Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 02:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe
-
Size
96KB
-
MD5
66305ce8aaacc69b3582458763968cd8
-
SHA1
470239456d7b269c99ff9de8b0eb8678282de65f
-
SHA256
b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542
-
SHA512
c1fcf88b03a67f391907401898d0797c745cfeb8f87c8b38059c15d9af7e3e577a425ab10a1b5062178a2b251b391dec572a76779cf6e93f5aa8b6c0e9afab9f
-
SSDEEP
1536:b06VOgjMYqU6rXoIzlD2vcnVm0mz8nNVMx7WEZp0E5FFfUN1Avhw6JCMd:A0OCyUilBmhIVMxN35FFfUrQlMW
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Eaheeecg.exeBmpkqklh.exeFakdcnhh.exeNmkplgnq.exeNbjeinje.exeGjbpne32.exeHeliepmn.exeCgfkmgnj.exeHbkqdepm.exeNgpqfp32.exeFhgifgnb.exeDmojkc32.exeFhdjgoha.exeMcjhmcok.exeCkhdggom.exeFiepea32.exeHohkmj32.exeHokhbj32.exeCjjkpe32.exeMqbbagjo.exeKbpbmkan.exeMbqkiind.exeHcdnhoac.exeOpnbbe32.exePnbojmmp.exeDmgmpnhl.exeHklhae32.exeGolbnm32.exeHidcef32.exeJndjmifj.exeKenoifpb.exeMclebc32.exeBqijljfd.exeOiafee32.exeBnqned32.exeGhdiokbq.exeJfliim32.exeImlhebfc.exeCmkfji32.exeCbgobp32.exeKaajei32.exeOfadnq32.exeDafoikjb.exeJipaip32.exeBammlq32.exeBmbgfkje.exeFhljkm32.exeKdmban32.exeDphfbiem.exeLkicbk32.exeBaefnmml.exeEbqngb32.exeKjokokha.exeLqipkhbj.exePlmbkd32.exeEhpcehcj.exeEjaphpnp.exeFaonom32.exeIfgicg32.exeNfgjml32.exeAdipfd32.exeDjgkii32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaheeecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdcnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkplgnq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjbpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heliepmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpqfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhgifgnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcjhmcok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hokhbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbpbmkan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbqkiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbojmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgmpnhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kenoifpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnqned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdiokbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfliim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imlhebfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaajei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bammlq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmban32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkicbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baefnmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebqngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaphpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifgicg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpbmkan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfgjml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adipfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgkii32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Bcpgdhpp.exeBeackp32.exeBmhkmm32.exeBfqpecma.exeBiolanld.exeBnldjekl.exeBefmfpbi.exeBammlq32.exeBgffhkoj.exeBkbaii32.exeBnqned32.exeBcmfmlen.exeBflbigdb.exeCnckjddd.exeCmfkfa32.exeCpdgbm32.exeCgkocj32.exeCjjkpe32.exeCmhglq32.exeCbepdhgc.exeCfpldf32.exeCmjdaqgi.exeCpiqmlfm.exeCeeieced.exeCmmagpef.exeCblfdg32.exeDifnaqih.exeDjgkii32.exeDaacecfc.exeDdpobo32.exeDoecog32.exeDacpkc32.exeDdblgn32.exeDmjqpdje.exeDafmqb32.exeDgbeiiqe.exeDiaaeepi.exeDahifbpk.exeDpkibo32.exeDkqnoh32.exeDmojkc32.exeEiekpd32.exeEldglp32.exeEgikjh32.exeEihgfd32.exeEhkhaqpk.exeEpbpbnan.exeEcploipa.exeEijdkcgn.exeEhmdgp32.exeEklqcl32.exeEogmcjef.exeEaeipfei.exeEddeladm.exeEknmhk32.exeEknmhk32.exeEnlidg32.exeEaheeecg.exeFhbnbpjc.exeFgdnnl32.exeFkpjnkig.exeFolfoj32.exeFajbke32.exeFpmbfbgo.exepid Process 2972 Bcpgdhpp.exe 2552 Beackp32.exe 2384 Bmhkmm32.exe 2816 Bfqpecma.exe 2984 Biolanld.exe 2828 Bnldjekl.exe 2732 Befmfpbi.exe 1416 Bammlq32.exe 2688 Bgffhkoj.exe 2676 Bkbaii32.exe 2872 Bnqned32.exe 2924 Bcmfmlen.exe 820 Bflbigdb.exe 2496 Cnckjddd.exe 2216 Cmfkfa32.exe 1208 Cpdgbm32.exe 2192 Cgkocj32.exe 776 Cjjkpe32.exe 1968 Cmhglq32.exe 2596 Cbepdhgc.exe 2040 Cfpldf32.exe 2316 Cmjdaqgi.exe 2444 Cpiqmlfm.exe 888 Ceeieced.exe 2524 Cmmagpef.exe 1696 Cblfdg32.exe 576 Difnaqih.exe 2332 Djgkii32.exe 2768 Daacecfc.exe 2812 Ddpobo32.exe 2784 Doecog32.exe 2644 Dacpkc32.exe 3052 Ddblgn32.exe 2932 Dmjqpdje.exe 1064 Dafmqb32.exe 1564 Dgbeiiqe.exe 988 Diaaeepi.exe 2208 Dahifbpk.exe 2284 Dpkibo32.exe 1436 Dkqnoh32.exe 1164 Dmojkc32.exe 2952 Eiekpd32.exe 440 Eldglp32.exe 1768 Egikjh32.exe 1388 Eihgfd32.exe 2440 Ehkhaqpk.exe 608 Epbpbnan.exe 2352 Ecploipa.exe 1600 Eijdkcgn.exe 2084 Ehmdgp32.exe 2968 Eklqcl32.exe 2892 Eogmcjef.exe 2848 Eaeipfei.exe 2692 Eddeladm.exe 2632 Eknmhk32.exe 2740 Eknmhk32.exe 1140 Enlidg32.exe 1304 Eaheeecg.exe 2956 Fhbnbpjc.exe 1732 Fgdnnl32.exe 1952 Fkpjnkig.exe 2420 Folfoj32.exe 1152 Fajbke32.exe 908 Fpmbfbgo.exe -
Loads dropped DLL 64 IoCs
Processes:
b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exeBcpgdhpp.exeBeackp32.exeBmhkmm32.exeBfqpecma.exeBiolanld.exeBnldjekl.exeBefmfpbi.exeBammlq32.exeBgffhkoj.exeBkbaii32.exeBnqned32.exeBcmfmlen.exeBflbigdb.exeCnckjddd.exeCmfkfa32.exeCpdgbm32.exeCgkocj32.exeCjjkpe32.exeCmhglq32.exeCbepdhgc.exeCfpldf32.exeCmjdaqgi.exeCpiqmlfm.exeCeeieced.exeCmmagpef.exeCblfdg32.exeDifnaqih.exeDjgkii32.exeDaacecfc.exeDdpobo32.exeDoecog32.exepid Process 2584 b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe 2584 b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe 2972 Bcpgdhpp.exe 2972 Bcpgdhpp.exe 2552 Beackp32.exe 2552 Beackp32.exe 2384 Bmhkmm32.exe 2384 Bmhkmm32.exe 2816 Bfqpecma.exe 2816 Bfqpecma.exe 2984 Biolanld.exe 2984 Biolanld.exe 2828 Bnldjekl.exe 2828 Bnldjekl.exe 2732 Befmfpbi.exe 2732 Befmfpbi.exe 1416 Bammlq32.exe 1416 Bammlq32.exe 2688 Bgffhkoj.exe 2688 Bgffhkoj.exe 2676 Bkbaii32.exe 2676 Bkbaii32.exe 2872 Bnqned32.exe 2872 Bnqned32.exe 2924 Bcmfmlen.exe 2924 Bcmfmlen.exe 820 Bflbigdb.exe 820 Bflbigdb.exe 2496 Cnckjddd.exe 2496 Cnckjddd.exe 2216 Cmfkfa32.exe 2216 Cmfkfa32.exe 1208 Cpdgbm32.exe 1208 Cpdgbm32.exe 2192 Cgkocj32.exe 2192 Cgkocj32.exe 776 Cjjkpe32.exe 776 Cjjkpe32.exe 1968 Cmhglq32.exe 1968 Cmhglq32.exe 2596 Cbepdhgc.exe 2596 Cbepdhgc.exe 2040 Cfpldf32.exe 2040 Cfpldf32.exe 2316 Cmjdaqgi.exe 2316 Cmjdaqgi.exe 2444 Cpiqmlfm.exe 2444 Cpiqmlfm.exe 888 Ceeieced.exe 888 Ceeieced.exe 2524 Cmmagpef.exe 2524 Cmmagpef.exe 1696 Cblfdg32.exe 1696 Cblfdg32.exe 576 Difnaqih.exe 576 Difnaqih.exe 2332 Djgkii32.exe 2332 Djgkii32.exe 2768 Daacecfc.exe 2768 Daacecfc.exe 2812 Ddpobo32.exe 2812 Ddpobo32.exe 2784 Doecog32.exe 2784 Doecog32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Imbjcpnn.exeIhglhp32.exeCnfqccna.exeCgaaah32.exeDfmeccao.exeOdmckcmq.exeDcghkf32.exeFihfnp32.exeJllqplnp.exeJbfilffm.exeNlnpgd32.exeCileqlmg.exeFepjea32.exeHaqnea32.exeNjeccjcd.exeAacmij32.exeEihgfd32.exeEhlmljkm.exeHofngkga.exeOdkgec32.exeBkbdabog.exeFqfemqod.exeMggabaea.exeOjomdoof.exeEaphjp32.exeOlbogqoe.exePaaddgkj.exeQobdgo32.exeEicpcm32.exeIaimipjl.exeJbnjhh32.exeDoecog32.exeEnlidg32.exeMkqqnq32.exePebpkk32.exeQgmpibam.exeHegpjaac.exeImlhebfc.exeJhoklnkg.exeDhpgfeao.exeJfcabd32.exeKenhopmf.exeEddeladm.exeKnmdeioh.exePmmneg32.exeNhlgmd32.exeKfibhjlj.exeBgghac32.exeCfehhn32.exeFhbpkh32.exeKmfpmc32.exeIchmgl32.exeKoaqcn32.exeKjokokha.exeMobfgdcl.exeQnghel32.exeFiepea32.exeGkmbmh32.exeGnbejb32.exeMloiec32.exeCfanmogq.exePhnpagdp.exeQkfocaki.exeLljpjchg.exedescription ioc Process File created C:\Windows\SysWOW64\Iamfdo32.exe Imbjcpnn.exe File created C:\Windows\SysWOW64\Cihifg32.dll Ihglhp32.exe File created C:\Windows\SysWOW64\Ednoihel.dll Cnfqccna.exe File opened for modification C:\Windows\SysWOW64\Cjonncab.exe Cgaaah32.exe File opened for modification C:\Windows\SysWOW64\Dmgmpnhl.exe Dfmeccao.exe File created C:\Windows\SysWOW64\Ohipla32.exe Odmckcmq.exe File created C:\Windows\SysWOW64\Dhbdleol.exe Dcghkf32.exe File created C:\Windows\SysWOW64\Odifibfn.dll Fihfnp32.exe File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Jllqplnp.exe File created C:\Windows\SysWOW64\Iddpheep.dll Jbfilffm.exe File created C:\Windows\SysWOW64\Nnmlcp32.exe Nlnpgd32.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cileqlmg.exe File opened for modification C:\Windows\SysWOW64\Gdcjpncm.exe Fepjea32.exe File created C:\Windows\SysWOW64\Heliepmn.exe Haqnea32.exe File created C:\Windows\SysWOW64\Nmcopebh.exe Njeccjcd.exe File created C:\Windows\SysWOW64\Adaiee32.exe Aacmij32.exe File created C:\Windows\SysWOW64\Gfebgn32.dll Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Egonhf32.exe Ehlmljkm.exe File created C:\Windows\SysWOW64\Ilmbdp32.dll Hofngkga.exe File opened for modification C:\Windows\SysWOW64\Ohfcfb32.exe Odkgec32.exe File created C:\Windows\SysWOW64\Lclknm32.dll Bkbdabog.exe File created C:\Windows\SysWOW64\Gfcnegnk.exe Fqfemqod.exe File opened for modification C:\Windows\SysWOW64\Mfjann32.exe Mggabaea.exe File created C:\Windows\SysWOW64\Nmlkfoig.dll Ojomdoof.exe File created C:\Windows\SysWOW64\Bpoggldm.dll Eaphjp32.exe File opened for modification C:\Windows\SysWOW64\Onqkclni.exe Olbogqoe.exe File created C:\Windows\SysWOW64\Cdlfik32.dll Paaddgkj.exe File opened for modification C:\Windows\SysWOW64\Qaapcj32.exe Qobdgo32.exe File opened for modification C:\Windows\SysWOW64\Epnhpglg.exe Eicpcm32.exe File created C:\Windows\SysWOW64\Iipejmko.exe Iaimipjl.exe File created C:\Windows\SysWOW64\Ccmlejba.dll Jbnjhh32.exe File opened for modification C:\Windows\SysWOW64\Dacpkc32.exe Doecog32.exe File opened for modification C:\Windows\SysWOW64\Eaheeecg.exe Enlidg32.exe File created C:\Windows\SysWOW64\Mnomjl32.exe Mkqqnq32.exe File created C:\Windows\SysWOW64\Phqmgg32.exe Pebpkk32.exe File opened for modification C:\Windows\SysWOW64\Qnghel32.exe Qgmpibam.exe File opened for modification C:\Windows\SysWOW64\Hiclkp32.exe Hegpjaac.exe File opened for modification C:\Windows\SysWOW64\Blkman32.dll Imlhebfc.exe File opened for modification C:\Windows\SysWOW64\Jjnhhjjk.exe Jhoklnkg.exe File opened for modification C:\Windows\SysWOW64\Dfcgbb32.exe Dhpgfeao.exe File created C:\Windows\SysWOW64\Jefbnacn.exe Jfcabd32.exe File opened for modification C:\Windows\SysWOW64\Khldkllj.exe Kenhopmf.exe File created C:\Windows\SysWOW64\Eknmhk32.exe Eddeladm.exe File created C:\Windows\SysWOW64\Kpkpadnl.exe Knmdeioh.exe File opened for modification C:\Windows\SysWOW64\Plpopddd.exe Pmmneg32.exe File created C:\Windows\SysWOW64\Nfoghakb.exe Nhlgmd32.exe File created C:\Windows\SysWOW64\Hnjblg32.dll Kfibhjlj.exe File created C:\Windows\SysWOW64\Bkbdabog.exe Bgghac32.exe File created C:\Windows\SysWOW64\Pofhpf32.dll Cfehhn32.exe File opened for modification C:\Windows\SysWOW64\Flnlkgjq.exe Fhbpkh32.exe File created C:\Windows\SysWOW64\Kjpndcho.dll Kmfpmc32.exe File created C:\Windows\SysWOW64\Gahjmjal.dll Ichmgl32.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Dcqlnqml.dll Kjokokha.exe File opened for modification C:\Windows\SysWOW64\Mgjnhaco.exe Mobfgdcl.exe File created C:\Windows\SysWOW64\Dicdjqhf.dll Qnghel32.exe File created C:\Windows\SysWOW64\Fhaflo32.dll Fiepea32.exe File created C:\Windows\SysWOW64\Padqpaec.dll Gkmbmh32.exe File created C:\Windows\SysWOW64\Imienpig.dll Gnbejb32.exe File created C:\Windows\SysWOW64\Mqjefamk.exe Mloiec32.exe File created C:\Windows\SysWOW64\Cjljnn32.exe Cfanmogq.exe File created C:\Windows\SysWOW64\Iidobe32.dll Phnpagdp.exe File created C:\Windows\SysWOW64\Cmfaflol.dll Qkfocaki.exe File created C:\Windows\SysWOW64\Ocaadj32.dll Lljpjchg.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 9380 9436 1064 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kaajei32.exeLfhhjklc.exeEhnfpifm.exeFppaej32.exeIeajkfmd.exeKnfndjdp.exeMikjpiim.exeAfffenbp.exeInhdgdmk.exeEaeipfei.exeOfcqcp32.exeJbbccgmp.exeOnlahm32.exeOlpbaa32.exeJjkkbjln.exeEmaijk32.exeEogolc32.exeBcpgdhpp.exeGoplilpf.exePkjphcff.exeDmkcil32.exeEgikjh32.exeJhbold32.exeGdkjdl32.exeHgeelf32.exeHmoofdea.exeNbmaon32.exePkmlmbcd.exeAkcomepg.exeHdpcokdo.exeIebldo32.exeBfqpecma.exeKdpfadlm.exeCileqlmg.exeFmaeho32.exeHmbndmkb.exeFhomkcoa.exeIhglhp32.exeDfmeccao.exeFhgppnan.exeKkdnhi32.exeNfigck32.exeIoohokoo.exeIjkocg32.exeNjnmbk32.exeNmcopebh.exeBkknac32.exeGkgoff32.exeBieopm32.exeOflpgnld.exeNhlgmd32.exeOpqoge32.exeEklqcl32.exeOpglafab.exeJefbnacn.exeEogmcjef.exeHmkeke32.exeImokehhl.exeNncbdomg.exePhqmgg32.exeOmckoi32.exePacajg32.exePplaki32.exeDbaice32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnfpifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaeipfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkkbjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpgdhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goplilpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egikjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhbold32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmlmbcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcomepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpfadlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmeccao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgppnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfigck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkocg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njnmbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkknac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklqcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogmcjef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imokehhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaice32.exe -
Modifies registry class 64 IoCs
Processes:
Bkegah32.exeMhcmedli.exePmehdh32.exeFqfemqod.exeGbadjg32.exeIoohokoo.exeKgclio32.exeDncibp32.exeKpgffe32.exeBceibfgj.exeGjbpne32.exeAphjjf32.exeMimpkcdn.exeEblelb32.exeImggplgm.exeIgebkiof.exeLfmbek32.exeOmioekbo.exeBkhhhd32.exeLncfcgeb.exeOeaqig32.exeJfofol32.exeAqbdkk32.exeFigmjq32.exeMdmkoepk.exeJlhkgm32.exeJjkkbjln.exeLdahkaij.exeMjcjog32.exeHblgnkdh.exeLpnmgdli.exeNmkplgnq.exeOnlahm32.exeFodebh32.exeFofbhgde.exeAdaiee32.exeBnochnpm.exeGblkoham.exeKnhjjj32.exeDjfdob32.exeEjcmmp32.exeGgkibhjf.exeHohkmj32.exeCehhdkjf.exeGlbaei32.exeLcjlnpmo.exeAchjibcl.exeDomccejd.exeGmeeepjp.exeHbidne32.exeColpld32.exeHnjbeh32.exeIpeaco32.exeOlbfagca.exePplaki32.exeIahceq32.exeIfgicg32.exeNbpghl32.exeJfjolf32.exeLgqkbb32.exeQnghel32.exeDanpemej.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhcmedli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhln32.dll" Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hedbmpnc.dll" Fqfemqod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbadjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnjlmid.dll" Dncibp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjbpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihgmjad.dll" Aphjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" Eblelb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imggplgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefdckem.dll" Lfmbek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjikp32.dll" Lncfcgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oeaqig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll" Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Figmjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdmkoepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlhkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjkkbjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldahkaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkijcgjo.dll" Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhkdkaa.dll" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dociji32.dll" Onlahm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fodebh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fofbhgde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faffik32.dll" Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gblkoham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knhjjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnppof32.dll" Djfdob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejcmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnmjop32.dll" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblmdj32.dll" Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepoia32.dll" Lcjlnpmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfpkcm32.dll" Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apidjmhc.dll" Gmeeepjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pplaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iahceq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifgicg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" Jfjolf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qnghel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Danpemej.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exeBcpgdhpp.exeBeackp32.exeBmhkmm32.exeBfqpecma.exeBiolanld.exeBnldjekl.exeBefmfpbi.exeBammlq32.exeBgffhkoj.exeBkbaii32.exeBnqned32.exeBcmfmlen.exeBflbigdb.exeCnckjddd.exeCmfkfa32.exedescription pid Process procid_target PID 2584 wrote to memory of 2972 2584 b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe 30 PID 2584 wrote to memory of 2972 2584 b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe 30 PID 2584 wrote to memory of 2972 2584 b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe 30 PID 2584 wrote to memory of 2972 2584 b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe 30 PID 2972 wrote to memory of 2552 2972 Bcpgdhpp.exe 31 PID 2972 wrote to memory of 2552 2972 Bcpgdhpp.exe 31 PID 2972 wrote to memory of 2552 2972 Bcpgdhpp.exe 31 PID 2972 wrote to memory of 2552 2972 Bcpgdhpp.exe 31 PID 2552 wrote to memory of 2384 2552 Beackp32.exe 32 PID 2552 wrote to memory of 2384 2552 Beackp32.exe 32 PID 2552 wrote to memory of 2384 2552 Beackp32.exe 32 PID 2552 wrote to memory of 2384 2552 Beackp32.exe 32 PID 2384 wrote to memory of 2816 2384 Bmhkmm32.exe 33 PID 2384 wrote to memory of 2816 2384 Bmhkmm32.exe 33 PID 2384 wrote to memory of 2816 2384 Bmhkmm32.exe 33 PID 2384 wrote to memory of 2816 2384 Bmhkmm32.exe 33 PID 2816 wrote to memory of 2984 2816 Bfqpecma.exe 34 PID 2816 wrote to memory of 2984 2816 Bfqpecma.exe 34 PID 2816 wrote to memory of 2984 2816 Bfqpecma.exe 34 PID 2816 wrote to memory of 2984 2816 Bfqpecma.exe 34 PID 2984 wrote to memory of 2828 2984 Biolanld.exe 35 PID 2984 wrote to memory of 2828 2984 Biolanld.exe 35 PID 2984 wrote to memory of 2828 2984 Biolanld.exe 35 PID 2984 wrote to memory of 2828 2984 Biolanld.exe 35 PID 2828 wrote to memory of 2732 2828 Bnldjekl.exe 36 PID 2828 wrote to memory of 2732 2828 Bnldjekl.exe 36 PID 2828 wrote to memory of 2732 2828 Bnldjekl.exe 36 PID 2828 wrote to memory of 2732 2828 Bnldjekl.exe 36 PID 2732 wrote to memory of 1416 2732 Befmfpbi.exe 37 PID 2732 wrote to memory of 1416 2732 Befmfpbi.exe 37 PID 2732 wrote to memory of 1416 2732 Befmfpbi.exe 37 PID 2732 wrote to memory of 1416 2732 Befmfpbi.exe 37 PID 1416 wrote to memory of 2688 1416 Bammlq32.exe 38 PID 1416 wrote to memory of 2688 1416 Bammlq32.exe 38 PID 1416 wrote to memory of 2688 1416 Bammlq32.exe 38 PID 1416 wrote to memory of 2688 1416 Bammlq32.exe 38 PID 2688 wrote to memory of 2676 2688 Bgffhkoj.exe 39 PID 2688 wrote to memory of 2676 2688 Bgffhkoj.exe 39 PID 2688 wrote to memory of 2676 2688 Bgffhkoj.exe 39 PID 2688 wrote to memory of 2676 2688 Bgffhkoj.exe 39 PID 2676 wrote to memory of 2872 2676 Bkbaii32.exe 40 PID 2676 wrote to memory of 2872 2676 Bkbaii32.exe 40 PID 2676 wrote to memory of 2872 2676 Bkbaii32.exe 40 PID 2676 wrote to memory of 2872 2676 Bkbaii32.exe 40 PID 2872 wrote to memory of 2924 2872 Bnqned32.exe 41 PID 2872 wrote to memory of 2924 2872 Bnqned32.exe 41 PID 2872 wrote to memory of 2924 2872 Bnqned32.exe 41 PID 2872 wrote to memory of 2924 2872 Bnqned32.exe 41 PID 2924 wrote to memory of 820 2924 Bcmfmlen.exe 42 PID 2924 wrote to memory of 820 2924 Bcmfmlen.exe 42 PID 2924 wrote to memory of 820 2924 Bcmfmlen.exe 42 PID 2924 wrote to memory of 820 2924 Bcmfmlen.exe 42 PID 820 wrote to memory of 2496 820 Bflbigdb.exe 43 PID 820 wrote to memory of 2496 820 Bflbigdb.exe 43 PID 820 wrote to memory of 2496 820 Bflbigdb.exe 43 PID 820 wrote to memory of 2496 820 Bflbigdb.exe 43 PID 2496 wrote to memory of 2216 2496 Cnckjddd.exe 44 PID 2496 wrote to memory of 2216 2496 Cnckjddd.exe 44 PID 2496 wrote to memory of 2216 2496 Cnckjddd.exe 44 PID 2496 wrote to memory of 2216 2496 Cnckjddd.exe 44 PID 2216 wrote to memory of 1208 2216 Cmfkfa32.exe 45 PID 2216 wrote to memory of 1208 2216 Cmfkfa32.exe 45 PID 2216 wrote to memory of 1208 2216 Cmfkfa32.exe 45 PID 2216 wrote to memory of 1208 2216 Cmfkfa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe"C:\Users\Admin\AppData\Local\Temp\b9ead5d8fdf57a0a5bb6e173adc480c7ce8e3b4e26cf26e7083f06287b07d542.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe33⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe34⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe35⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe36⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe37⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe38⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe39⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe40⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe41⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe43⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe44⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe47⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe48⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe49⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe50⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe51⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe57⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe60⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe61⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe62⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe63⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe64⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe65⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe67⤵PID:852
-
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe68⤵PID:2256
-
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe69⤵PID:1588
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe70⤵PID:1532
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe71⤵PID:1676
-
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe72⤵PID:2708
-
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe73⤵PID:1900
-
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe74⤵PID:1332
-
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe75⤵PID:2364
-
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe76⤵PID:2044
-
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe77⤵PID:1896
-
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe78⤵PID:2020
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe79⤵PID:1180
-
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe80⤵PID:2176
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe81⤵
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe83⤵PID:2448
-
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe84⤵PID:568
-
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe85⤵PID:1704
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe87⤵PID:1280
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe88⤵PID:2128
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe89⤵PID:2624
-
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe90⤵PID:2220
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe91⤵PID:1880
-
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe92⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe93⤵PID:2152
-
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe94⤵PID:2452
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe95⤵
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe96⤵PID:1828
-
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe97⤵PID:1684
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe98⤵PID:1504
-
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe99⤵PID:1692
-
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe100⤵PID:2408
-
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe101⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe102⤵PID:3060
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe103⤵PID:3068
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe104⤵PID:1568
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe105⤵PID:1752
-
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1888 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe108⤵PID:628
-
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe109⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe110⤵PID:324
-
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe111⤵PID:1592
-
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe113⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe114⤵PID:2888
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe115⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe116⤵PID:1616
-
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe117⤵PID:1320
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe118⤵PID:2960
-
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe119⤵PID:2276
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe120⤵PID:1788
-
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe121⤵PID:2568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-