Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 03:14
Behavioral task
behavioral1
Sample
b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe
-
Size
144KB
-
MD5
cc58ee44f474994c3ca536793a01abf0
-
SHA1
aa8fa1cfbd0a9226b8d05989865efd6c81b42af6
-
SHA256
b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97
-
SHA512
bd2d903726345f767f9b6c773239a06501423f207e09669f44cae5e422d016f9f84a2c7fcfb620c24fc44f90d65c3337f02e96aac34eaee0f47a8cb4e3cde1e7
-
SSDEEP
3072:r4IsYgSu293Z0zGYJpD9r8XxrYnQg4sIb:r4Z6ZmGyZ6Yub
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Qqffjo32.exeEfkphnbd.exeHhbkinel.exeGndick32.exePjbcplpe.exeLbkkgl32.exeGdaociml.exeLjceqb32.exeCammjakm.exeKibeoo32.exeOocmii32.exeCioilg32.exeJgbjbp32.exeGmfplibd.exeCncnob32.exeDoojec32.exeIkndgg32.exePllgnl32.exeQemhbj32.exeBohbhmfm.exeImnocf32.exeJohnamkm.exeMhjhmhhd.exeBqkill32.exeInainbcn.exeOkgaijaj.exeAfgacokc.exePaelfmaf.exeLopmii32.exeOffnhpfo.exeNnkpnclp.exeCocjiehd.exeGpdennml.exeLjbfpo32.exeCoiaiakf.exeIdcepgmg.exeFelbnn32.exeJnfcia32.exeMledmg32.exeFijkdmhn.exeMnmmboed.exePcjiff32.exeOnnmdcjm.exeHemdlj32.exeMqafhl32.exeHkdjfb32.exeLgepom32.exeDndnpf32.exeEnhpao32.exeHiiggoaf.exeKkconn32.exeOmcjep32.exeCnindhpg.exeIhdafkdg.exeEjalcgkg.exeMcoljagj.exeIinjhh32.exeOljaccjf.exeJgkdbacp.exeLmbhgd32.exeNhokljge.exeGmeakf32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqffjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efkphnbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbkinel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gndick32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kibeoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmfplibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doojec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikndgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pllgnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemhbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohbhmfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjhmhhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqkill32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paelfmaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnkpnclp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljbfpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idcepgmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felbnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mledmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijkdmhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onnmdcjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgepom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndnpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhpao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnindhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcoljagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iinjhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmbhgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmeakf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbfpo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Nookip32.exeOgfcjm32.exeOhgoaehe.exeOlckbd32.exeOcmconhk.exeOekpkigo.exeOocddono.exeOgklelna.exeOhlimd32.exeOofaiokl.exeOepifi32.exeOljaccjf.exeOgpepl32.exeOhqbhdpj.exeOokjdn32.exePedbahod.exePhcomcng.exePpjgoaoj.exePcicklnn.exePgdokkfg.exePjbkgfej.exePlagcbdn.exePpmcdq32.exePgflqkdd.exePcmlfl32.exePflibgil.exePjgebf32.exePleaoa32.exePpamophb.exePcpikkge.exePlhnda32.exeQcbfakec.exeQhonib32.exeQqffjo32.exeQcdbfk32.exeQqhcpo32.exeAcgolj32.exeAjqgidij.exeAompak32.exeAgdhbi32.exeAhfdjanb.exeAopmfk32.exeAggegh32.exeAmcmpodi.exeAcnemi32.exeAqaffn32.exeAjjjocap.exeBcbohigp.exeBiogppeg.exeBcelmhen.exeBjodjb32.exeBjaqpbkh.exeBqkill32.exeBgeaifia.exeBjcmebie.exeBppfmigl.exeBggnof32.exeBfjnjcni.exeCmdfgm32.exeCqpbglno.exeCpbbch32.exeCjhfpa32.exeCabomkll.exeCcqkigkp.exepid Process 5108 Nookip32.exe 516 Ogfcjm32.exe 4284 Ohgoaehe.exe 3620 Olckbd32.exe 4956 Ocmconhk.exe 3348 Oekpkigo.exe 4252 Oocddono.exe 1424 Ogklelna.exe 4884 Ohlimd32.exe 3708 Oofaiokl.exe 4772 Oepifi32.exe 3308 Oljaccjf.exe 2076 Ogpepl32.exe 4688 Ohqbhdpj.exe 1392 Ookjdn32.exe 5048 Pedbahod.exe 4012 Phcomcng.exe 2764 Ppjgoaoj.exe 2472 Pcicklnn.exe 1676 Pgdokkfg.exe 2548 Pjbkgfej.exe 2164 Plagcbdn.exe 1464 Ppmcdq32.exe 4852 Pgflqkdd.exe 3992 Pcmlfl32.exe 3512 Pflibgil.exe 4084 Pjgebf32.exe 872 Pleaoa32.exe 2468 Ppamophb.exe 3700 Pcpikkge.exe 1744 Plhnda32.exe 5012 Qcbfakec.exe 952 Qhonib32.exe 1476 Qqffjo32.exe 3084 Qcdbfk32.exe 2280 Qqhcpo32.exe 2168 Acgolj32.exe 3280 Ajqgidij.exe 3460 Aompak32.exe 3016 Agdhbi32.exe 1596 Ahfdjanb.exe 3520 Aopmfk32.exe 3932 Aggegh32.exe 636 Amcmpodi.exe 4968 Acnemi32.exe 3032 Aqaffn32.exe 2004 Ajjjocap.exe 3124 Bcbohigp.exe 2512 Biogppeg.exe 660 Bcelmhen.exe 5004 Bjodjb32.exe 3188 Bjaqpbkh.exe 708 Bqkill32.exe 3480 Bgeaifia.exe 1748 Bjcmebie.exe 1608 Bppfmigl.exe 904 Bggnof32.exe 2544 Bfjnjcni.exe 1316 Cmdfgm32.exe 4920 Cqpbglno.exe 4936 Cpbbch32.exe 3536 Cjhfpa32.exe 5088 Cabomkll.exe 4312 Ccqkigkp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ohqbhdpj.exeLlmhaold.exeAmqhbe32.exeLhgkgijg.exeOcgkan32.exeIhphkl32.exeGpcfmkff.exeAkglloai.exeKlahfp32.exeDdgibkpc.exeNbbeml32.exeAkcjkfij.exeJgkdbacp.exePalbgl32.exeAnmfbl32.exeKqpoakco.exeLlqjbhdc.exeMcoljagj.exeKapfiqoj.exePgdokkfg.exeFfclcgfn.exeJjgchm32.exeLnadagbm.exeGbchdp32.exeJmbhoeid.exeAjpqnneo.exeIcnklbmj.exeIojbpo32.exeNmipdk32.exeQfkqjmdg.exeNjghbl32.exeAlnmjjdb.exeFlqdlnde.exeCkjbhmad.exeFiodpl32.exeKgflcifg.exeMhckcgpj.exeBgeaifia.exeCmdfgm32.exeFalcae32.exeIgdnabjh.exeOnnmdcjm.exeDpiplm32.exePleaoa32.exeFdqfll32.exeBhkmec32.exeFflohaij.exeGfjkjo32.exeIhmfco32.exeDpgeee32.exeGahcmd32.exeIqbbpm32.exeKdpmbc32.exeNhahaiec.exeAogiap32.exeCkebcg32.exeGiecfejd.exeHpmhdmea.exeEgaejeej.exeJjopcb32.exeLclpdncg.exePknqoc32.exedescription ioc Process File created C:\Windows\SysWOW64\Opakdijo.dll Ohqbhdpj.exe File created C:\Windows\SysWOW64\Lokdnjkg.exe Llmhaold.exe File opened for modification C:\Windows\SysWOW64\Apodoq32.exe Amqhbe32.exe File created C:\Windows\SysWOW64\Ncbegn32.dll Lhgkgijg.exe File opened for modification C:\Windows\SysWOW64\Ofegni32.exe Ocgkan32.exe File created C:\Windows\SysWOW64\Ikndgg32.exe Ihphkl32.exe File opened for modification C:\Windows\SysWOW64\Gbabigfj.exe Gpcfmkff.exe File created C:\Windows\SysWOW64\Bnfihkqm.exe Akglloai.exe File opened for modification C:\Windows\SysWOW64\Koodbl32.exe Klahfp32.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Klndfknp.dll Nbbeml32.exe File created C:\Windows\SysWOW64\Aoofle32.exe Akcjkfij.exe File opened for modification C:\Windows\SysWOW64\Jlhljhbg.exe Jgkdbacp.exe File created C:\Windows\SysWOW64\Pdkoch32.exe Palbgl32.exe File opened for modification C:\Windows\SysWOW64\Adfnofpd.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Kiggbhda.exe Kqpoakco.exe File created C:\Windows\SysWOW64\Loofnccf.exe Llqjbhdc.exe File created C:\Windows\SysWOW64\Bhcmal32.dll Mcoljagj.exe File created C:\Windows\SysWOW64\Fjohgj32.dll Kapfiqoj.exe File created C:\Windows\SysWOW64\Pjbkgfej.exe Pgdokkfg.exe File opened for modification C:\Windows\SysWOW64\Flqdlnde.exe Ffclcgfn.exe File opened for modification C:\Windows\SysWOW64\Jpaleglc.exe Jjgchm32.exe File created C:\Windows\SysWOW64\Lcnmin32.exe Lnadagbm.exe File opened for modification C:\Windows\SysWOW64\Geaepk32.exe Gbchdp32.exe File created C:\Windows\SysWOW64\Jpaekqhh.exe Jmbhoeid.exe File created C:\Windows\SysWOW64\Alnmjjdb.exe Ajpqnneo.exe File created C:\Windows\SysWOW64\Jfkohq32.dll Icnklbmj.exe File created C:\Windows\SysWOW64\Igajal32.exe Iojbpo32.exe File created C:\Windows\SysWOW64\Npgmpf32.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Keiifian.dll Qfkqjmdg.exe File created C:\Windows\SysWOW64\Naaqofgj.exe Njghbl32.exe File created C:\Windows\SysWOW64\Akamff32.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Momkkhch.dll Flqdlnde.exe File opened for modification C:\Windows\SysWOW64\Cnindhpg.exe Ckjbhmad.exe File opened for modification C:\Windows\SysWOW64\Flmqlg32.exe Fiodpl32.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Kgflcifg.exe File created C:\Windows\SysWOW64\Imqpnq32.dll Mhckcgpj.exe File created C:\Windows\SysWOW64\Bjcmebie.exe Bgeaifia.exe File opened for modification C:\Windows\SysWOW64\Cqpbglno.exe Cmdfgm32.exe File created C:\Windows\SysWOW64\Igbcbhgq.dll Falcae32.exe File opened for modification C:\Windows\SysWOW64\Innfnl32.exe Igdnabjh.exe File created C:\Windows\SysWOW64\Oeheqm32.exe Onnmdcjm.exe File created C:\Windows\SysWOW64\Ekppjn32.dll Dpiplm32.exe File opened for modification C:\Windows\SysWOW64\Ppamophb.exe Pleaoa32.exe File created C:\Windows\SysWOW64\Fimodc32.exe Fdqfll32.exe File opened for modification C:\Windows\SysWOW64\Bkjiao32.exe Bhkmec32.exe File created C:\Windows\SysWOW64\Eodolnaf.dll Fflohaij.exe File created C:\Windows\SysWOW64\Gihgfk32.exe Gfjkjo32.exe File created C:\Windows\SysWOW64\Clmmco32.dll Ihmfco32.exe File created C:\Windows\SysWOW64\Alfgikbb.dll Dpgeee32.exe File created C:\Windows\SysWOW64\Imjekecm.dll Gahcmd32.exe File created C:\Windows\SysWOW64\Cinbbnpa.dll Iqbbpm32.exe File created C:\Windows\SysWOW64\Kkjeomld.exe Kdpmbc32.exe File created C:\Windows\SysWOW64\Oibqpk32.dll Nhahaiec.exe File created C:\Windows\SysWOW64\Aafemk32.exe Aogiap32.exe File opened for modification C:\Windows\SysWOW64\Jjgchm32.exe Icnklbmj.exe File created C:\Windows\SysWOW64\Cncnob32.exe Ckebcg32.exe File opened for modification C:\Windows\SysWOW64\Gkdpbpih.exe Giecfejd.exe File created C:\Windows\SysWOW64\Hnphoj32.exe Hpmhdmea.exe File created C:\Windows\SysWOW64\Bcoaln32.dll Egaejeej.exe File opened for modification C:\Windows\SysWOW64\Jgcamf32.exe Jjopcb32.exe File opened for modification C:\Windows\SysWOW64\Lkchelci.exe Lclpdncg.exe File created C:\Windows\SysWOW64\Bchign32.dll Lnadagbm.exe File opened for modification C:\Windows\SysWOW64\Pmlmkn32.exe Pknqoc32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 6488 7220 1138 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exeKkhpdcab.exeOocmii32.exeMledmg32.exeJikoopij.exeOhnohn32.exeDmalne32.exeKedlip32.exeCadlbk32.exePkbjjbda.exeBemqih32.exeEpjajeqo.exeMalgcg32.exeDeqcbpld.exeOeoblb32.exeIcknfcol.exeDodjjimm.exeDhikci32.exePpmcdq32.exeLqbncb32.exeCndeii32.exeBfbaonae.exeGbabigfj.exeHoeieolb.exeMfkkqmiq.exeOgfcjm32.exeLbngllob.exePdmdnadc.exeEnhpao32.exeHbhijepa.exeGflhoo32.exeLlcghg32.exeAkoqpg32.exeEifhdd32.exeIplkpa32.exeMgeakekd.exeIjcahd32.exeBnfihkqm.exeHdjbiheb.exeFiaael32.exeNmkmjjaa.exeBnoddcef.exeGkdpbpih.exeOgklelna.exeQlggjk32.exeFdepgkgj.exeIhmfco32.exeOaajed32.exePknqoc32.exeKiejmi32.exeElgaeolp.exeHkicaahi.exeLkeekk32.exeHpqldc32.exePjbkgfej.exeHaafcb32.exeIlcldb32.exeApodoq32.exeOhfami32.exeGpbpbecj.exeKmfhkf32.exeEbnfbcbc.exeBmeandma.exeJnfcia32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhpdcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mledmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikoopij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnohn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmalne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kedlip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadlbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjajeqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deqcbpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeoblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icknfcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhikci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmcdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbaonae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbabigfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoeieolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkkqmiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfcjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbngllob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmdnadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhpao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhijepa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifhdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgeakekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcahd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfihkqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjbiheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkmjjaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoddcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdpbpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogklelna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdepgkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmfco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaajed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkicaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbkgfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haafcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfami32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbpbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfcia32.exe -
Modifies registry class 64 IoCs
Processes:
Iahlcaol.exeBlielbfi.exeKjgeedch.exeIialhaad.exeKolabf32.exeOfegni32.exeAknifq32.exePanhbfep.exeHpmhdmea.exeHhknpmma.exePkbjjbda.exeLflbkcll.exeNhokljge.exeNpiiffqe.exeIdbodn32.exeIinqbn32.exeMchppmij.exeMmnhcb32.exeFealin32.exeOmmceclc.exeAchegd32.exeGgkqgaol.exeBjcmebie.exeIakiia32.exeLjbfpo32.exeEmkndc32.exeLgbloglj.exeMjcngpjh.exeGbbajjlp.exeLcmodajm.exeOofaiokl.exeNihipdhl.exeDikihe32.exePknqoc32.exeDheibpje.exeLihpif32.exeMbgjbkfg.exeNccokk32.exeEfgemb32.exeKgamnded.exeNgjbaj32.exeKcejco32.exeBnmoijje.exeDhomfc32.exeEdjgfcec.exeIcknfcol.exeFbelcblk.exeHfaajnfb.exeJlolpq32.exeIhkjno32.exeb10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exeIjcahd32.exeJlhljhbg.exeDlieda32.exeJcikgacl.exeEnkdaepb.exeOhgoaehe.exeFkbkdkpp.exeAkhcfe32.exeKiggbhda.exeQepkbpak.exeQcclld32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklaah32.dll" Iahlcaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhogopn.dll" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjgeedch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofegni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoljp32.dll" Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll" Panhbfep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moqkim32.dll" Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpmoppk.dll" Pkbjjbda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoana32.dll" Nhokljge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idbodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkolm32.dll" Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpopokm.dll" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmfkjol.dll" Achegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll" Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjjdmoc.dll" Iakiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljbfpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenqhaga.dll" Emkndc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll" Mjcngpjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcmodajm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgpnkdm.dll" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggamph32.dll" Dikihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdecba32.dll" Dheibpje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nccokk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgamnded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Achegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkcckgg.dll" Ngjbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqgabec.dll" Dhomfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfaajnfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhcmpgk.dll" Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgooajdl.dll" b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijcahd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlhljhbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neqhhf32.dll" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcleml32.dll" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll" Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohgoaehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkbkdkpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiggbhda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcclld32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exeNookip32.exeOgfcjm32.exeOhgoaehe.exeOlckbd32.exeOcmconhk.exeOekpkigo.exeOocddono.exeOgklelna.exeOhlimd32.exeOofaiokl.exeOepifi32.exeOljaccjf.exeOgpepl32.exeOhqbhdpj.exeOokjdn32.exePedbahod.exePhcomcng.exePpjgoaoj.exePcicklnn.exePgdokkfg.exePjbkgfej.exedescription pid Process procid_target PID 908 wrote to memory of 5108 908 b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe 83 PID 908 wrote to memory of 5108 908 b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe 83 PID 908 wrote to memory of 5108 908 b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe 83 PID 5108 wrote to memory of 516 5108 Nookip32.exe 84 PID 5108 wrote to memory of 516 5108 Nookip32.exe 84 PID 5108 wrote to memory of 516 5108 Nookip32.exe 84 PID 516 wrote to memory of 4284 516 Ogfcjm32.exe 85 PID 516 wrote to memory of 4284 516 Ogfcjm32.exe 85 PID 516 wrote to memory of 4284 516 Ogfcjm32.exe 85 PID 4284 wrote to memory of 3620 4284 Ohgoaehe.exe 86 PID 4284 wrote to memory of 3620 4284 Ohgoaehe.exe 86 PID 4284 wrote to memory of 3620 4284 Ohgoaehe.exe 86 PID 3620 wrote to memory of 4956 3620 Olckbd32.exe 87 PID 3620 wrote to memory of 4956 3620 Olckbd32.exe 87 PID 3620 wrote to memory of 4956 3620 Olckbd32.exe 87 PID 4956 wrote to memory of 3348 4956 Ocmconhk.exe 88 PID 4956 wrote to memory of 3348 4956 Ocmconhk.exe 88 PID 4956 wrote to memory of 3348 4956 Ocmconhk.exe 88 PID 3348 wrote to memory of 4252 3348 Oekpkigo.exe 89 PID 3348 wrote to memory of 4252 3348 Oekpkigo.exe 89 PID 3348 wrote to memory of 4252 3348 Oekpkigo.exe 89 PID 4252 wrote to memory of 1424 4252 Oocddono.exe 90 PID 4252 wrote to memory of 1424 4252 Oocddono.exe 90 PID 4252 wrote to memory of 1424 4252 Oocddono.exe 90 PID 1424 wrote to memory of 4884 1424 Ogklelna.exe 91 PID 1424 wrote to memory of 4884 1424 Ogklelna.exe 91 PID 1424 wrote to memory of 4884 1424 Ogklelna.exe 91 PID 4884 wrote to memory of 3708 4884 Ohlimd32.exe 92 PID 4884 wrote to memory of 3708 4884 Ohlimd32.exe 92 PID 4884 wrote to memory of 3708 4884 Ohlimd32.exe 92 PID 3708 wrote to memory of 4772 3708 Oofaiokl.exe 93 PID 3708 wrote to memory of 4772 3708 Oofaiokl.exe 93 PID 3708 wrote to memory of 4772 3708 Oofaiokl.exe 93 PID 4772 wrote to memory of 3308 4772 Oepifi32.exe 94 PID 4772 wrote to memory of 3308 4772 Oepifi32.exe 94 PID 4772 wrote to memory of 3308 4772 Oepifi32.exe 94 PID 3308 wrote to memory of 2076 3308 Oljaccjf.exe 95 PID 3308 wrote to memory of 2076 3308 Oljaccjf.exe 95 PID 3308 wrote to memory of 2076 3308 Oljaccjf.exe 95 PID 2076 wrote to memory of 4688 2076 Ogpepl32.exe 96 PID 2076 wrote to memory of 4688 2076 Ogpepl32.exe 96 PID 2076 wrote to memory of 4688 2076 Ogpepl32.exe 96 PID 4688 wrote to memory of 1392 4688 Ohqbhdpj.exe 97 PID 4688 wrote to memory of 1392 4688 Ohqbhdpj.exe 97 PID 4688 wrote to memory of 1392 4688 Ohqbhdpj.exe 97 PID 1392 wrote to memory of 5048 1392 Ookjdn32.exe 98 PID 1392 wrote to memory of 5048 1392 Ookjdn32.exe 98 PID 1392 wrote to memory of 5048 1392 Ookjdn32.exe 98 PID 5048 wrote to memory of 4012 5048 Pedbahod.exe 99 PID 5048 wrote to memory of 4012 5048 Pedbahod.exe 99 PID 5048 wrote to memory of 4012 5048 Pedbahod.exe 99 PID 4012 wrote to memory of 2764 4012 Phcomcng.exe 100 PID 4012 wrote to memory of 2764 4012 Phcomcng.exe 100 PID 4012 wrote to memory of 2764 4012 Phcomcng.exe 100 PID 2764 wrote to memory of 2472 2764 Ppjgoaoj.exe 101 PID 2764 wrote to memory of 2472 2764 Ppjgoaoj.exe 101 PID 2764 wrote to memory of 2472 2764 Ppjgoaoj.exe 101 PID 2472 wrote to memory of 1676 2472 Pcicklnn.exe 102 PID 2472 wrote to memory of 1676 2472 Pcicklnn.exe 102 PID 2472 wrote to memory of 1676 2472 Pcicklnn.exe 102 PID 1676 wrote to memory of 2548 1676 Pgdokkfg.exe 103 PID 1676 wrote to memory of 2548 1676 Pgdokkfg.exe 103 PID 1676 wrote to memory of 2548 1676 Pgdokkfg.exe 103 PID 2548 wrote to memory of 2164 2548 Pjbkgfej.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe"C:\Users\Admin\AppData\Local\Temp\b10955829a5c0bbe772b13342e65f9eefaeb198e608ae5eaeda7443a3afd2c97N.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe23⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe25⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe26⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe27⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe28⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe30⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe31⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe32⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe33⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe34⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe36⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe37⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe38⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe39⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe40⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe41⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe42⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe43⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe44⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe45⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe46⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe47⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe48⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe49⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe50⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe51⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe52⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe53⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3480 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe57⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe58⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe59⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe61⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe62⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe63⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe64⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe65⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe66⤵PID:4944
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe67⤵
- System Location Discovery: System Language Discovery
PID:3200 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe68⤵PID:3448
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe69⤵PID:4236
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe70⤵PID:2636
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe71⤵PID:1924
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe72⤵PID:1704
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe73⤵PID:4472
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe74⤵PID:3936
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe75⤵PID:2528
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe76⤵PID:4400
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe77⤵PID:3800
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe78⤵PID:2964
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe79⤵PID:3940
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe80⤵PID:3264
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe81⤵PID:632
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe82⤵PID:3552
-
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe83⤵PID:4604
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe84⤵PID:2496
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe85⤵PID:2320
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe86⤵PID:2972
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe87⤵
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe88⤵
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe89⤵PID:1300
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe90⤵PID:5040
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe91⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe92⤵PID:4424
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe93⤵PID:4300
-
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe94⤵PID:544
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe95⤵PID:4584
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe96⤵PID:3976
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe97⤵PID:2596
-
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe98⤵
- Modifies registry class
PID:4828 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe99⤵PID:3340
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe100⤵PID:3396
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3148 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe102⤵PID:3328
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe103⤵PID:2412
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe104⤵PID:5136
-
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe105⤵PID:5180
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe106⤵PID:5224
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe107⤵PID:5264
-
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe108⤵PID:5308
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe109⤵PID:5348
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe110⤵PID:5392
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe111⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe112⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe113⤵PID:5528
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe114⤵PID:5572
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe115⤵PID:5616
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe116⤵PID:5660
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe118⤵PID:5748
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe119⤵PID:5792
-
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe120⤵PID:5832
-
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe121⤵PID:5880
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-