Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 02:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
-
Size
844KB
-
MD5
d14fe515ac440987f89411f798eab847
-
SHA1
b485628572c6a26cd3f20b31dcb8bee265923003
-
SHA256
b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440
-
SHA512
0aa36545e7649121d81011fc1909533a5cdad62a33b16429039191a1e66feb6cb8b3b6769fc354b22f5b3b739f7bc6eecd13b6de81cbf388c2e13a3615962256
-
SSDEEP
24576:/uhH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:/MH5W3TbQihw+cdX2x46uhqllMi
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jacibm32.exeKppldhla.exeQifnhaho.exeHjohmbpd.exeCkhfpp32.exeIlcalnii.exeLohelidp.exeMpkhoj32.exeBakaaepk.exeFjfhkl32.exeFckhhgcf.exeIejkhlip.exePnnfkb32.exeHhfmbq32.exeJcciqi32.exeNgjlpmnn.exeBplijcle.exePbblkaea.exeDpmgao32.exeEbnmpemq.exeKoflgf32.exeQnqjkh32.exeDpklkgoj.exeNcmglp32.exeDmkcil32.exeIcbipe32.exeJgkdigfa.exeMjlejl32.exePicojhcm.exeGkebafoa.exeQaapcj32.exeAfliclij.exeNbhkmg32.exeLdbjdj32.exePjpmdd32.exeKckjmpko.exeMdadjd32.exeNnjicjbf.exeLmhdph32.exeNjmfhe32.exeNmnojp32.exeCapdpcge.exeMkdffoij.exeGefmcp32.exeKcginj32.exeFpmpnmck.exeKeoabo32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kppldhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjohmbpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhfpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lohelidp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bakaaepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhhgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejkhlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnnfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhfmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcciqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjlpmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bplijcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbblkaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebnmpemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnqjkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icbipe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjlejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picojhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaapcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afliclij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhkmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjpmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kckjmpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdadjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjicjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njmfhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Capdpcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gefmcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpmpnmck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoabo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Neiaeiii.exeNlcibc32.exeOadkej32.exeOhncbdbd.exeOidiekdn.exeOpnbbe32.exeObmnna32.exeOekjjl32.exePkoicb32.exePdgmlhha.exeQndkpmkm.exeQdncmgbj.exeAlnalh32.exeAomnhd32.exeAdifpk32.exeBhjlli32.exeBdqlajbb.exeBchfhfeh.exeBffbdadk.exeBieopm32.exeCcmpce32.exeCkhdggom.exeCbblda32.exeCagienkb.exeCbffoabe.exeCgcnghpl.exeCjakccop.exeCcjoli32.exeDmepkn32.exeDbaice32.exeDljmlj32.exeDfpaic32.exeDmijfmfi.exeDokfme32.exeDfbnoc32.exeDbiocd32.exeEanldqgf.exeEdlhqlfi.exeEdoefl32.exeEodicd32.exeEabepp32.exeEkkjheja.exeEkmfne32.exeFpjofl32.exeFmnopp32.exeFplllkdc.exeFckhhgcf.exeFeiddbbj.exeFlclam32.exeFcmdnfad.exeFelajbpg.exeFkhibino.exeFcpacf32.exeFdqnkoep.exeFofbhgde.exeFadndbci.exeGdcjpncm.exeGdegfn32.exeGhacfmic.exeGkoobhhg.exeGnnlocgk.exeGdhdkn32.exeGgfpgi32.exeGnphdceh.exepid Process 1964 Neiaeiii.exe 1904 Nlcibc32.exe 2680 Oadkej32.exe 2696 Ohncbdbd.exe 2584 Oidiekdn.exe 2596 Opnbbe32.exe 2616 Obmnna32.exe 2016 Oekjjl32.exe 1008 Pkoicb32.exe 1448 Pdgmlhha.exe 2932 Qndkpmkm.exe 1748 Qdncmgbj.exe 1376 Alnalh32.exe 1928 Aomnhd32.exe 2528 Adifpk32.exe 372 Bhjlli32.exe 1368 Bdqlajbb.exe 2400 Bchfhfeh.exe 2100 Bffbdadk.exe 2436 Bieopm32.exe 388 Ccmpce32.exe 2224 Ckhdggom.exe 1000 Cbblda32.exe 2020 Cagienkb.exe 1640 Cbffoabe.exe 2364 Cgcnghpl.exe 2772 Cjakccop.exe 2260 Ccjoli32.exe 2728 Dmepkn32.exe 2580 Dbaice32.exe 640 Dljmlj32.exe 2860 Dfpaic32.exe 776 Dmijfmfi.exe 1212 Dokfme32.exe 2512 Dfbnoc32.exe 2360 Dbiocd32.exe 2080 Eanldqgf.exe 448 Edlhqlfi.exe 2056 Edoefl32.exe 952 Eodicd32.exe 1648 Eabepp32.exe 1500 Ekkjheja.exe 1468 Ekmfne32.exe 2484 Fpjofl32.exe 1620 Fmnopp32.exe 1052 Fplllkdc.exe 1784 Fckhhgcf.exe 892 Feiddbbj.exe 2372 Flclam32.exe 3016 Fcmdnfad.exe 2708 Felajbpg.exe 2568 Fkhibino.exe 2536 Fcpacf32.exe 2764 Fdqnkoep.exe 2944 Fofbhgde.exe 836 Fadndbci.exe 1652 Gdcjpncm.exe 2956 Gdegfn32.exe 1312 Ghacfmic.exe 1956 Gkoobhhg.exe 2984 Gnnlocgk.exe 1700 Gdhdkn32.exe 1676 Ggfpgi32.exe 580 Gnphdceh.exe -
Loads dropped DLL 64 IoCs
Processes:
b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exeNeiaeiii.exeNlcibc32.exeOadkej32.exeOhncbdbd.exeOidiekdn.exeOpnbbe32.exeObmnna32.exeOekjjl32.exePkoicb32.exePdgmlhha.exeQndkpmkm.exeQdncmgbj.exeAlnalh32.exeAomnhd32.exeAdifpk32.exeBhjlli32.exeBdqlajbb.exeBchfhfeh.exeBffbdadk.exeBieopm32.exeCcmpce32.exeCkhdggom.exeCbblda32.exeCagienkb.exeCbffoabe.exeCgcnghpl.exeCjakccop.exeCcjoli32.exeDmepkn32.exeDbaice32.exeDljmlj32.exepid Process 2444 b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe 2444 b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe 1964 Neiaeiii.exe 1964 Neiaeiii.exe 1904 Nlcibc32.exe 1904 Nlcibc32.exe 2680 Oadkej32.exe 2680 Oadkej32.exe 2696 Ohncbdbd.exe 2696 Ohncbdbd.exe 2584 Oidiekdn.exe 2584 Oidiekdn.exe 2596 Opnbbe32.exe 2596 Opnbbe32.exe 2616 Obmnna32.exe 2616 Obmnna32.exe 2016 Oekjjl32.exe 2016 Oekjjl32.exe 1008 Pkoicb32.exe 1008 Pkoicb32.exe 1448 Pdgmlhha.exe 1448 Pdgmlhha.exe 2932 Qndkpmkm.exe 2932 Qndkpmkm.exe 1748 Qdncmgbj.exe 1748 Qdncmgbj.exe 1376 Alnalh32.exe 1376 Alnalh32.exe 1928 Aomnhd32.exe 1928 Aomnhd32.exe 2528 Adifpk32.exe 2528 Adifpk32.exe 372 Bhjlli32.exe 372 Bhjlli32.exe 1368 Bdqlajbb.exe 1368 Bdqlajbb.exe 2400 Bchfhfeh.exe 2400 Bchfhfeh.exe 2100 Bffbdadk.exe 2100 Bffbdadk.exe 2436 Bieopm32.exe 2436 Bieopm32.exe 388 Ccmpce32.exe 388 Ccmpce32.exe 2224 Ckhdggom.exe 2224 Ckhdggom.exe 1000 Cbblda32.exe 1000 Cbblda32.exe 2020 Cagienkb.exe 2020 Cagienkb.exe 1640 Cbffoabe.exe 1640 Cbffoabe.exe 2364 Cgcnghpl.exe 2364 Cgcnghpl.exe 2772 Cjakccop.exe 2772 Cjakccop.exe 2260 Ccjoli32.exe 2260 Ccjoli32.exe 2728 Dmepkn32.exe 2728 Dmepkn32.exe 2580 Dbaice32.exe 2580 Dbaice32.exe 640 Dljmlj32.exe 640 Dljmlj32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Qkghgpfi.exeEmdeok32.exeMpkhoj32.exeAblbjj32.exeHaleefoe.exeNnjicjbf.exeDnqlmq32.exeAepbmhpl.exeChggdoee.exeChjmmnnb.exeBhndnpnp.exeJqhdfe32.exeEbnabb32.exeJfcabd32.exeMjlejl32.exeIipejmko.exeApkihofl.exeKoflgf32.exeNjmfhe32.exeIoefdpne.exeGnphdceh.exeEgcfdn32.exeHhnnnbaj.exeAomnhd32.exeEppefg32.exeAbfoll32.exeIpdolbbj.exeMhkfnlme.exeEjabqi32.exeEbockkal.exeMmdkfmjc.exeFjnkpf32.exeIdbnmgll.exeOmqjgl32.exeNdbile32.exeCagienkb.exeAjldkhjh.exeGjbqjiem.exeIphgln32.exeGhgfekpn.exeKhjgel32.exeGlijnmdj.exeGqdgom32.exeOfilgh32.exeBmlbaqfh.exeNdcapd32.exeFakdcnhh.exeGcgqgd32.exeHqgddm32.exeKbmome32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Qbnphngk.exe Qkghgpfi.exe File created C:\Windows\SysWOW64\Eikfdl32.exe Emdeok32.exe File opened for modification C:\Windows\SysWOW64\Maldfbjn.exe Mpkhoj32.exe File opened for modification C:\Windows\SysWOW64\Neghdg32.exe File created C:\Windows\SysWOW64\Aejnfe32.exe Ablbjj32.exe File created C:\Windows\SysWOW64\Hehafe32.exe Haleefoe.exe File created C:\Windows\SysWOW64\Abeghmmn.exe File created C:\Windows\SysWOW64\Ndcapd32.exe Nnjicjbf.exe File opened for modification C:\Windows\SysWOW64\Difqji32.exe Dnqlmq32.exe File created C:\Windows\SysWOW64\Amgjnepn.exe Aepbmhpl.exe File opened for modification C:\Windows\SysWOW64\Cgjgol32.exe Chggdoee.exe File created C:\Windows\SysWOW64\Jchbfbij.dll Chjmmnnb.exe File created C:\Windows\SysWOW64\Fnicaj32.dll Bhndnpnp.exe File created C:\Windows\SysWOW64\Najgacfg.dll Jqhdfe32.exe File created C:\Windows\SysWOW64\Imfdhdkf.dll File created C:\Windows\SysWOW64\Eihjolae.exe Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Jibnop32.exe Jfcabd32.exe File created C:\Windows\SysWOW64\Kpqfpd32.dll Mjlejl32.exe File created C:\Windows\SysWOW64\Cbloen32.dll File created C:\Windows\SysWOW64\Bgcmiq32.dll Iipejmko.exe File opened for modification C:\Windows\SysWOW64\Adgein32.exe Apkihofl.exe File created C:\Windows\SysWOW64\Mbiamkii.dll File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe Koflgf32.exe File created C:\Windows\SysWOW64\Dqjjfh32.dll Njmfhe32.exe File created C:\Windows\SysWOW64\Ojoppamn.dll Ioefdpne.exe File created C:\Windows\SysWOW64\Ehgaknbp.exe File created C:\Windows\SysWOW64\Gdjqamme.exe Gnphdceh.exe File created C:\Windows\SysWOW64\Jcmfjeap.dll Egcfdn32.exe File opened for modification C:\Windows\SysWOW64\Hipkfkgh.exe Hhnnnbaj.exe File created C:\Windows\SysWOW64\Adifpk32.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Ldaomc32.dll Eppefg32.exe File created C:\Windows\SysWOW64\Jibnop32.exe Jfcabd32.exe File created C:\Windows\SysWOW64\Gpccle32.dll Abfoll32.exe File created C:\Windows\SysWOW64\Hihpflaf.dll Ipdolbbj.exe File created C:\Windows\SysWOW64\Egfokakc.dll Aomnhd32.exe File opened for modification C:\Windows\SysWOW64\Oacbdg32.exe File created C:\Windows\SysWOW64\Qnnhcknd.exe File opened for modification C:\Windows\SysWOW64\Mgnfji32.exe Mhkfnlme.exe File opened for modification C:\Windows\SysWOW64\Deiipp32.exe File created C:\Windows\SysWOW64\Empomd32.exe Ejabqi32.exe File created C:\Windows\SysWOW64\Ejfllhao.exe Ebockkal.exe File opened for modification C:\Windows\SysWOW64\Mcacochk.exe Mmdkfmjc.exe File created C:\Windows\SysWOW64\Fmlglb32.exe Fjnkpf32.exe File opened for modification C:\Windows\SysWOW64\Enkdda32.exe File opened for modification C:\Windows\SysWOW64\Jjkiie32.exe File created C:\Windows\SysWOW64\Inkcem32.exe Idbnmgll.exe File created C:\Windows\SysWOW64\Ockbdebl.exe Omqjgl32.exe File opened for modification C:\Windows\SysWOW64\Nklaipbj.exe Ndbile32.exe File opened for modification C:\Windows\SysWOW64\Ajcldpkd.exe File opened for modification C:\Windows\SysWOW64\Cbffoabe.exe Cagienkb.exe File created C:\Windows\SysWOW64\Apilcoho.exe Ajldkhjh.exe File created C:\Windows\SysWOW64\Gamifcmi.exe Gjbqjiem.exe File opened for modification C:\Windows\SysWOW64\Ifbphh32.exe Iphgln32.exe File created C:\Windows\SysWOW64\Gkebafoa.exe Ghgfekpn.exe File opened for modification C:\Windows\SysWOW64\Kocpbfei.exe Khjgel32.exe File created C:\Windows\SysWOW64\Gngfjicn.exe Glijnmdj.exe File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe Gqdgom32.exe File created C:\Windows\SysWOW64\Oighcd32.exe Ofilgh32.exe File created C:\Windows\SysWOW64\Jggdmb32.dll Bmlbaqfh.exe File created C:\Windows\SysWOW64\Nkgcpnbh.dll Ndcapd32.exe File created C:\Windows\SysWOW64\Fooembgb.exe Fakdcnhh.exe File created C:\Windows\SysWOW64\Gefmcp32.exe Gcgqgd32.exe File opened for modification C:\Windows\SysWOW64\Hcepqh32.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Khjgel32.exe Kbmome32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 5840 7164 1322 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Iichjc32.exeEihjolae.exeKngekdnf.exeMgnfji32.exeHbdjcffd.exeQjddgj32.exeImogcj32.exeHeedqe32.exeGconbj32.exeAanibhoh.exeHgiked32.exeFcdbcloi.exeFpjofl32.exeHiclkp32.exeOjbbmnhc.exeGmidlmcd.exeEbappk32.exeBmelpa32.exeGdjqamme.exeObecld32.exeEgcfdn32.exeDqddmd32.exeDpmgao32.exeCcjoli32.exeBjjaikoa.exeCjljnn32.exeHoqjqhjf.exeAinkcf32.exeLophacfl.exeLjjhdm32.exeDoijcjde.exeCagienkb.exeEanldqgf.exePnchhllf.exePcnfdl32.exeApilcoho.exeJkopndcb.exeOpnbbe32.exeNqeapo32.exeNnleiipc.exeNjeccjcd.exeEfedga32.exeHgfheodo.exeGhmnmo32.exePdgmlhha.exeIndnnfdn.exeDpfkeb32.exeJgkdigfa.exeIjfqfj32.exeKpoejbhe.exePlpopddd.exeDgnjqe32.exeLgfjggll.exeKgjjndeq.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iichjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihjolae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngekdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjddgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imogcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heedqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gconbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanibhoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcdbcloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiclkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbbmnhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmidlmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebappk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjqamme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obecld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcfdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqddmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmgao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjaikoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainkcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophacfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doijcjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apilcoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkopndcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqeapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfheodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmnmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indnnfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdigfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfqfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoejbhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpopddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgfjggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjjndeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Fpjofl32.exeJnagmc32.exeKngekdnf.exeGmcikd32.exeFappgflg.exeDkdmfe32.exeMokkegmm.exeDkbbinig.exeCkhfpp32.exeBldpiifb.exeFlclam32.exePpdfimji.exeIaaekl32.exeFdqnkoep.exeIfpcchai.exeJajocl32.exeEppefg32.exeDoqkpl32.exeAiaoclgl.exeHmefad32.exeAadobccg.exeLdbjdj32.exeFllaopcg.exeLjplkonl.exePdgmlhha.exeBdqlajbb.exeEqcjaa32.exeAfmbak32.exeGgfbpaeo.exeHgfheodo.exeIkicikap.exeQdncmgbj.exeOjbbmnhc.exeBllcnega.exeBdfooh32.exeBngfmhbj.exePmfjmake.exeCapdpcge.exeDcbnpgkh.exeHpcpdfhj.exeOabplobe.exeQbnphngk.exeLmalgq32.exeBmelpa32.exeHhdqma32.exeHiqoeplo.exeJoggci32.exeLhhkapeh.exeHpgfmeag.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqbnn32.dll" Fpjofl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnagmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kngekdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmcikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mokkegmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkbbinig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelafcdj.dll" Ckhfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll" Bldpiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclafh32.dll" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmbdjfi.dll" Fdqnkoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhgkj32.dll" Ifpcchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnenhj32.dll" Jajocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaomc32.dll" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll" Doqkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" Aiaoclgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmefad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldbjdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljplkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqcjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmahec32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieqili32.dll" Afmbak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggfbpaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abfdhg32.dll" Hgfheodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikicikap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonfjjge.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkbipak.dll" Bllcnega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhjoc32.dll" Bdfooh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bngfmhbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmfjmake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll" Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcbnpgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpcpdfhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oabplobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhnce32.dll" Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll" Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooohcdo.dll" Hhdqma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joggci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpgfmeag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exeNeiaeiii.exeNlcibc32.exeOadkej32.exeOhncbdbd.exeOidiekdn.exeOpnbbe32.exeObmnna32.exeOekjjl32.exePkoicb32.exePdgmlhha.exeQndkpmkm.exeQdncmgbj.exeAlnalh32.exeAomnhd32.exeAdifpk32.exedescription pid Process procid_target PID 2444 wrote to memory of 1964 2444 b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe 31 PID 2444 wrote to memory of 1964 2444 b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe 31 PID 2444 wrote to memory of 1964 2444 b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe 31 PID 2444 wrote to memory of 1964 2444 b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe 31 PID 1964 wrote to memory of 1904 1964 Neiaeiii.exe 32 PID 1964 wrote to memory of 1904 1964 Neiaeiii.exe 32 PID 1964 wrote to memory of 1904 1964 Neiaeiii.exe 32 PID 1964 wrote to memory of 1904 1964 Neiaeiii.exe 32 PID 1904 wrote to memory of 2680 1904 Nlcibc32.exe 33 PID 1904 wrote to memory of 2680 1904 Nlcibc32.exe 33 PID 1904 wrote to memory of 2680 1904 Nlcibc32.exe 33 PID 1904 wrote to memory of 2680 1904 Nlcibc32.exe 33 PID 2680 wrote to memory of 2696 2680 Oadkej32.exe 34 PID 2680 wrote to memory of 2696 2680 Oadkej32.exe 34 PID 2680 wrote to memory of 2696 2680 Oadkej32.exe 34 PID 2680 wrote to memory of 2696 2680 Oadkej32.exe 34 PID 2696 wrote to memory of 2584 2696 Ohncbdbd.exe 35 PID 2696 wrote to memory of 2584 2696 Ohncbdbd.exe 35 PID 2696 wrote to memory of 2584 2696 Ohncbdbd.exe 35 PID 2696 wrote to memory of 2584 2696 Ohncbdbd.exe 35 PID 2584 wrote to memory of 2596 2584 Oidiekdn.exe 36 PID 2584 wrote to memory of 2596 2584 Oidiekdn.exe 36 PID 2584 wrote to memory of 2596 2584 Oidiekdn.exe 36 PID 2584 wrote to memory of 2596 2584 Oidiekdn.exe 36 PID 2596 wrote to memory of 2616 2596 Opnbbe32.exe 37 PID 2596 wrote to memory of 2616 2596 Opnbbe32.exe 37 PID 2596 wrote to memory of 2616 2596 Opnbbe32.exe 37 PID 2596 wrote to memory of 2616 2596 Opnbbe32.exe 37 PID 2616 wrote to memory of 2016 2616 Obmnna32.exe 38 PID 2616 wrote to memory of 2016 2616 Obmnna32.exe 38 PID 2616 wrote to memory of 2016 2616 Obmnna32.exe 38 PID 2616 wrote to memory of 2016 2616 Obmnna32.exe 38 PID 2016 wrote to memory of 1008 2016 Oekjjl32.exe 39 PID 2016 wrote to memory of 1008 2016 Oekjjl32.exe 39 PID 2016 wrote to memory of 1008 2016 Oekjjl32.exe 39 PID 2016 wrote to memory of 1008 2016 Oekjjl32.exe 39 PID 1008 wrote to memory of 1448 1008 Pkoicb32.exe 40 PID 1008 wrote to memory of 1448 1008 Pkoicb32.exe 40 PID 1008 wrote to memory of 1448 1008 Pkoicb32.exe 40 PID 1008 wrote to memory of 1448 1008 Pkoicb32.exe 40 PID 1448 wrote to memory of 2932 1448 Pdgmlhha.exe 41 PID 1448 wrote to memory of 2932 1448 Pdgmlhha.exe 41 PID 1448 wrote to memory of 2932 1448 Pdgmlhha.exe 41 PID 1448 wrote to memory of 2932 1448 Pdgmlhha.exe 41 PID 2932 wrote to memory of 1748 2932 Qndkpmkm.exe 42 PID 2932 wrote to memory of 1748 2932 Qndkpmkm.exe 42 PID 2932 wrote to memory of 1748 2932 Qndkpmkm.exe 42 PID 2932 wrote to memory of 1748 2932 Qndkpmkm.exe 42 PID 1748 wrote to memory of 1376 1748 Qdncmgbj.exe 43 PID 1748 wrote to memory of 1376 1748 Qdncmgbj.exe 43 PID 1748 wrote to memory of 1376 1748 Qdncmgbj.exe 43 PID 1748 wrote to memory of 1376 1748 Qdncmgbj.exe 43 PID 1376 wrote to memory of 1928 1376 Alnalh32.exe 44 PID 1376 wrote to memory of 1928 1376 Alnalh32.exe 44 PID 1376 wrote to memory of 1928 1376 Alnalh32.exe 44 PID 1376 wrote to memory of 1928 1376 Alnalh32.exe 44 PID 1928 wrote to memory of 2528 1928 Aomnhd32.exe 45 PID 1928 wrote to memory of 2528 1928 Aomnhd32.exe 45 PID 1928 wrote to memory of 2528 1928 Aomnhd32.exe 45 PID 1928 wrote to memory of 2528 1928 Aomnhd32.exe 45 PID 2528 wrote to memory of 372 2528 Adifpk32.exe 46 PID 2528 wrote to memory of 372 2528 Adifpk32.exe 46 PID 2528 wrote to memory of 372 2528 Adifpk32.exe 46 PID 2528 wrote to memory of 372 2528 Adifpk32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe"C:\Users\Admin\AppData\Local\Temp\b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:372 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:388 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ccjoli32.exeC:\Windows\system32\Ccjoli32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe33⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe34⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe35⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe36⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe37⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe39⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe40⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe41⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe42⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe43⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe44⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe46⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe47⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe49⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe51⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe52⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe53⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe54⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe56⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe57⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe58⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe59⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe60⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe61⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe62⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe63⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe64⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe66⤵
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe67⤵PID:1012
-
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe68⤵PID:2412
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe69⤵PID:2416
-
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe71⤵PID:2688
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe72⤵PID:2796
-
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe73⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe74⤵PID:2880
-
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe75⤵PID:2068
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe76⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe77⤵PID:2232
-
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe78⤵PID:760
-
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe79⤵PID:1416
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe80⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe81⤵PID:840
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe82⤵PID:476
-
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe83⤵PID:2348
-
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe84⤵PID:2328
-
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe85⤵PID:1248
-
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe86⤵
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe87⤵PID:2604
-
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe88⤵PID:788
-
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe89⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe90⤵PID:2864
-
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe91⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe92⤵PID:2972
-
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe93⤵PID:1252
-
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe94⤵PID:832
-
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe96⤵PID:2208
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe97⤵PID:1556
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe99⤵PID:2988
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe100⤵PID:2668
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe101⤵PID:2240
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe102⤵PID:2116
-
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe103⤵PID:1048
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe104⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe105⤵PID:1192
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe106⤵PID:2236
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe107⤵PID:2532
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe108⤵PID:1520
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe109⤵PID:1580
-
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe110⤵PID:2636
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe111⤵PID:1884
-
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe112⤵PID:2756
-
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe113⤵PID:2640
-
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe114⤵PID:2592
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe115⤵PID:2964
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe116⤵PID:2648
-
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe117⤵PID:1724
-
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe118⤵PID:2264
-
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe119⤵PID:560
-
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe120⤵PID:2832
-
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe121⤵PID:2308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-