of 556 1672 Jklnggjm.exe 41
PID 1672 wrote to memory of 556 1672 Jklnggjm.exe 41
PID 1672 wrote to memory of 556 1672 Jklnggjm.exe 41
PID 1672 wrote to memory of 556 1672 Jklnggjm.exe 41
PID 556 wrote to memory of 1840 556 Kknklg32.exe 42
PID 556 wrote to memory of 1840 556 Kknklg32.exe 42
PID 556 wrote to memory of 1840 556 Kknklg32.exe 42
PID 556 wrote to memory of 1840 556 Kknklg32.exe 42
PID 1840 wrote to memory of 2148 1840 Kdgoelnk.exe 43
PID 1840 wrote to memory of 2148 1840 Kdgoelnk.exe 43
PID 1840 wrote to memory of 2148 1840 Kdgoelnk.exe 43
PID 1840 wrote to memory of 2148 1840 Kdgoelnk.exe 43
PID 2148 wrote to memory of 2172 2148 Kjchmclb.exe 44
PID 2148 wrote to memory of 2172 2148 Kjchmclb.exe 44
PID 2148 wrote to memory of 2172 2148 Kjchmclb.exe 44
PID 2148 wrote to memory of 2172 2148 Kjchmclb.exe 44
PID 2172 wrote to memory of 1680 2172 Kgghgg32.exe 45
PID 2172 wrote to memory of 1680 2172 Kgghgg32.exe 45
PID 2172 wrote to memory of 1680 2172 Kgghgg32.exe 45
PID 2172 wrote to memory of 1680 2172 Kgghgg32.exe 45
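The two event lists above carry the whole story of this sample: every stage writes into the memory of the next stage it spawns, and every stage re-registers the same CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, so that the ShellServiceObjectDelayLoad value "Web Event Logger" resolves, through that CLSID's InProcServer32 default value, to whichever dropped SysWOW64 DLL was written last. The script below is an added example, not part of the sandbox report or the malware: it parses a handful of lines copied from this report (the constructed samples are embedded inline), collapses the repeated WriteProcessMemory calls into one spawn per child to rebuild the chain, and links the SSODL value to the InProcServer32 DLLs so a responder can see the persistence pair in one place. The parser, function names and the procid_target interpretation (the sandbox's internal process index, not an OS PID) are this example's own assumptions about the report format.

```python
"""Parse the behaviour events of a sandbox report like the one above and
derive (a) the process chain from the WriteProcessMemory events and (b) the
COM persistence pair Berbew uses: a ShellServiceObjectDelayLoad value naming
a CLSID whose InProcServer32 default value points at a dropped SysWOW64 DLL.
Sample lines are copied from this report; the parser and function names are
this example's own, not sandbox or malware code."""
import re

# Constructed input: a few WriteProcessMemory events from the report. Every
# spawn appears as repeated identical calls; the last number is the sandbox's
# internal process index (procid_target), not an OS PID (assumption).
WPM_EVENTS = """
PID 2100 wrote to memory of 2096 2100 f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe 30
PID 2100 wrote to memory of 2096 2100 f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe 30
PID 2096 wrote to memory of 3008 2096 Hfajhblm.exe 31
PID 2096 wrote to memory of 3008 2096 Hfajhblm.exe 31
PID 3008 wrote to memory of 668 3008 Hpinagbm.exe 32
PID 3008 wrote to memory of 668 3008 Hpinagbm.exe 32
"""

# Constructed input: registry events from the report, with backslashes inside
# the quoted data doubled exactly as the report prints them.
REG_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgnaekil.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haejcj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cedbmi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmlah32.dll" Ahioobed.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnefm32.dll" Pbnckg32.exe
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
SET_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (\\REGISTRY\\\S+) (\S+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_wpm(text):
    """Return the unique (parent_pid, child_pid, parent_image) spawns in order,
    collapsing the repeated WriteProcessMemory calls per child."""
    seen, spawns = set(), []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m and (int(m.group(1)), int(m.group(2))) not in seen:
            seen.add((int(m.group(1)), int(m.group(2))))
            spawns.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return spawns


def process_chain(spawns):
    """Walk parent->child links from the root (the one PID never written to)
    and return the writer images in order; the final child wrote to nobody."""
    children = {p: c for p, c, _ in spawns}
    images = {p: img for p, _, img in spawns}
    roots = [p for p in children if p not in children.values()]
    chain, pid = [], (roots[0] if roots else None)
    while pid in children:
        chain.append(images[pid])
        pid = children[pid]
    return chain


def parse_registry(text):
    """Normalise 'Set value' and 'Key created' lines into dicts; the value name
    is '' for a key's (Default) value, which is where InProcServer32 names its DLL."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if m:
            key, _, name = m.group(1).rpartition("\\")
            events.append({"op": "set", "key": key, "name": name,
                           "data": m.group(2).replace("\\\\", "\\"), "proc": m.group(3)})
            continue
        m = KEY_RE.match(line.strip())
        if m:
            events.append({"op": "create", "key": m.group(1), "name": None,
                           "data": None, "proc": m.group(2)})
    return events


def persistence_pairs(events):
    """Link every ShellServiceObjectDelayLoad value to the DLLs registered as
    InProcServer32 for the CLSID it names: {clsid: {ssodl_name, dlls, procs}}."""
    pairs = {}
    for e in events:
        if e["op"] == "set" and e["key"].endswith("\\ShellServiceObjectDelayLoad"):
            g = GUID_RE.search(e["data"])
            if g:
                pairs.setdefault(g.group(0).upper(),
                                 {"ssodl_name": e["name"], "dlls": [], "procs": set()})
    for e in events:
        g = GUID_RE.search(e["key"])
        if e["op"] == "set" and g and e["name"] == "" and e["key"].endswith("\\InProcServer32"):
            entry = pairs.get(g.group(0).upper())
            if entry is not None:                 # only CLSIDs reachable from SSODL
                entry["dlls"].append(e["data"])
                entry["procs"].add(e["proc"])
    return pairs


if __name__ == "__main__":
    print(" -> ".join(process_chain(parse_wpm(WPM_EVENTS))))
    for clsid, info in persistence_pairs(parse_registry(REG_EVENTS)).items():
        print(f"SSODL '{info['ssodl_name']}' -> {clsid} -> {info['dlls']}")
```

Feed the full event lists to the two parsers and the output is the complete hand-off chain plus every DLL name that was ever behind the CLSID, which is the list to sweep for on disk. On a live host the same pairing is the check to run: read both the native and the Wow6432Node ShellServiceObjectDelayLoad keys, resolve each CLSID to its InProcServer32 default value, and treat any entry that resolves to an unsigned DLL under SysWOW64 as this persistence. The mismatch in the process tree below between the image path (SysWOW64) and the command line (system32) is WoW64 file-system redirection for a 32-bit process, not two different binaries.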
Processes
C:\Users\Admin\AppData\Local\Temp\f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe (depth 1; command line: "C:\Users\Admin\AppData\Local\Temp\f9925815c97b38b3afa9b3ff563d89f4ebde8ce7f8e16364be1e091f1f1405fc.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2100
C:\Windows\SysWOW64\Hfajhblm.exe (depth 2; command line: C:\Windows\system32\Hfajhblm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2096
C:\Windows\SysWOW64\Hpinagbm.exe (depth 3; command line: C:\Windows\system32\Hpinagbm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3008
C:\Windows\SysWOW64\Hajkip32.exe (depth 4; command line: C:\Windows\system32\Hajkip32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 668
C:\Windows\SysWOW64\Idnppjcj.exe (depth 5; command line: C:\Windows\system32\Idnppjcj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2996
C:\Windows\SysWOW64\Ihkifi32.exe (depth 6; command line: C:\Windows\system32\Ihkifi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2884
C:\Windows\SysWOW64\Iadnon32.exe (depth 7; command line: C:\Windows\system32\Iadnon32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1656
C:\Windows\SysWOW64\Ilmool32.exe (depth 8; command line: C:\Windows\system32\Ilmool32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2800
C:\Windows\SysWOW64\Ifcbme32.exe (depth 9; command line: C:\Windows\system32\Ifcbme32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1224
C:\Windows\SysWOW64\Jpndkj32.exe (depth 10; command line: C:\Windows\system32\Jpndkj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3040
C:\Windows\SysWOW64\Jkgelh32.exe (depth 11; command line: C:\Windows\system32\Jkgelh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2812
C:\Windows\SysWOW64\Jklnggjm.exe (depth 12; command line: C:\Windows\system32\Jklnggjm.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1672
C:\Windows\SysWOW64\Kknklg32.exe (depth 13; command line: C:\Windows\system32\Kknklg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 556
C:\Windows\SysWOW64\Kdgoelnk.exe (depth 14; command line: C:\Windows\system32\Kdgoelnk.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1840
C:\Windows\SysWOW64\Kjchmclb.exe (depth 15; command line: C:\Windows\system32\Kjchmclb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2148
C:\Windows\SysWOW64\Kgghgg32.exe (depth 16; command line: C:\Windows\system32\Kgghgg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2172
C:\Windows\SysWOW64\Knaqcabh.exe (depth 17; command line: C:\Windows\system32\Knaqcabh.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1680
C:\Windows\SysWOW64\Kcnilhap.exe (depth 18; command line: C:\Windows\system32\Kcnilhap.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1120
C:\Windows\SysWOW64\Kpbiempj.exe (depth 19; command line: C:\Windows\system32\Kpbiempj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1776
C:\Windows\SysWOW64\Klijjnen.exe (depth 20; command line: C:\Windows\system32\Klijjnen.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2436
C:\Windows\SysWOW64\Kccbgh32.exe (depth 21; command line: C:\Windows\system32\Kccbgh32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1428
C:\Windows\SysWOW64\Lhpkoo32.exe (depth 22; command line: C:\Windows\system32\Lhpkoo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 108
C:\Windows\SysWOW64\Lojclibo.exe (depth 23; command line: C:\Windows\system32\Lojclibo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2504
C:\Windows\SysWOW64\Lhbhdnio.exe (depth 24; command line: C:\Windows\system32\Lhbhdnio.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1756
C:\Windows\SysWOW64\Lkqdajhc.exe (depth 25; command line: C:\Windows\system32\Lkqdajhc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2620
C:\Windows\SysWOW64\Lqmliqfj.exe (depth 26; command line: C:\Windows\system32\Lqmliqfj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 892
C:\Windows\SysWOW64\Lkcqfifp.exe (depth 27; command line: C:\Windows\system32\Lkcqfifp.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 756
C:\Windows\SysWOW64\Ljhngfkh.exe (depth 28; command line: C:\Windows\system32\Ljhngfkh.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2396
C:\Windows\SysWOW64\Ldnbeokn.exe (depth 29; command line: C:\Windows\system32\Ldnbeokn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2196
C:\Windows\SysWOW64\Mmifiahi.exe (depth 30; command line: C:\Windows\system32\Mmifiahi.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2932
C:\Windows\SysWOW64\Mjmgbe32.exe (depth 31; command line: C:\Windows\system32\Mjmgbe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 3004
C:\Windows\SysWOW64\Mfchgflg.exe (depth 32; command line: C:\Windows\system32\Mfchgflg.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2960
C:\Windows\SysWOW64\Mibdcakk.exe (depth 33; command line: C:\Windows\system32\Mibdcakk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2736
C:\Windows\SysWOW64\Mbjhlg32.exe (depth 34; command line: C:\Windows\system32\Mbjhlg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1236
C:\Windows\SysWOW64\Mpnifkae.exe (depth 35; command line: C:\Windows\system32\Mpnifkae.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2324
C:\Windows\SysWOW64\Mifmoa32.exe (depth 36; command line: C:\Windows\system32\Mifmoa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2792
C:\Windows\SysWOW64\Mncfgh32.exe (depth 37; command line: C:\Windows\system32\Mncfgh32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2544
C:\Windows\SysWOW64\Niijdq32.exe (depth 38; command line: C:\Windows\system32\Niijdq32.exe)
- Executes dropped EXE
PID: 2820
C:\Windows\SysWOW64\Nnfbmgcj.exe (depth 39; command line: C:\Windows\system32\Nnfbmgcj.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1496
C:\Windows\SysWOW64\Njlcah32.exe (depth 40; command line: C:\Windows\system32\Njlcah32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2260
C:\Windows\SysWOW64\Nafknbqk.exe (depth 41; command line: C:\Windows\system32\Nafknbqk.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1592
C:\Windows\SysWOW64\Ndgdpn32.exe (depth 42; command line: C:\Windows\system32\Ndgdpn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2428
C:\Windows\SysWOW64\Nmpiicdm.exe (depth 43; command line: C:\Windows\system32\Nmpiicdm.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2516
C:\Windows\SysWOW64\Ndiaem32.exe (depth 44; command line: C:\Windows\system32\Ndiaem32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 744
C:\Windows\SysWOW64\Nifjnd32.exe (depth 45; command line: C:\Windows\system32\Nifjnd32.exe)
- Executes dropped EXE
PID: 2536
C:\Windows\SysWOW64\Odlnkmjg.exe (depth 46; command line: C:\Windows\system32\Odlnkmjg.exe)
- Executes dropped EXE
- Modifies registry class
PID: 796
C:\Windows\SysWOW64\Oemjbe32.exe (depth 47; command line: C:\Windows\system32\Oemjbe32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1980
C:\Windows\SysWOW64\Olgboogb.exe (depth 48; command line: C:\Windows\system32\Olgboogb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2588
C:\Windows\SysWOW64\Ofmgmhgh.exe (depth 49; command line: C:\Windows\system32\Ofmgmhgh.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 112
C:\Windows\SysWOW64\Ohncdp32.exe (depth 50; command line: C:\Windows\system32\Ohncdp32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2560
C:\Windows\SysWOW64\Obcgaill.exe (depth 51; command line: C:\Windows\system32\Obcgaill.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2804
C:\Windows\SysWOW64\Ohppjpkc.exe (depth 52; command line: C:\Windows\system32\Ohppjpkc.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2416
C:\Windows\SysWOW64\Obfdgiji.exe (depth 53; command line: C:\Windows\system32\Obfdgiji.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1164
C:\Windows\SysWOW64\Oedqcdim.exe (depth 54; command line: C:\Windows\system32\Oedqcdim.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2748
C:\Windows\SysWOW64\Olnipn32.exe (depth 55; command line: C:\Windows\system32\Olnipn32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2888
C:\Windows\SysWOW64\Oolelj32.exe (depth 56; command line: C:\Windows\system32\Oolelj32.exe)
- Executes dropped EXE
PID: 2468
C:\Windows\SysWOW64\Oheieo32.exe (depth 57; command line: C:\Windows\system32\Oheieo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2752
C:\Windows\SysWOW64\Pgopak32.exe (depth 58; command line: C:\Windows\system32\Pgopak32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2288
C:\Windows\SysWOW64\Ppgdjqna.exe (depth 59; command line: C:\Windows\system32\Ppgdjqna.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2816
C:\Windows\SysWOW64\Pgamgken.exe (depth 60; command line: C:\Windows\system32\Pgamgken.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1304
C:\Windows\SysWOW64\Pjpicfdb.exe (depth 61; command line: C:\Windows\system32\Pjpicfdb.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 600
C:\Windows\SysWOW64\Plneoace.exe (depth 62; command line: C:\Windows\system32\Plneoace.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 272
C:\Windows\SysWOW64\Qakmghbm.exe (depth 63; command line: C:\Windows\system32\Qakmghbm.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1144
C:\Windows\SysWOW64\Qhdfdb32.exe (depth 64; command line: C:\Windows\system32\Qhdfdb32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 788
C:\Windows\SysWOW64\Qkcbpn32.exe (depth 65; command line: C:\Windows\system32\Qkcbpn32.exe)
- Executes dropped EXE
PID: 2328
C:\Windows\SysWOW64\Qamjmh32.exe (depth 66; command line: C:\Windows\system32\Qamjmh32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1500
C:\Windows\SysWOW64\Qdkfic32.exe (depth 67; command line: C:\Windows\system32\Qdkfic32.exe)
PID: 2696
C:\Windows\SysWOW64\Aaogbh32.exe (depth 68; command line: C:\Windows\system32\Aaogbh32.exe)
- System Location Discovery: System Language Discovery
PID: 924
C:\Windows\SysWOW64\Ahioobed.exe (depth 69; command line: C:\Windows\system32\Ahioobed.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1460
C:\Windows\SysWOW64\Akhkkmdh.exe (depth 70; command line: C:\Windows\system32\Akhkkmdh.exe)
PID: 1892
C:\Windows\SysWOW64\Abachg32.exe (depth 71; command line: C:\Windows\system32\Abachg32.exe)
PID: 2952
C:\Windows\SysWOW64\Ahllda32.exe (depth 72; command line: C:\Windows\system32\Ahllda32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2988
C:\Windows\SysWOW64\Ajmhljip.exe (depth 73; command line: C:\Windows\system32\Ajmhljip.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 2376
C:\Windows\SysWOW64\Aqgqid32.exe (depth 74; command line: C:\Windows\system32\Aqgqid32.exe)
- Drops file in System32 directory
PID: 1752
C:\Windows\SysWOW64\Agaifnhi.exe (depth 75; command line: C:\Windows\system32\Agaifnhi.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 800
C:\Windows\SysWOW64\Amnanefa.exe (depth 76; command line: C:\Windows\system32\Amnanefa.exe)
- System Location Discovery: System Language Discovery
PID: 2080
C:\Windows\SysWOW64\Adeiobgc.exe (depth 77; command line: C:\Windows\system32\Adeiobgc.exe)
PID: 1748
C:\Windows\SysWOW64\Afffgjma.exe (depth 78; command line: C:\Windows\system32\Afffgjma.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 3032
C:\Windows\SysWOW64\Aqljdclg.exe (depth 79; command line: C:\Windows\system32\Aqljdclg.exe)
PID: 2368
C:\Windows\SysWOW64\Afhbljko.exe (depth 80; command line: C:\Windows\system32\Afhbljko.exe)
PID: 2144
C:\Windows\SysWOW64\Bmbkid32.exe (depth 81; command line: C:\Windows\system32\Bmbkid32.exe)
- Modifies registry class
PID: 3056
C:\Windows\SysWOW64\Boqgep32.exe (depth 82; command line: C:\Windows\system32\Boqgep32.exe)
PID: 2584
C:\Windows\SysWOW64\Bfkobj32.exe (depth 83; command line: C:\Windows\system32\Bfkobj32.exe)
- System Location Discovery: System Language Discovery
PID: 700
C:\Windows\SysWOW64\Biikne32.exe (depth 84; command line: C:\Windows\system32\Biikne32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1612
C:\Windows\SysWOW64\Bcopkn32.exe (depth 85; command line: C:\Windows\system32\Bcopkn32.exe)
PID: 2664
C:\Windows\SysWOW64\Bfmlgi32.exe (depth 86; command line: C:\Windows\system32\Bfmlgi32.exe)
- Drops file in System32 directory
PID: 324
C:\Windows\SysWOW64\Bikhce32.exe (depth 87; command line: C:\Windows\system32\Bikhce32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2708
C:\Windows\SysWOW64\Bnhqll32.exe (depth 88; command line: C:\Windows\system32\Bnhqll32.exe)
- Modifies registry class
PID: 2832
C:\Windows\SysWOW64\Bebiifka.exe (depth 89; command line: C:\Windows\system32\Bebiifka.exe)
- Modifies registry class
PID: 2980
C:\Windows\SysWOW64\Bklaepbn.exe (depth 90; command line: C:\Windows\system32\Bklaepbn.exe)
PID: 2388
C:\Windows\SysWOW64\Bbfibj32.exe (depth 91; command line: C:\Windows\system32\Bbfibj32.exe)
- Drops file in System32 directory
PID: 2968
C:\Windows\SysWOW64\Bipaodah.exe (depth 92; command line: C:\Windows\system32\Bipaodah.exe)
PID: 1676
C:\Windows\SysWOW64\Bjanfl32.exe (depth 93; command line: C:\Windows\system32\Bjanfl32.exe)
PID: 3012
C:\Windows\SysWOW64\Bbhfgj32.exe (depth 94; command line: C:\Windows\system32\Bbhfgj32.exe)
PID: 1316
C:\Windows\SysWOW64\Ccjbobnf.exe (depth 95; command line: C:\Windows\system32\Ccjbobnf.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2124
C:\Windows\SysWOW64\Cjdkllec.exe (depth 96; command line: C:\Windows\system32\Cjdkllec.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2296
C:\Windows\SysWOW64\Cmbghgdg.exe (depth 97; command line: C:\Windows\system32\Cmbghgdg.exe)
PID: 1312
C:\Windows\SysWOW64\Cghkepdm.exe (depth 98; command line: C:\Windows\system32\Cghkepdm.exe)
- System Location Discovery: System Language Discovery
PID: 1544
C:\Windows\SysWOW64\Cnacbj32.exe (depth 99; command line: C:\Windows\system32\Cnacbj32.exe)
- Modifies registry class
PID: 2180
C:\Windows\SysWOW64\Cappnf32.exe (depth 100; command line: C:\Windows\system32\Cappnf32.exe)
- Drops file in System32 directory
PID: 2624
C:\Windows\SysWOW64\Cgjhkpbj.exe (depth 101; command line: C:\Windows\system32\Cgjhkpbj.exe)
- System Location Discovery: System Language Discovery
PID: 2612
C:\Windows\SysWOW64\Cikdbhhi.exe (depth 102; command line: C:\Windows\system32\Cikdbhhi.exe)
- Drops file in System32 directory
PID: 2732
C:\Windows\SysWOW64\Cabldeik.exe (depth 103; command line: C:\Windows\system32\Cabldeik.exe)
- System Location Discovery: System Language Discovery
PID: 1548
C:\Windows\SysWOW64\Cfoellgb.exe (depth 104; command line: C:\Windows\system32\Cfoellgb.exe)
- System Location Discovery: System Language Discovery
PID: 1344
C:\Windows\SysWOW64\Cllmdcej.exe (depth 105; command line: C:\Windows\system32\Cllmdcej.exe)
- System Location Discovery: System Language Discovery
PID: 2848
C:\Windows\SysWOW64\Cbfeam32.exe (depth 106; command line: C:\Windows\system32\Cbfeam32.exe)
PID: 3052
C:\Windows\SysWOW64\Cedbmi32.exe (depth 107; command line: C:\Windows\system32\Cedbmi32.exe)
- Modifies registry class
PID: 2492
C:\Windows\SysWOW64\Dpjfjalp.exe (depth 108; command line: C:\Windows\system32\Dpjfjalp.exe)
PID: 2424
C:\Windows\SysWOW64\Degobhjg.exe (depth 109; command line: C:\Windows\system32\Degobhjg.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1800
C:\Windows\SysWOW64\Dlqgob32.exe (depth 110; command line: C:\Windows\system32\Dlqgob32.exe)
PID: 2408
C:\Windows\SysWOW64\Dbkolmia.exe (depth 111; command line: C:\Windows\system32\Dbkolmia.exe)
- Drops file in System32 directory
PID: 1232
C:\Windows\SysWOW64\Deikhhhe.exe (depth 112; command line: C:\Windows\system32\Deikhhhe.exe)
PID: 1472
C:\Windows\SysWOW64\Doapanne.exe (depth 113; command line: C:\Windows\system32\Doapanne.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1072
C:\Windows\SysWOW64\Daplmimi.exe (depth 114; command line: C:\Windows\system32\Daplmimi.exe)
- Drops file in System32 directory
PID: 2720
C:\Windows\SysWOW64\Dlepjbmo.exe (depth 115; command line: C:\Windows\system32\Dlepjbmo.exe)
PID: 2184
C:\Windows\SysWOW64\Dodlfmlb.exe (depth 116; command line: C:\Windows\system32\Dodlfmlb.exe)
- Drops file in System32 directory
PID: 1900
C:\Windows\SysWOW64\Dendcg32.exe (depth 117; command line: C:\Windows\system32\Dendcg32.exe)
PID: 1904
C:\Windows\SysWOW64\Dgoakpjn.exe (depth 118; command line: C:\Windows\system32\Dgoakpjn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 640
C:\Windows\SysWOW64\Dmiihjak.exe (depth 119; command line: C:\Windows\system32\Dmiihjak.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2924
C:\Windows\SysWOW64\Ehonebqq.exe (depth 120; command line: C:\Windows\system32\Ehonebqq.exe)
- Modifies registry class
PID: 940
C:\Windows\SysWOW64\Ekmjanpd.exe (depth 121; command line: C:\Windows\system32\Ekmjanpd.exe)
PID: 2524
C:\Windows\SysWOW64\Epjbienl.exe (depth 122; command line: C:\Windows\system32\Epjbienl.exe)
- System Location Discovery: System Language Discovery
PID: 2188