Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 03:10
Behavioral task
behavioral1
Sample
2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe
-
Size
256KB
-
MD5
63fd057e320567a51be67e3cc8ee7120
-
SHA1
f54a93c21330b5430b4275face52def6f947bd5c
-
SHA256
2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489
-
SHA512
d4193ef23de8e535580284ee79fe6de957940b9f9180b2ca3af1982b922ae61eed699f23def8c56578bb899ae8cc2572458ccce3ae99a215fa8b025b6b693e4e
-
SSDEEP
3072:tEX2eMcop1X/jWsSBFdXZQ1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+j:tuGcozP+TdXe1PY1PRe19V+j
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kcdjoaee.exeAobnniji.exeFqfemqod.exeHebnlb32.exeMggabaea.exeObhdcanc.exeHelgmg32.exeEdqocbkp.exeAmaelomh.exeBffpki32.exeEldglp32.exeIabhah32.exeDcccpl32.exeFoafdoag.exeKlngkfge.exeMklcadfn.exeOococb32.exeAjmijmnn.exeCffljlpc.exeKoddccaa.exeBejfao32.exeEknmhk32.exeMpebmc32.exeNbjeinje.exeAnolkh32.exeFgcejm32.exeHeealhla.exeKkoncdcp.exeAciqcifh.exeKhielcfh.exeOlbfagca.exeCakqgeoi.exePqphnp32.exeEogmcjef.exeInjndk32.exeIakgefqe.exePnbojmmp.exeAbmgjo32.exeNblpfepo.exeFilgbdfd.exeCmjdaqgi.exeElajgpmj.exeGdkgkcpq.exeOjomdoof.exeDedlag32.exeHihlqeib.exeJkhldafl.exeBmcnqama.exeFjegog32.exeJialfgcc.exeLnjcomcf.exeBoogmgkl.exeGghkdp32.exeDldkmlhl.exeDgeaoinb.exeHboddk32.exeLclicpkm.exeLjfapjbi.exeOmklkkpl.exeChqoipkk.exePmmeon32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdjoaee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobnniji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqfemqod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebnlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Helgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edqocbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaelomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcccpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foafdoag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mklcadfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmijmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffljlpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bejfao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbjeinje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anolkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgcejm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heealhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkoncdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aciqcifh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khielcfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cakqgeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqphnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogmcjef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnbojmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nblpfepo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filgbdfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elajgpmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojomdoof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedlag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmjdaqgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhldafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmcnqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialfgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cffljlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hboddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omklkkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqoipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmmeon32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mhgoji32.exeMmdgbp32.exeMapccndn.exeMmhamoho.exeNmkncofl.exeNfcbldmm.exeNplfdj32.exeNehomq32.exeNblpfepo.exeNhiholof.exeNdpicm32.exeNmhmlbkk.exeOklnff32.exeOdebolpe.exeOidglb32.exeOpnpimdf.exeOoclji32.exeOlgmcmgh.exePhnnho32.exePkljdj32.exePgckjk32.exePojbkh32.exePjcckf32.exePqnlhpfb.exePclhdl32.exePqphnp32.exeQgjqjjll.exeQoeeolig.exeQfonkfqd.exeQqdbiopj.exeAjmfad32.exeAbhkfg32.exeAkqpom32.exeAnolkh32.exeAeidgbaf.exeAnahqh32.exeAkeijlfq.exeAncefgfd.exeAababceh.exeBnfblgca.exeBepjha32.exeBfagpiam.exeBnhoag32.exeBfccei32.exeBffpki32.exeBmphhc32.exeBpnddn32.exeBbmapj32.exeBpqain32.exeBbonei32.exeBfkifhib.exeChlfnp32.exeCpcnonob.exeCbajkiof.exeCikbhc32.exeCljodo32.exeCohkpj32.exeCebcmdlg.exeChqoipkk.exeCojhejbh.exeCaidaeak.exeCdgpnqpo.exeCffljlpc.exeComdkipe.exepid Process 2508 Mhgoji32.exe 2052 Mmdgbp32.exe 3060 Mapccndn.exe 2732 Mmhamoho.exe 2892 Nmkncofl.exe 2712 Nfcbldmm.exe 2608 Nplfdj32.exe 2316 Nehomq32.exe 1692 Nblpfepo.exe 1940 Nhiholof.exe 2400 Ndpicm32.exe 1900 Nmhmlbkk.exe 1188 Oklnff32.exe 536 Odebolpe.exe 584 Oidglb32.exe 1012 Opnpimdf.exe 1280 Ooclji32.exe 2212 Olgmcmgh.exe 2272 Phnnho32.exe 680 Pkljdj32.exe 2236 Pgckjk32.exe 2800 Pojbkh32.exe 1860 Pjcckf32.exe 2412 Pqnlhpfb.exe 2660 Pclhdl32.exe 2996 Pqphnp32.exe 3008 Qgjqjjll.exe 2704 Qoeeolig.exe 2836 Qfonkfqd.exe 2692 Qqdbiopj.exe 2624 Ajmfad32.exe 2592 Abhkfg32.exe 3012 Akqpom32.exe 848 Anolkh32.exe 2024 Aeidgbaf.exe 1880 Anahqh32.exe 1892 Akeijlfq.exe 1884 Ancefgfd.exe 2876 Aababceh.exe 2388 Bnfblgca.exe 2124 Bepjha32.exe 2916 Bfagpiam.exe 1540 Bnhoag32.exe 1876 Bfccei32.exe 1552 Bffpki32.exe 1896 Bmphhc32.exe 2424 Bpnddn32.exe 2336 Bbmapj32.exe 3064 Bpqain32.exe 896 Bbonei32.exe 1484 Bfkifhib.exe 1488 Chlfnp32.exe 2780 Cpcnonob.exe 2808 Cbajkiof.exe 2832 Cikbhc32.exe 2696 Cljodo32.exe 2112 Cohkpj32.exe 1840 Cebcmdlg.exe 1928 Chqoipkk.exe 2504 Cojhejbh.exe 632 Caidaeak.exe 2920 Cdgpnqpo.exe 1672 Cffljlpc.exe 1208 Comdkipe.exe -
Loads dropped DLL 64 IoCs
Processes:
2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exeMhgoji32.exeMmdgbp32.exeMapccndn.exeMmhamoho.exeNmkncofl.exeNfcbldmm.exeNplfdj32.exeNehomq32.exeNblpfepo.exeNhiholof.exeNdpicm32.exeNmhmlbkk.exeOklnff32.exeOdebolpe.exeOidglb32.exeOpnpimdf.exeOoclji32.exeOlgmcmgh.exePhnnho32.exePkljdj32.exePgckjk32.exePojbkh32.exePjcckf32.exePqnlhpfb.exePclhdl32.exePqphnp32.exeQgjqjjll.exeQoeeolig.exeQfonkfqd.exeQqdbiopj.exeAjmfad32.exepid Process 2496 2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe 2496 2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe 2508 Mhgoji32.exe 2508 Mhgoji32.exe 2052 Mmdgbp32.exe 2052 Mmdgbp32.exe 3060 Mapccndn.exe 3060 Mapccndn.exe 2732 Mmhamoho.exe 2732 Mmhamoho.exe 2892 Nmkncofl.exe 2892 Nmkncofl.exe 2712 Nfcbldmm.exe 2712 Nfcbldmm.exe 2608 Nplfdj32.exe 2608 Nplfdj32.exe 2316 Nehomq32.exe 2316 Nehomq32.exe 1692 Nblpfepo.exe 1692 Nblpfepo.exe 1940 Nhiholof.exe 1940 Nhiholof.exe 2400 Ndpicm32.exe 2400 Ndpicm32.exe 1900 Nmhmlbkk.exe 1900 Nmhmlbkk.exe 1188 Oklnff32.exe 1188 Oklnff32.exe 536 Odebolpe.exe 536 Odebolpe.exe 584 Oidglb32.exe 584 Oidglb32.exe 1012 Opnpimdf.exe 1012 Opnpimdf.exe 1280 Ooclji32.exe 1280 Ooclji32.exe 2212 Olgmcmgh.exe 2212 Olgmcmgh.exe 2272 Phnnho32.exe 2272 Phnnho32.exe 680 Pkljdj32.exe 680 Pkljdj32.exe 2236 Pgckjk32.exe 2236 Pgckjk32.exe 2800 Pojbkh32.exe 2800 Pojbkh32.exe 1860 Pjcckf32.exe 1860 Pjcckf32.exe 2412 Pqnlhpfb.exe 2412 Pqnlhpfb.exe 2660 Pclhdl32.exe 2660 Pclhdl32.exe 2996 Pqphnp32.exe 2996 Pqphnp32.exe 3008 Qgjqjjll.exe 3008 Qgjqjjll.exe 2704 Qoeeolig.exe 2704 Qoeeolig.exe 2836 Qfonkfqd.exe 2836 Qfonkfqd.exe 2692 Qqdbiopj.exe 2692 Qqdbiopj.exe 2624 Ajmfad32.exe 2624 Ajmfad32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Dejbqb32.exeOmioekbo.exeKhoebi32.exeMmadbjkk.exeMihdgkpp.exeBqeqqk32.exeBmbgfkje.exeEapfagno.exeChfbgn32.exeCaidaeak.exeHeealhla.exeHpkompgg.exeKjokokha.exeBmpkqklh.exeIjmipn32.exeJhoice32.exeKghpoa32.exeNjhfcp32.exeHnbopmnm.exeKjihalag.exePmgbao32.exePecgea32.exeBbeded32.exeHboddk32.exeOfhjopbg.exeAkqpom32.exeIoakoq32.exeMnbpjb32.exeNbbbdcgi.exeMqnifg32.exeBqijljfd.exeCebcmdlg.exeFlqmbd32.exeMlkjne32.exeNallalep.exePljcllqe.exeIhmpobck.exeDklddhka.exeLcofio32.exeHpbdmo32.exeJampjian.exeQppkfhlc.exeDhplhc32.exeLgmeid32.exeCillkbac.exePohhna32.exeFjegog32.exeJimbkh32.exeKncaojfb.exeAgolnbok.exeBmphhc32.exeCojhejbh.exeKpcqnf32.exeNmejllia.exeDaofpchf.exeGbohehoj.exeNdpicm32.exeCmbalfem.exeDmdnbecj.exePejmfqan.exeGiipab32.exedescription ioc Process File created C:\Windows\SysWOW64\Ioloda32.dll Dejbqb32.exe File created C:\Windows\SysWOW64\Ohncbdbd.exe Omioekbo.exe File created C:\Windows\SysWOW64\Gemncekq.dll Khoebi32.exe File created C:\Windows\SysWOW64\Iiegdegb.dll Mmadbjkk.exe File created C:\Windows\SysWOW64\Mpamde32.exe Mihdgkpp.exe File created C:\Windows\SysWOW64\Bdqlajbb.exe Bqeqqk32.exe File created C:\Windows\SysWOW64\Coacbfii.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Ehjona32.exe Eapfagno.exe File created C:\Windows\SysWOW64\Cpmjhk32.exe Chfbgn32.exe File created C:\Windows\SysWOW64\Khmggg32.dll Caidaeak.exe File created C:\Windows\SysWOW64\Infaph32.dll Heealhla.exe File created C:\Windows\SysWOW64\Hgbfnngi.exe Hpkompgg.exe File created C:\Windows\SysWOW64\Jpbbmeon.dll Kjokokha.exe File created C:\Windows\SysWOW64\Ibcihh32.dll Bmpkqklh.exe File created C:\Windows\SysWOW64\Ilofhffj.exe Ijmipn32.exe File created C:\Windows\SysWOW64\Joiappkp.exe Jhoice32.exe File opened for modification C:\Windows\SysWOW64\Kjglkm32.exe Kghpoa32.exe File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Njhfcp32.exe File created C:\Windows\SysWOW64\Fdfeim32.dll Eapfagno.exe File created C:\Windows\SysWOW64\Hmeolj32.exe Hnbopmnm.exe File created C:\Windows\SysWOW64\Kpcqnf32.exe Kjihalag.exe File opened for modification C:\Windows\SysWOW64\Pljcllqe.exe Pmgbao32.exe File opened for modification C:\Windows\SysWOW64\Plmpblnb.exe Pecgea32.exe File opened for modification C:\Windows\SysWOW64\Bfqpecma.exe Bbeded32.exe File opened for modification C:\Windows\SysWOW64\Hihlqeib.exe Hboddk32.exe File opened for modification C:\Windows\SysWOW64\Oekjjl32.exe Ofhjopbg.exe File opened for modification C:\Windows\SysWOW64\Anolkh32.exe Akqpom32.exe File opened for modification C:\Windows\SysWOW64\Ielclkhe.exe Ioakoq32.exe File created C:\Windows\SysWOW64\Dhfjmfen.dll Mnbpjb32.exe File created C:\Windows\SysWOW64\Jinafidh.dll Nbbbdcgi.exe File opened for modification C:\Windows\SysWOW64\Mclebc32.exe Mqnifg32.exe File opened for modification C:\Windows\SysWOW64\Bchfhfeh.exe Bqijljfd.exe File created C:\Windows\SysWOW64\Chqoipkk.exe Cebcmdlg.exe File created C:\Windows\SysWOW64\Fbmfkkbm.exe Flqmbd32.exe File opened for modification C:\Windows\SysWOW64\Mjnjjbbh.exe Mlkjne32.exe File created C:\Windows\SysWOW64\Nbniid32.exe Nallalep.exe File created C:\Windows\SysWOW64\Pcdkif32.exe Pljcllqe.exe File created C:\Windows\SysWOW64\Jjplgd32.dll Ihmpobck.exe File created C:\Windows\SysWOW64\Dmjqpdje.exe Dklddhka.exe File created C:\Windows\SysWOW64\Ldpbpgoh.exe Lcofio32.exe File opened for modification C:\Windows\SysWOW64\Hbaaik32.exe Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jampjian.exe File created C:\Windows\SysWOW64\Qcogbdkg.exe Qppkfhlc.exe File created C:\Windows\SysWOW64\Gckainog.dll Dhplhc32.exe File opened for modification C:\Windows\SysWOW64\Ljkaeo32.exe Lgmeid32.exe File opened for modification C:\Windows\SysWOW64\Cacclpae.exe Cillkbac.exe File opened for modification C:\Windows\SysWOW64\Dldkmlhl.exe Dejbqb32.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Pohhna32.exe File created C:\Windows\SysWOW64\Fpoolael.exe Fjegog32.exe File opened for modification C:\Windows\SysWOW64\Jmhnkfpa.exe Jimbkh32.exe File created C:\Windows\SysWOW64\Mbellj32.dll Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Ajmijmnn.exe Agolnbok.exe File opened for modification C:\Windows\SysWOW64\Bpnddn32.exe Bmphhc32.exe File created C:\Windows\SysWOW64\Caidaeak.exe Cojhejbh.exe File created C:\Windows\SysWOW64\Agngji32.dll Kpcqnf32.exe File created C:\Windows\SysWOW64\Mpopnejo.exe Mmadbjkk.exe File created C:\Windows\SysWOW64\Pfpemp32.dll Nmejllia.exe File created C:\Windows\SysWOW64\Knjmll32.dll Daofpchf.exe File created C:\Windows\SysWOW64\Apoldh32.dll Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Nmhmlbkk.exe Ndpicm32.exe File opened for modification C:\Windows\SysWOW64\Dpqnhadq.exe Cmbalfem.exe File opened for modification C:\Windows\SysWOW64\Dpcjnabn.exe Dmdnbecj.exe File created C:\Windows\SysWOW64\Pldebkhj.exe Pejmfqan.exe File created C:\Windows\SysWOW64\Ggkqmoma.exe Giipab32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6316 7160 WerFault.exe 696 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kpcqnf32.exeKpdjaecc.exeAeidgbaf.exeEpecbd32.exeFhdjgoha.exeFlqmbd32.exeKfebambf.exePojbkh32.exeAkqpom32.exeNipdkieg.exeObhdcanc.exePhcilf32.exeBbmapj32.exeEapfagno.exeHllmcc32.exeMpamde32.exePoklngnf.exeEldglp32.exeIbejdjln.exeKkjnnn32.exeDakmfh32.exeGiiglhjb.exeAdnpkjde.exeOmefkplm.exeFmkilb32.exeHfcjdkpg.exeOlbfagca.exeEheecbia.exeIfdjeoep.exePqnlhpfb.exeCojhejbh.exeGfmgelil.exeCbgmigeq.exeEknmhk32.exeGceailog.exeNmkncofl.exeNblpfepo.exeAlihaioe.exeLhpglecl.exePgcmbcih.exeHnpbjnpo.exeMmadbjkk.exeDdblgn32.exeDnpciaef.exeOlgmcmgh.exeBfccei32.exeLboiol32.exeBfagpiam.exeFgcejm32.exeAciqcifh.exeDhkkbmnp.exeHebnlb32.exeIhpfgalh.exeIjqoilii.exeJojkco32.exeIlabmedg.exeKjihalag.exeCcjoli32.exeNfdddm32.exeNgealejo.exeCillkbac.exeMqnifg32.exeMnaiol32.exeAlqnah32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdjaecc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeidgbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epecbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdjgoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfebambf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akqpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmapj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eapfagno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poklngnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giiglhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omefkplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheecbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdjeoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqnlhpfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojhejbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmgelil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgmigeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkncofl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nblpfepo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpbjnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddblgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgmcmgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfccei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfagpiam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcejm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aciqcifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkkbmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilabmedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjihalag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cillkbac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe -
Modifies registry class 64 IoCs
Processes:
Hgbfnngi.exeIjclol32.exeOjomdoof.exeAncefgfd.exeHphidanj.exePgnjde32.exeAbegfa32.exeGiiglhjb.exeJoiappkp.exeNmejllia.exeAaimopli.exeOpnpimdf.exeMihdgkpp.exeOoclji32.exeFmkilb32.exeGnaooi32.exeMqbbagjo.exeFhgnge32.exeAjgbkbjp.exeAmfognic.exeHihlqeib.exeLcfbdd32.exeAjeeeblb.exeBniajoic.exeBmphhc32.exeEdqocbkp.exeAmaelomh.exeGceailog.exeGgnmbn32.exeJpbalb32.exeAndgop32.exeAkqpom32.exeDedlag32.exeIelclkhe.exeKjihalag.exePgckjk32.exeNdmecgba.exeIjqoilii.exeGbadjg32.exeOekjjl32.exeEapfagno.exeGfmgelil.exeAckmih32.exeCcbphk32.exeDpegcq32.exeHhhgcc32.exeLjnnko32.exeNncbdomg.exeNapbjjom.exePaiaplin.exeAgolnbok.exeHllmcc32.exeIegjqk32.exeLhpglecl.exeCpkmcldj.exeDdblgn32.exeFkpjnkig.exeMapccndn.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidgma32.dll" Hgbfnngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijclol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhbjgmd.dll" Ancefgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hphidanj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giiglhjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpemp32.dll" Nmejllia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opnpimdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mihdgkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckeolc32.dll" Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmkilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfnae32.dll" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhgnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncehag32.dll" Ajgbkbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amfognic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poeofkoh.dll" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmphhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amaelomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gceailog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjckino.dll" Jpbalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Andgop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akqpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfaqoma.dll" Ielclkhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjihalag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgckjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaimopli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coglpp32.dll" Gbadjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oekjjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eapfagno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfmgelil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeinj32.dll" Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdlhfqf.dll" Dpegcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhhgcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idejihgk.dll" Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijclol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" Agolnbok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hllmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hllmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ailhedbj.dll" Iegjqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abigipko.dll" Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfalipj.dll" Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodahqi.dll" Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mapccndn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exeMhgoji32.exeMmdgbp32.exeMapccndn.exeMmhamoho.exeNmkncofl.exeNfcbldmm.exeNplfdj32.exeNehomq32.exeNblpfepo.exeNhiholof.exeNdpicm32.exeNmhmlbkk.exeOklnff32.exeOdebolpe.exeOidglb32.exedescription pid Process procid_target PID 2496 wrote to memory of 2508 2496 2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe 30 PID 2496 wrote to memory of 2508 2496 2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe 30 PID 2496 wrote to memory of 2508 2496 2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe 30 PID 2496 wrote to memory of 2508 2496 2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe 30 PID 2508 wrote to memory of 2052 2508 Mhgoji32.exe 31 PID 2508 wrote to memory of 2052 2508 Mhgoji32.exe 31 PID 2508 wrote to memory of 2052 2508 Mhgoji32.exe 31 PID 2508 wrote to memory of 2052 2508 Mhgoji32.exe 31 PID 2052 wrote to memory of 3060 2052 Mmdgbp32.exe 32 PID 2052 wrote to memory of 3060 2052 Mmdgbp32.exe 32 PID 2052 wrote to memory of 3060 2052 Mmdgbp32.exe 32 PID 2052 wrote to memory of 3060 2052 Mmdgbp32.exe 32 PID 3060 wrote to memory of 2732 3060 Mapccndn.exe 33 PID 3060 wrote to memory of 2732 3060 Mapccndn.exe 33 PID 3060 wrote to memory of 2732 3060 Mapccndn.exe 33 PID 3060 wrote to memory of 2732 3060 Mapccndn.exe 33 PID 2732 wrote to memory of 2892 2732 Mmhamoho.exe 34 PID 2732 wrote to memory of 2892 2732 Mmhamoho.exe 34 PID 2732 wrote to memory of 2892 2732 Mmhamoho.exe 34 PID 2732 wrote to memory of 2892 2732 Mmhamoho.exe 34 PID 2892 wrote to memory of 2712 2892 Nmkncofl.exe 35 PID 2892 wrote to memory of 2712 2892 Nmkncofl.exe 35 PID 2892 wrote to memory of 2712 2892 Nmkncofl.exe 35 PID 2892 wrote to memory of 2712 2892 Nmkncofl.exe 35 PID 2712 wrote to memory of 2608 2712 Nfcbldmm.exe 36 PID 2712 wrote to memory of 2608 2712 Nfcbldmm.exe 36 PID 2712 wrote to memory of 2608 2712 Nfcbldmm.exe 36 PID 2712 wrote to memory of 2608 2712 Nfcbldmm.exe 36 PID 2608 wrote to memory of 2316 2608 Nplfdj32.exe 37 PID 2608 wrote to memory of 2316 2608 Nplfdj32.exe 37 PID 2608 wrote to memory of 2316 2608 Nplfdj32.exe 37 PID 2608 wrote to memory of 2316 2608 Nplfdj32.exe 37 PID 2316 wrote to memory of 1692 2316 Nehomq32.exe 38 PID 2316 wrote to memory of 1692 2316 Nehomq32.exe 38 PID 2316 wrote to memory of 1692 2316 Nehomq32.exe 38 PID 2316 wrote to memory of 1692 2316 Nehomq32.exe 38 PID 1692 wrote to memory of 1940 1692 Nblpfepo.exe 39 PID 1692 wrote to memory of 1940 1692 Nblpfepo.exe 39 PID 1692 wrote to memory of 1940 1692 Nblpfepo.exe 39 PID 1692 wrote to memory of 1940 1692 Nblpfepo.exe 39 PID 1940 wrote to memory of 2400 1940 Nhiholof.exe 40 PID 1940 wrote to memory of 2400 1940 Nhiholof.exe 40 PID 1940 wrote to memory of 2400 1940 Nhiholof.exe 40 PID 1940 wrote to memory of 2400 1940 Nhiholof.exe 40 PID 2400 wrote to memory of 1900 2400 Ndpicm32.exe 41 PID 2400 wrote to memory of 1900 2400 Ndpicm32.exe 41 PID 2400 wrote to memory of 1900 2400 Ndpicm32.exe 41 PID 2400 wrote to memory of 1900 2400 Ndpicm32.exe 41 PID 1900 wrote to memory of 1188 1900 Nmhmlbkk.exe 42 PID 1900 wrote to memory of 1188 1900 Nmhmlbkk.exe 42 PID 1900 wrote to memory of 1188 1900 Nmhmlbkk.exe 42 PID 1900 wrote to memory of 1188 1900 Nmhmlbkk.exe 42 PID 1188 wrote to memory of 536 1188 Oklnff32.exe 43 PID 1188 wrote to memory of 536 1188 Oklnff32.exe 43 PID 1188 wrote to memory of 536 1188 Oklnff32.exe 43 PID 1188 wrote to memory of 536 1188 Oklnff32.exe 43 PID 536 wrote to memory of 584 536 Odebolpe.exe 44 PID 536 wrote to memory of 584 536 Odebolpe.exe 44 PID 536 wrote to memory of 584 536 Odebolpe.exe 44 PID 536 wrote to memory of 584 536 Odebolpe.exe 44 PID 584 wrote to memory of 1012 584 Oidglb32.exe 45 PID 584 wrote to memory of 1012 584 Oidglb32.exe 45 PID 584 wrote to memory of 1012 584 Oidglb32.exe 45 PID 584 wrote to memory of 1012 584 Oidglb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe"C:\Users\Admin\AppData\Local\Temp\2b133370a7d39d37aaf4f83787f9215b8c1bc46668317e11335486ba35d8c489N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe33⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe37⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe38⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe40⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe41⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe42⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe44⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe48⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe50⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe51⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe52⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe53⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe54⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe55⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe58⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe63⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe65⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe67⤵PID:344
-
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe68⤵PID:2228
-
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe69⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe70⤵PID:2668
-
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe71⤵PID:2984
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe72⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe73⤵PID:2600
-
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe74⤵PID:2648
-
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe75⤵PID:2980
-
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe76⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe78⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe79⤵PID:1544
-
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe80⤵PID:1944
-
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe82⤵PID:2636
-
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe83⤵PID:1448
-
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe85⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe86⤵PID:1412
-
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe87⤵PID:2948
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe88⤵PID:2772
-
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe89⤵PID:2708
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe91⤵PID:1384
-
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe92⤵PID:1656
-
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe93⤵PID:844
-
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe94⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe96⤵PID:3024
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe97⤵PID:336
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe98⤵PID:2664
-
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe99⤵PID:2408
-
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe102⤵PID:2888
-
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe103⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe105⤵PID:2908
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe106⤵PID:2728
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe107⤵PID:2964
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe108⤵PID:1240
-
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1856 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe110⤵PID:1948
-
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe111⤵PID:1624
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe112⤵PID:1828
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe113⤵PID:1036
-
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe114⤵PID:1820
-
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe115⤵PID:904
-
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe116⤵PID:328
-
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe117⤵PID:2076
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe118⤵PID:808
-
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe119⤵PID:3004
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe120⤵PID:2788
-
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe121⤵PID:2760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-