Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 23-11-2024 02:51

Static task: static1

Behavioral task: behavioral1
Sample: d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f.exe
Resource: win10v2004-20241007-en

General
Target: d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f.exe
Size: 288KB
MD5: 2760a55f9f727e20be63fb8214f73033
SHA1: 16fd3b42b547896b94bb0520ba4fd7cd75291377
SHA256: d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f
SHA512: 5445e2ee211b6b0f4efe2d72f67edd1b656384dcde541b439d72a6311708d146edf062d81cd69e168e4d64a0e798d99ba963cb5c5ee667c120ab00fae172279e
SSDEEP: 6144:LWB/rVQg+kMXp3pui6yYPaIGckfru5xyDpui6yYPaIGckSUv:A/r6XNpV6yYP4rbpV6yYPgv
Malware Config
Extracted
Family: berbew
URLs:
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe, pid 7140, pid_target 760, procid_target 728
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkalpla.dll" Ebckmaec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpbjee.dll" Ipeaco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekdchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll" Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cenljmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmbcen32.exe -
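The records above show how the persistence fits together: every dropped copy registers the same CLSID {79ECA078-17FF-726B-E811-213280E5C831} under Classes\Wow6432Node, points its InProcServer32 default value at a freshly dropped, randomly named DLL in SysWow64, and (in the "Adds autorun key" records) lists that CLSID under ShellServiceObjectDelayLoad as "Web Event Logger", so Explorer loads the DLL at logon. The following script is an added example, not part of the sandbox report or of the Berbew sample: it parses records in the report's own "description ioc Process" layout and reconstructs the SSODL value -> CLSID -> DLL chain, naming the processes that wrote it. The sample lines are copied from the tables above; the `trusted_dlls` allowlist is a hypothetical parameter, not something the report provides.

```python
"""Reconstruct the SSODL persistence chain from sandbox registry records.

Added example, not part of the sandbox report. Records are parsed in the
report's own "description ioc Process" layout.
"""
import re
from collections import defaultdict

# Sample records copied from the report above, one per line.
SAMPLE_RECORDS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpkpadnl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enlidg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdbepm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll" Ahebaiac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllnnkld.dll" Iichjc32.exe
'''

# One record: operation, registry path, optional quoted string data, writing process.
RECORD_RE = re.compile(
    r'^(?P<op>Key created|Set value \(str\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<proc>\S+\.exe)$'
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
SSODL = '\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload\\'


def parse_records(text):
    """Parse report lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec['data'] is not None:
            # The report escapes backslashes inside string data ("C:\\Windows\\...").
            rec['data'] = rec['data'].replace('\\\\', '\\')
        records.append(rec)
    return records


def persistence_chain(records):
    """Map each SSODL value name to its CLSID, the InProcServer32 DLLs registered
    for that CLSID, and the processes that wrote under the CLSID key."""
    ssodl = {}                  # SSODL value name -> CLSID
    dlls = defaultdict(set)     # CLSID -> InProcServer32 default values (DLL paths)
    writers = defaultdict(set)  # CLSID -> processes that touched the key
    for rec in records:
        path, low = rec['path'], rec['path'].lower()
        if rec['op'] != 'Key created' and SSODL in low:
            m = CLSID_RE.search(rec['data'] or '')
            if m:
                ssodl[path.rsplit('\\', 1)[1]] = m.group(0).upper()
            continue
        m = CLSID_RE.search(path)
        if m and '\\inprocserver32' in low:
            clsid = m.group(0).upper()
            writers[clsid].add(rec['proc'])
            # The default value of InProcServer32 is the DLL Explorer will load.
            if rec['op'] != 'Key created' and path.endswith('\\InProcServer32\\'):
                dlls[clsid].add(rec['data'])
    return {name: {'clsid': c, 'dlls': sorted(dlls[c]), 'writers': sorted(writers[c])}
            for name, c in ssodl.items()}


def suspicious_entries(chain, trusted_dlls=frozenset()):
    """SSODL entries whose server DLL is missing or not in the caller's allowlist.

    trusted_dlls is a hypothetical, lower-cased allowlist of full DLL paths;
    with the default empty set every entry is reported."""
    return sorted(name for name, info in chain.items()
                  if not info['dlls']
                  or any(d.lower() not in trusted_dlls for d in info['dlls']))


if __name__ == '__main__':
    chain = persistence_chain(parse_records(SAMPLE_RECORDS))
    for name, info in chain.items():
        print(f"{name} -> {info['clsid']}")
        for dll in info['dlls']:
            print(f"  InProcServer32 = {dll}")
        print(f"  written by: {', '.join(info['writers'])}")
    print("suspicious:", suspicious_entries(chain))
```

Run against the five sample records it reports one entry, "Web Event Logger", resolving to two different DLLs for the same CLSID, which is the tell for this family: a legitimate COM registration has one server DLL, while each Berbew copy overwrites the default value with its own drop. On a live host the same logic applies to the output of `reg query` over the two keys; nothing here depends on the sandbox.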
Suspicious use of WriteProcessMemory 64 IoCs
Processes: d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f.exe, Gbaken32.exe, Gildahhp.exe, Gpelnb32.exe, Hbiaemkk.exe, Hhhgcc32.exe, Hnbopmnm.exe, Ipehmebh.exe, Iphecepe.exe, Imleli32.exe, Ilabmedg.exe, Ifffkncm.exe, Ielclkhe.exe, Jhlmmfef.exe, Jniefm32.exe, Jkpbdq32.exe
description | pid | Process | procid_target (each line below stands for 4 identical records)
PID 2360 wrote to memory of 3056 | 2360 | d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f.exe | 30
PID 3056 wrote to memory of 2312 | 3056 | Gbaken32.exe | 31
PID 2312 wrote to memory of 1244 | 2312 | Gildahhp.exe | 32
PID 1244 wrote to memory of 2380 | 1244 | Gpelnb32.exe | 33
PID 2380 wrote to memory of 2848 | 2380 | Hbiaemkk.exe | 34
PID 2848 wrote to memory of 3008 | 2848 | Hhhgcc32.exe | 35
PID 3008 wrote to memory of 2884 | 3008 | Hnbopmnm.exe | 36
PID 2884 wrote to memory of 2624 | 2884 | Ipehmebh.exe | 37
PID 2624 wrote to memory of 2212 | 2624 | Iphecepe.exe | 38
PID 2212 wrote to memory of 668 | 2212 | Imleli32.exe | 39
PID 668 wrote to memory of 760 | 668 | Ilabmedg.exe | 40
PID 760 wrote to memory of 1152 | 760 | Ifffkncm.exe | 41
PID 1152 wrote to memory of 1764 | 1152 | Ielclkhe.exe | 42
PID 1764 wrote to memory of 2488 | 1764 | Jhlmmfef.exe | 43
PID 2488 wrote to memory of 2292 | 2488 | Jniefm32.exe | 44
PID 2292 wrote to memory of 1304 | 2292 | Jkpbdq32.exe | 45
Processes
Entry numbers are the sandbox's tree depth: each process is spawned by the one listed before it.
1. C:\Users\Admin\AppData\Local\Temp\d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f.exe (PID 2360)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d47636412ce71fc90e9dd6ea01be96117ed690aee2a66f7b9e5759d064039d1f.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Gbaken32.exe (PID 3056)
   Command line: C:\Windows\system32\Gbaken32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Gildahhp.exe (PID 2312)
   Command line: C:\Windows\system32\Gildahhp.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Gpelnb32.exe (PID 1244)
   Command line: C:\Windows\system32\Gpelnb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Hbiaemkk.exe (PID 2380)
   Command line: C:\Windows\system32\Hbiaemkk.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Hhhgcc32.exe (PID 2848)
   Command line: C:\Windows\system32\Hhhgcc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hnbopmnm.exe (PID 3008)
   Command line: C:\Windows\system32\Hnbopmnm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ipehmebh.exe (PID 2884)
   Command line: C:\Windows\system32\Ipehmebh.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Iphecepe.exe (PID 2624)
   Command line: C:\Windows\system32\Iphecepe.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Imleli32.exe (PID 2212)
   Command line: C:\Windows\system32\Imleli32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ilabmedg.exe (PID 668)
   Command line: C:\Windows\system32\Ilabmedg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ifffkncm.exe (PID 760)
   Command line: C:\Windows\system32\Ifffkncm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ielclkhe.exe (PID 1152)
   Command line: C:\Windows\system32\Ielclkhe.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jhlmmfef.exe (PID 1764)
   Command line: C:\Windows\system32\Jhlmmfef.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jniefm32.exe (PID 2488)
   Command line: C:\Windows\system32\Jniefm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Jkpbdq32.exe (PID 2292)
   Command line: C:\Windows\system32\Jkpbdq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Jdhgnf32.exe (PID 1304)
   Command line: C:\Windows\system32\Jdhgnf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Kdjccf32.exe (PID 2536)
   Command line: C:\Windows\system32\Kdjccf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Kjglkm32.exe (PID 1344)
   Command line: C:\Windows\system32\Kjglkm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
20. C:\Windows\SysWOW64\Kfnmpn32.exe (PID 1356)
   Command line: C:\Windows\system32\Kfnmpn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Kpcqnf32.exe (PID 1720)
   Command line: C:\Windows\system32\Kpcqnf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
22. C:\Windows\SysWOW64\Kfpifm32.exe (PID 2612)
   Command line: C:\Windows\system32\Kfpifm32.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Khoebi32.exe (PID 2516)
   Command line: C:\Windows\system32\Khoebi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\Kbgjkn32.exe (PID 1196)
   Command line: C:\Windows\system32\Kbgjkn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Kllnhg32.exe (PID 2336)
   Command line: C:\Windows\system32\Kllnhg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Kbigpn32.exe (PID 2348)
   Command line: C:\Windows\system32\Kbigpn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Khcomhbi.exe (PID 2996)
   Command line: C:\Windows\system32\Khcomhbi.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Lqncaj32.exe (PID 1428)
   Command line: C:\Windows\system32\Lqncaj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Lkdhoc32.exe (PID 2552)
   Command line: C:\Windows\system32\Lkdhoc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Lcomce32.exe (PID 2112)
   Command line: C:\Windows\system32\Lcomce32.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Lkfddc32.exe (PID 2732)
   Command line: C:\Windows\system32\Lkfddc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Lcaiiejc.exe (PID 2844)
   Command line: C:\Windows\system32\Lcaiiejc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
33. C:\Windows\SysWOW64\Lfpeeqig.exe (PID 2868)
   Command line: C:\Windows\system32\Lfpeeqig.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Ljnnko32.exe (PID 2788)
   Command line: C:\Windows\system32\Ljnnko32.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Lmljgj32.exe (PID 2660)
   Command line: C:\Windows\system32\Lmljgj32.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Mkaghg32.exe (PID 1976)
   Command line: C:\Windows\system32\Mkaghg32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
37. C:\Windows\SysWOW64\Mchoid32.exe (PID 592)
   Command line: C:\Windows\system32\Mchoid32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Mpopnejo.exe (PID 1540)
   Command line: C:\Windows\system32\Mpopnejo.exe
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Melifl32.exe (PID 1004)
   Command line: C:\Windows\system32\Melifl32.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Mndmoaog.exe (PID 1616)
   Command line: C:\Windows\system32\Mndmoaog.exe
   - Executes dropped EXE
   - Drops file in System32 directory
41. C:\Windows\SysWOW64\Macilmnk.exe (PID 584)
   Command line: C:\Windows\system32\Macilmnk.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Mlhnifmq.exe (PID 2280)
   Command line: C:\Windows\system32\Mlhnifmq.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Meabakda.exe (PID 1728)
   Command line: C:\Windows\system32\Meabakda.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
44. C:\Windows\SysWOW64\Necogkbo.exe (PID 1856)
   Command line: C:\Windows\system32\Necogkbo.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
45. C:\Windows\SysWOW64\Nhakcfab.exe (PID 2384)
   Command line: C:\Windows\system32\Nhakcfab.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
46. C:\Windows\SysWOW64\Nmnclmoj.exe (PID 2116)
   Command line: C:\Windows\system32\Nmnclmoj.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Npmphinm.exe (PID 1640)
   Command line: C:\Windows\system32\Npmphinm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Njbdea32.exe (PID 1056)
   Command line: C:\Windows\system32\Njbdea32.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Npolmh32.exe (PID 2196)
   Command line: C:\Windows\system32\Npolmh32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Nmcmgm32.exe (PID 1740)
   Command line: C:\Windows\system32\Nmcmgm32.exe
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Npaich32.exe (PID 1752)
   Command line: C:\Windows\system32\Npaich32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Nenakoho.exe (PID 1960)
   Command line: C:\Windows\system32\Nenakoho.exe
   - Executes dropped EXE
   - Drops file in System32 directory
53. C:\Windows\SysWOW64\Nlhjhi32.exe (PID 2352)
   Command line: C:\Windows\system32\Nlhjhi32.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Nfnneb32.exe (PID 2720)
   Command line: C:\Windows\system32\Nfnneb32.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Neqnqofm.exe (PID 2368)
   Command line: C:\Windows\system32\Neqnqofm.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ohojmjep.exe (PID 2856)
   Command line: C:\Windows\system32\Ohojmjep.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Opfbngfb.exe (PID 2804)
   Command line: C:\Windows\system32\Opfbngfb.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Oagoep32.exe (PID 2872)
   Command line: C:\Windows\system32\Oagoep32.exe
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Ohagbj32.exe (PID 2800)
   Command line: C:\Windows\system32\Ohagbj32.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Ookpodkj.exe (PID 2372)
   Command line: C:\Windows\system32\Ookpodkj.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Oeehln32.exe (PID 1156)
   Command line: C:\Windows\system32\Oeehln32.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Oonldcih.exe (PID 2012)
   Command line: C:\Windows\system32\Oonldcih.exe
   - Executes dropped EXE
   - Drops file in System32 directory
63. C:\Windows\SysWOW64\Oehdan32.exe (PID 2944)
   Command line: C:\Windows\system32\Oehdan32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Odjdmjgo.exe (PID 2176)
   Command line: C:\Windows\system32\Odjdmjgo.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Omcifpnp.exe (PID 316)
   Command line: C:\Windows\system32\Omcifpnp.exe
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Opaebkmc.exe (PID 1776)
   Command line: C:\Windows\system32\Opaebkmc.exe
67. C:\Windows\SysWOW64\Ogknoe32.exe (PID 308)
   Command line: C:\Windows\system32\Ogknoe32.exe
68. C:\Windows\SysWOW64\Okgjodmi.exe (PID 1532)
   Command line: C:\Windows\system32\Okgjodmi.exe
   - System Location Discovery: System Language Discovery
69. C:\Windows\SysWOW64\Ppcbgkka.exe (PID 324)
   Command line: C:\Windows\system32\Ppcbgkka.exe
70. C:\Windows\SysWOW64\Pgnjde32.exe (PID 1952)
   Command line: C:\Windows\system32\Pgnjde32.exe
71. C:\Windows\SysWOW64\Pljcllqe.exe (PID 2168)
   Command line: C:\Windows\system32\Pljcllqe.exe
72. C:\Windows\SysWOW64\Pincfpoo.exe (PID 3060)
   Command line: C:\Windows\system32\Pincfpoo.exe
73. C:\Windows\SysWOW64\Pphkbj32.exe (PID 2100)
   Command line: C:\Windows\system32\Pphkbj32.exe
74. C:\Windows\SysWOW64\Poklngnf.exe (PID 1908)
   Command line: C:\Windows\system32\Poklngnf.exe
75. C:\Windows\SysWOW64\Piqpkpml.exe (PID 2840)
   Command line: C:\Windows\system32\Piqpkpml.exe
76. C:\Windows\SysWOW64\Palepb32.exe (PID 2808)
   Command line: C:\Windows\system32\Palepb32.exe
   - Modifies registry class
77. C:\Windows\SysWOW64\Pegqpacp.exe (PID 3052)
   Command line: C:\Windows\system32\Pegqpacp.exe
78. C:\Windows\SysWOW64\Plaimk32.exe (PID 2860)
   Command line: C:\Windows\system32\Plaimk32.exe
79. C:\Windows\SysWOW64\Pckajebj.exe (PID 2924)
   Command line: C:\Windows\system32\Pckajebj.exe
80. C:\Windows\SysWOW64\Phhjblpa.exe (PID 2928)
   Command line: C:\Windows\system32\Phhjblpa.exe
81. C:\Windows\SysWOW64\Qkffng32.exe (PID 2940)
   Command line: C:\Windows\system32\Qkffng32.exe
   - Drops file in System32 directory
82. C:\Windows\SysWOW64\Qaqnkafa.exe (PID 2956)
   Command line: C:\Windows\system32\Qaqnkafa.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
83. C:\Windows\SysWOW64\Qdojgmfe.exe (PID 2032)
   Command line: C:\Windows\system32\Qdojgmfe.exe
84. C:\Windows\SysWOW64\Qododfek.exe (PID 1692)
   Command line: C:\Windows\system32\Qododfek.exe
   - Modifies registry class
85. C:\Windows\SysWOW64\Qqfkln32.exe (PID 1708)
   Command line: C:\Windows\system32\Qqfkln32.exe
   - System Location Discovery: System Language Discovery
86. C:\Windows\SysWOW64\Qdaglmcb.exe (PID 696)
   Command line: C:\Windows\system32\Qdaglmcb.exe
87. C:\Windows\SysWOW64\Akkoig32.exe (PID 2420)
   Command line: C:\Windows\system32\Akkoig32.exe
   - Drops file in System32 directory
88. C:\Windows\SysWOW64\Adcdbl32.exe (PID 2708)
   Command line: C:\Windows\system32\Adcdbl32.exe
89. C:\Windows\SysWOW64\Agbpnh32.exe (PID 1672)
   Command line: C:\Windows\system32\Agbpnh32.exe
   - System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Ajqljc32.exe (PID 844)
   Command line: C:\Windows\system32\Ajqljc32.exe
91. C:\Windows\SysWOW64\Aqjdgmgd.exe (PID 2760)
   Command line: C:\Windows\system32\Aqjdgmgd.exe
92. C:\Windows\SysWOW64\Adfqgl32.exe (PID 2512)
   Command line: C:\Windows\system32\Adfqgl32.exe
93. C:\Windows\SysWOW64\Agdmdg32.exe (PID 2632)
   Command line: C:\Windows\system32\Agdmdg32.exe
94. C:\Windows\SysWOW64\Anneqafn.exe (PID 2616)
   Command line: C:\Windows\system32\Anneqafn.exe
95. C:\Windows\SysWOW64\Aggiigmn.exe (PID 396)
   Command line: C:\Windows\system32\Aggiigmn.exe
96. C:\Windows\SysWOW64\Aqonbm32.exe (PID 1804)
   Command line: C:\Windows\system32\Aqonbm32.exe
   - System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Acnjnh32.exe (PID 2952)
   Command line: C:\Windows\system32\Acnjnh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Aijbfo32.exe (PID 496)
   Command line: C:\Windows\system32\Aijbfo32.exe
99. C:\Windows\SysWOW64\Aodkci32.exe (PID 608)
   Command line: C:\Windows\system32\Aodkci32.exe
   - Drops file in System32 directory
100. C:\Windows\SysWOW64\Bbbgod32.exe (PID 896)
   Command line: C:\Windows\system32\Bbbgod32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
101. C:\Windows\SysWOW64\Bfncpcoc.exe (PID 2124)
   Command line: C:\Windows\system32\Bfncpcoc.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Bkklhjnk.exe (PID 108)
   Command line: C:\Windows\system32\Bkklhjnk.exe
103. C:\Windows\SysWOW64\Bbeded32.exe (PID 1648)
   Command line: C:\Windows\system32\Bbeded32.exe
   - System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Bfqpecma.exe (PID 2264)
   Command line: C:\Windows\system32\Bfqpecma.exe
105. C:\Windows\SysWOW64\Bkmhnjlh.exe (PID 2776)
   Command line: C:\Windows\system32\Bkmhnjlh.exe
   - Drops file in System32 directory
106. C:\Windows\SysWOW64\Bbgqjdce.exe (PID 2200)
   Command line: C:\Windows\system32\Bbgqjdce.exe
107. C:\Windows\SysWOW64\Befmfpbi.exe (PID 2700)
   Command line: C:\Windows\system32\Befmfpbi.exe
108. C:\Windows\SysWOW64\Bjbeofpp.exe (PID 2140)
   Command line: C:\Windows\system32\Bjbeofpp.exe
109. C:\Windows\SysWOW64\Bbjmpcab.exe (PID 1312)
   Command line: C:\Windows\system32\Bbjmpcab.exe
   - Drops file in System32 directory
110. C:\Windows\SysWOW64\Bjebdfnn.exe (PID 1932)
   Command line: C:\Windows\system32\Bjebdfnn.exe
111. C:\Windows\SysWOW64\Bmcnqama.exe (PID 2232)
   Command line: C:\Windows\system32\Bmcnqama.exe
   - System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Bejfao32.exe (PID 1028)
   Command line: C:\Windows\system32\Bejfao32.exe
113. C:\Windows\SysWOW64\Bgibnj32.exe (PID 1904)
   Command line: C:\Windows\system32\Bgibnj32.exe
114. C:\Windows\SysWOW64\Cmfkfa32.exe (PID 2584)
   Command line: C:\Windows\system32\Cmfkfa32.exe
115. C:\Windows\SysWOW64\Ccpcckck.exe (PID 1572)
   Command line: C:\Windows\system32\Ccpcckck.exe
116. C:\Windows\SysWOW64\Cillkbac.exe (PID 2736)
   Command line: C:\Windows\system32\Cillkbac.exe
117. C:\Windows\SysWOW64\Cpfdhl32.exe (PID 2668)
   Command line: C:\Windows\system32\Cpfdhl32.exe
   - System Location Discovery: System Language Discovery
118. C:\Windows\SysWOW64\Ccbphk32.exe (PID 2824)
   Command line: C:\Windows\system32\Ccbphk32.exe
119. C:\Windows\SysWOW64\Cfpldf32.exe (PID 380)
   Command line: C:\Windows\system32\Cfpldf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Cjlheehe.exe (PID 2976)
   Command line: C:\Windows\system32\Cjlheehe.exe
   - System Location Discovery: System Language Discovery
121. C:\Windows\SysWOW64\Cpiqmlfm.exe (PID 2724)
   Command line: C:\Windows\system32\Cpiqmlfm.exe
122. C:\Windows\SysWOW64\Ccdmnj32.exe (PID 2964)
   Command line: C:\Windows\system32\Ccdmnj32.exe