Analysis
max time kernel: 74s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 03:44
Static task: static1
Behavioral task: behavioral1
  Sample: cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe
  Resource: win10v2004-20241007-en
General
Target: cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe
Size: 565KB
MD5: d4fbc5c72c76df0b574a4aa4abc2c73c
SHA1: e4f7c191ca6058ca14fedcb461a1a6f203a2a5c2
SHA256: cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208
SHA512: 8a1254475f24860e51e709ca2127182b5a0233a2983be8b5271e021580fdc11f20e9394c040f9398b2dec5151677388cfceca8f73fa5a9594cf9a511f0260f40
SSDEEP: 12288:4zpZi+tuFjAh//+zrWAIAqWim/+zrWAI5KF8OXF:4zpQ+tuFjAh/mvFimm09OXF
Malware Config
Extracted: berbew
URL templates (printf-style, as extracted from the sample):
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
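The extracted URLs are format strings, not literal addresses, so they cannot be pasted into a blocklist as-is. The added example below (editor's code, not part of the sandbox report or of the Berbew sample) turns each template into an anchored regex over the request path and query and runs it over a few constructed proxy-log records. The host shown by the report ("f") is not a usable indicator, so the example deliberately matches on path+query only; the `client method url` log layout, the mapping of `%s` to a single colon-free field, and the 203.0.113.5 / 10.0.0.x addresses are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# URL templates exactly as the sandbox printed them. The host "f" is what the report
# shows, not a known C2 address, so matching below is on path + query only (assumption).
BERBEW_TEMPLATES = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# One printf conversion: optional '0' flag, optional width, conversion character.
_SPEC = re.compile(r'%(?P<zero>0?)(?P<width>\d*)(?P<conv>[sdiu])')


def _spec_to_regex(m):
    """Map one printf conversion to a regex fragment."""
    conv, width, zero = m.group('conv'), m.group('width'), m.group('zero')
    if conv == 's':
        return r'[^:?&\s]+'          # one ':'-delimited field, per the template's layout
    if width and zero:
        return r'\d{%s}' % width     # %09u / %02d: zero padded to a fixed width
    return r'-?\d+' if conv in 'di' else r'\d+'


def _path_and_query(url):
    parts = urlsplit(url)
    return parts.path + ('?' + parts.query if parts.query else '')


def template_to_regex(template):
    """Compile a printf-style URL template into an anchored regex over path+query."""
    target = _path_and_query(template)
    out, pos = [], 0
    for m in _SPEC.finditer(target):
        out.append(re.escape(target[pos:m.start()]))   # literal text between conversions
        out.append(_spec_to_regex(m))
        pos = m.end()
    out.append(re.escape(target[pos:]))
    return re.compile('^' + ''.join(out) + '$')


PATTERNS = {t: template_to_regex(t) for t in BERBEW_TEMPLATES}


def match_request(url):
    """Return the template a request URL fits, or None if it fits none."""
    target = _path_and_query(url)
    for template, rx in PATTERNS.items():
        if rx.match(target):
            return template
    return None


def scan_proxy_log(lines):
    """Lines are 'client method url' (constructed layout); return (client, url, template) hits."""
    hits = []
    for line in lines:
        client, _method, url = line.split(None, 2)
        template = match_request(url.strip())
        if template:
            hits.append((client, url.strip(), template))
    return hits


# Constructed proxy records; 203.0.113.5 is a documentation address, not a real C2.
SAMPLE_PROXY_LOG = [
    "10.0.0.21 GET http://203.0.113.5/wcmd.htm",
    "10.0.0.21 POST http://203.0.113.5/piplog.php?WIN7-PC:1:0:Admin:000123456:2:12:34:56",
    "10.0.0.33 GET http://example.com/piplog.php?not:the:right:shape",
    "10.0.0.33 GET http://example.com/index.html",
]

if __name__ == '__main__':
    for client, url, template in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{client} -> {url}  matches {template}')
```

The fixed-width conversions (`%09u`, `%02d`) are what give the piplog beacon its shape and keep the rule from firing on arbitrary `piplog.php` requests; `wcmd.htm` and `ppslog.php` are generic enough that a hit on them alone should be corroborated with the host or with the registry indicators below.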
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 events target HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL), the list of COM objects Explorer.exe instantiates at logon. Every stage of the dropped chain re-creates the key and re-sets the same value name to the same CLSID, so one SSODL entry survives however many stages have run.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 processes):
Fplknh32.exe, Pbppqf32.exe, Jdpidm32.exe, Ncbkenba.exe, Dcfknooi.exe, Idbjkj32.exe, Pgjfflkf.exe, Cfoellgb.exe, Hbkpfa32.exe, Ldgnmhhj.exe, Hojqjp32.exe, Cgaoic32.exe, Cbcfbege.exe, Aaondi32.exe, Qcmnaaji.exe, cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe, Lkcgapjl.exe, Aiflpm32.exe, Pceqfl32.exe, Aaeiqf32.exe, Hibebeqb.exe, Knbgnhfd.exe, Cldnqe32.exe, Egkgad32.exe, Fkdckgpc.exe, Fdcncg32.exe, Keehmobp.exe, Akbgdkgm.exe, Jafmngde.exe, Joqdfghn.exe, Ppbkoabf.exe, Jmggcmgg.exe, Mmpcdfem.exe, Kgghgg32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (30 processes):
Jhgnbehe.exe, Bacgohjk.exe, Mjgclcjh.exe, Aiflpm32.exe, Bbolge32.exe, Ieiegf32.exe, Ajjinaco.exe, Gfldno32.exe, Cjhdgk32.exe, Phhonn32.exe, Jafmngde.exe, Fqheei32.exe, Ldokhn32.exe, Acggbffj.exe, Oolbcaij.exe, Eioaillo.exe, Ocqhcqgk.exe, Cgaoic32.exe, Jdpidm32.exe, Iocdmccp.exe, Mpnifkae.exe, Dkfcqo32.exe, Dhdddnep.exe, Onfadc32.exe, Hbkpfa32.exe, Mogene32.exe, Fplknh32.exe, Kfcadq32.exe, Ndnplk32.exe, Dfdeab32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid, process (in the order reported):
872 Moccnoni.exe
584 Nkjdcp32.exe
3060 Ocqhcqgk.exe
3032 Oklmhcdf.exe
2812 Oknjmb32.exe
2536 Oolbcaij.exe
1316 Pamlel32.exe
1248 Pqbifhjb.exe
1460 Pqdelh32.exe
432 Pcenmcea.exe
2120 Pbjkop32.exe
1548 Qnalcqpm.exe
2196 Qoqhncgp.exe
2656 Ajjinaco.exe
2472 Amkbpm32.exe
1716 Acggbffj.exe
612 Aiflpm32.exe
1356 Blgeahoo.exe
2568 Bbcjca32.exe
2440 Bedcembk.exe
2780 Cfhlbe32.exe
2172 Cihedpcg.exe
2608 Cbcfbege.exe
888 Cgaoic32.exe
3000 Dhehfk32.exe
2936 Doamhe32.exe
1620 Dabfjp32.exe
2940 Eocfmh32.exe
2016 Ekjgbi32.exe
2844 Fbfldc32.exe
2260 Fgeabi32.exe
3020 Fcoolj32.exe
2460 Gfadcemm.exe
2832 Gnofng32.exe
2788 Gapoob32.exe
2284 Hhlcal32.exe
768 Hmkiobge.exe
944 Hffjng32.exe
2576 Ipaklm32.exe
2704 Ibadnhmb.exe
1808 Iokahhac.exe
2340 Jkabmi32.exe
2336 Jcmgal32.exe
2356 Jgkphj32.exe
2512 Jcaqmkpn.exe
2548 Jafmngde.exe
3008 Jcfjhj32.exe
1500 Knbgnhfd.exe
1876 Knddcg32.exe
1532 Kfbemi32.exe
112 Lmnkpc32.exe
2636 Lkcgapjl.exe
1056 Lbplciof.exe
2544 Laeidfdn.exe
1232 Magfjebk.exe
1544 Mmngof32.exe
1528 Mmpcdfem.exe
2020 Mmemoe32.exe
1984 Naionh32.exe
1616 Nkbcgnie.exe
3004 Nhfdqb32.exe
2700 Okfmbm32.exe
2664 Okijhmcm.exe
2880 Opebpdad.exe
Loads dropped DLL (64 IoCs)
pid, process; each process appears twice in the report (two dropped-DLL loads each):
1628 cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe
872 Moccnoni.exe
584 Nkjdcp32.exe
3060 Ocqhcqgk.exe
3032 Oklmhcdf.exe
2812 Oknjmb32.exe
2536 Oolbcaij.exe
1316 Pamlel32.exe
1248 Pqbifhjb.exe
1460 Pqdelh32.exe
432 Pcenmcea.exe
2120 Pbjkop32.exe
1548 Qnalcqpm.exe
2196 Qoqhncgp.exe
2656 Ajjinaco.exe
2472 Amkbpm32.exe
1716 Acggbffj.exe
612 Aiflpm32.exe
1356 Blgeahoo.exe
2568 Bbcjca32.exe
2440 Bedcembk.exe
2780 Cfhlbe32.exe
2172 Cihedpcg.exe
2608 Cbcfbege.exe
888 Cgaoic32.exe
3000 Dhehfk32.exe
2936 Doamhe32.exe
1620 Dabfjp32.exe
2940 Eocfmh32.exe
2016 Ekjgbi32.exe
2844 Fbfldc32.exe
2260 Fgeabi32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Aaeiqf32.exe | Alfdcp32.exe
File created | C:\Windows\SysWOW64\Bbolge32.exe | Akbgdkgm.exe
File opened for modification | C:\Windows\SysWOW64\Jocalffk.exe | Joqdfghn.exe
File created | C:\Windows\SysWOW64\Ppbkoabf.exe | Pgjfflkf.exe
File created | C:\Windows\SysWOW64\Bcopkn32.exe | Bfkobj32.exe
File created | C:\Windows\SysWOW64\Joidfo32.dll | Klamohhj.exe
File created | C:\Windows\SysWOW64\Njobpa32.exe | Njmejaqb.exe
File created | C:\Windows\SysWOW64\Kjqpgali.dll | Oknjmb32.exe
File opened for modification | C:\Windows\SysWOW64\Bfkobj32.exe | Anmnhhmd.exe
File created | C:\Windows\SysWOW64\Gnlbnagl.exe | Gnjehaio.exe
File opened for modification | C:\Windows\SysWOW64\Mpnifkae.exe | Mpllpl32.exe
File created | C:\Windows\SysWOW64\Ccnbppgg.dll | Obonfj32.exe
File created | C:\Windows\SysWOW64\Amnanefa.exe | Akjham32.exe
File created | C:\Windows\SysWOW64\Phheippe.dll | Amnanefa.exe
File created | C:\Windows\SysWOW64\Eipnnj32.dll | Ldgnmhhj.exe
File created | C:\Windows\SysWOW64\Iqkcelpl.dll | Ajjinaco.exe
File created | C:\Windows\SysWOW64\Ladpqq32.dll | Ekdglcmh.exe
File created | C:\Windows\SysWOW64\Iaibff32.dll | Lkcgapjl.exe
File created | C:\Windows\SysWOW64\Dmiihjak.exe | Ddnhidmm.exe
File created | C:\Windows\SysWOW64\Okmpgc32.dll | Hnjagdlj.exe
File created | C:\Windows\SysWOW64\Jhgnbehe.exe | Jmmmbg32.exe
File created | C:\Windows\SysWOW64\Jdplmflg.exe | Jhikhefb.exe
File created | C:\Windows\SysWOW64\Hffjng32.exe | Hmkiobge.exe
File opened for modification | C:\Windows\SysWOW64\Bacgohjk.exe | Bcoffd32.exe
File created | C:\Windows\SysWOW64\Dlifcqfl.exe | Dbqajk32.exe
File opened for modification | C:\Windows\SysWOW64\Bbfibj32.exe | Bfphmi32.exe
File created | C:\Windows\SysWOW64\Npdkdjhp.exe | Mjgclcjh.exe
File opened for modification | C:\Windows\SysWOW64\Npdkdjhp.exe | Mjgclcjh.exe
File created | C:\Windows\SysWOW64\Aikjmm32.dll | Cfhlbe32.exe
File created | C:\Windows\SysWOW64\Okijhmcm.exe | Okfmbm32.exe
File created | C:\Windows\SysWOW64\Fmdpejgf.exe | Ffjghppi.exe
File created | C:\Windows\SysWOW64\Pkkeeikj.exe | Pbppqf32.exe
File created | C:\Windows\SysWOW64\Akjham32.exe | Abachg32.exe
File opened for modification | C:\Windows\SysWOW64\Anmnhhmd.exe | Amnanefa.exe
File created | C:\Windows\SysWOW64\Bmhjjiab.dll | Gcfgfack.exe
File created | C:\Windows\SysWOW64\Ghhpkmjg.dll | Fcgdjmlo.exe
File opened for modification | C:\Windows\SysWOW64\Ipaklm32.exe | Hffjng32.exe
File created | C:\Windows\SysWOW64\Mgnkfjho.exe | Lglnajjb.exe
File created | C:\Windows\SysWOW64\Dnimkebm.dll | Njammhei.exe
File created | C:\Windows\SysWOW64\Ijmdql32.exe | Ipecndab.exe
File opened for modification | C:\Windows\SysWOW64\Nhfdqb32.exe | Nkbcgnie.exe
File created | C:\Windows\SysWOW64\Njnjicba.dll | Hefginae.exe
File created | C:\Windows\SysWOW64\Ekgfkl32.exe | Egimdmmc.exe
File created | C:\Windows\SysWOW64\Pqdelh32.exe | Pqbifhjb.exe
File created | C:\Windows\SysWOW64\Jgkphj32.exe | Jcmgal32.exe
File opened for modification | C:\Windows\SysWOW64\Mmpcdfem.exe | Mmngof32.exe
File created | C:\Windows\SysWOW64\Klamohhj.exe | Keehmobp.exe
File created | C:\Windows\SysWOW64\Iaieif32.dll | Abachg32.exe
File opened for modification | C:\Windows\SysWOW64\Jmpqbnmp.exe | Jhchjgoh.exe
File created | C:\Windows\SysWOW64\Dabfjp32.exe | Doamhe32.exe
File created | C:\Windows\SysWOW64\Abbjbnoq.exe | Qcmnaaji.exe
File opened for modification | C:\Windows\SysWOW64\Mmemoe32.exe | Mmpcdfem.exe
File created | C:\Windows\SysWOW64\Eddmalde.dll | Dihkimag.exe
File created | C:\Windows\SysWOW64\Cedbmi32.exe | Cfoellgb.exe
File created | C:\Windows\SysWOW64\Bdoeipjh.exe | Bbolge32.exe
File opened for modification | C:\Windows\SysWOW64\Kfcadq32.exe | Johlpoij.exe
File opened for modification | C:\Windows\SysWOW64\Oklmhcdf.exe | Ocqhcqgk.exe
File opened for modification | C:\Windows\SysWOW64\Gapoob32.exe | Gnofng32.exe
File opened for modification | C:\Windows\SysWOW64\Podbgo32.exe | Pobeao32.exe
File created | C:\Windows\SysWOW64\Ambcga32.dll | Elqcnfdp.exe
File created | C:\Windows\SysWOW64\Ckcpfp32.dll | Plaoim32.exe
File opened for modification | C:\Windows\SysWOW64\Bbcjca32.exe | Blgeahoo.exe
File created | C:\Windows\SysWOW64\Gfmogk32.dll | Jcaqmkpn.exe
File created | C:\Windows\SysWOW64\Lkffohon.exe | Lomidgkl.exe
Program crash (1 IoC)
pid 3692, pid_target 3716, process WerFault.exe, procid_target 319
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also routine for benign software during locale initialisation, so on its own it is a low-signal indicator; treat it as context for the persistence and file-drop events above rather than as a detection by itself.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 processes):
Fbfldc32.exe, Jcfjhj32.exe, Cfhlbe32.exe, Podbgo32.exe, Fqheei32.exe, Aoakfl32.exe, Cfoellgb.exe, Oklmhcdf.exe, Abachg32.exe, Copljmpo.exe, Bbimbpld.exe, Jkfnaa32.exe, Qnagbc32.exe, Mcendc32.exe, Njmejaqb.exe, Dhehfk32.exe, Eioaillo.exe, Lbfcbdce.exe, Eekdmk32.exe, Plaoim32.exe, Dbqajk32.exe, Ndnplk32.exe, Aiflpm32.exe, Dpmjjhmi.exe, Hnjagdlj.exe, Iimenapo.exe, Eeiggk32.exe, Phhonn32.exe, Jmmmbg32.exe, Jhikhefb.exe, Mmngof32.exe, Ffjghppi.exe, Jhchjgoh.exe, Jmpqbnmp.exe, Bbolge32.exe, Hojqjp32.exe, Pamlel32.exe, Ipoqofjh.exe, Fkeedo32.exe, Gkiooocb.exe, Ldgnmhhj.exe, Cihedpcg.exe, Mpllpl32.exe, Bbfibj32.exe, Nbljfdoh.exe, Ncjcnfcn.exe, Akkokc32.exe, Ekgfkl32.exe, Fplknh32.exe, Mmemoe32.exe, Nkbcgnie.exe, Olgboogb.exe, Pihlhagn.exe, Onfadc32.exe, Gnofng32.exe, Ipaklm32.exe, Opebpdad.exe, Gnjehaio.exe, Gfbfln32.exe, Cpbiolnl.exe, Pqbifhjb.exe, Joqdfghn.exe, Kkigfdjo.exe, Qnalcqpm.exe
Modifies registry class (64 IoCs; the page shows 56 before the list is cut off)
These writes populate HKCR\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}, the CLSID that the SSODL "Web Event Logger" value above points to. The InProcServer32 default value names the DLL Explorer.exe loads for that CLSID, and each stage re-points it to its own freshly dropped DLL (last write wins); several of the DLLs below also appear in the System32 drop list, created by the same process (for example Joidfo32.dll by Klamohhj.exe and Ghhpkmjg.dll by Fcgdjmlo.exe).

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}:
cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (16 processes):
Dmiihjak.exe, Dalfdjdl.exe, Dbqajk32.exe, Pamlel32.exe, Abachg32.exe, Hffjng32.exe, Jhchjgoh.exe, Iiaoip32.exe, Kkfjpemb.exe, Hamgno32.exe, Fakhhk32.exe, Ldchdjom.exe, Inajql32.exe, Dfdeab32.exe, Cngfqi32.exe, Kkigfdjo.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" (16 processes):
Dabfjp32.exe, Naionh32.exe, Jhgnbehe.exe, Fqheei32.exe, Njobpa32.exe, Kadhen32.exe, Bdoeipjh.exe, Lbfcbdce.exe, Magfjebk.exe, Gkiooocb.exe, Bbcjca32.exe, Ekdglcmh.exe, Kfcadq32.exe, Hhlcal32.exe, Godhgedg.exe, Kjhahb32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\<dll>" (23 writes; dll | process):
Jaecfp32.dll | Oefmid32.exe
Hjdlgkfb.dll | Ocqhcqgk.exe
Jogacc32.dll | Oklmhcdf.exe
Cmcggjbl.dll | Hjfbaj32.exe
Cbdejenb.dll | Lbplciof.exe
Aodlloep.dll | Qcmnaaji.exe
Joidfo32.dll | Klamohhj.exe
Hebhjc32.dll | Mhlcnl32.exe
Qndhopgo.dll | Mfijfdca.exe
Ebhbna32.dll | Mpllpl32.exe
Njnmiaib.dll | Jhchjgoh.exe
Eohhqjab.dll | Lmnkpc32.exe
Abpceblc.dll | Biakbc32.exe
Lamopnkl.dll | Ibadnhmb.exe
Hlcdlj32.dll | Glpdbfek.exe
Lciijbkd.dll | Mcendc32.exe
Dlfpln32.dll | Dijgnm32.exe
Cpmbdd32.dll | Cgaoic32.exe
Mbnmpd32.dll | Gfadcemm.exe
Fnkfoiql.dll | Pihlhagn.exe
Khqahnpk.dll | Dbqajk32.exe
Kjfdgc32.dll | Dmiihjak.exe
Ghhpkmjg.dll | Fcgdjmlo.exe
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moccnoni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peknbgmo.dll" Okailkhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhogeg.dll" Aaondi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fqheei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbnoj32.dll" Mpnifkae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijmdql32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe, Moccnoni.exe, Nkjdcp32.exe, Ocqhcqgk.exe, Oklmhcdf.exe, Oknjmb32.exe, Oolbcaij.exe, Pamlel32.exe, Pqbifhjb.exe, Pqdelh32.exe, Pcenmcea.exe, Pbjkop32.exe, Qnalcqpm.exe, Qoqhncgp.exe, Ajjinaco.exe, Amkbpm32.exe
description | pid | Process | procid_target
PID 1628 wrote to memory of 872 | 1628 | cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe | 30
PID 1628 wrote to memory of 872 | 1628 | cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe | 30
PID 1628 wrote to memory of 872 | 1628 | cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe | 30
PID 1628 wrote to memory of 872 | 1628 | cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe | 30
PID 872 wrote to memory of 584 | 872 | Moccnoni.exe | 31
PID 872 wrote to memory of 584 | 872 | Moccnoni.exe | 31
PID 872 wrote to memory of 584 | 872 | Moccnoni.exe | 31
PID 872 wrote to memory of 584 | 872 | Moccnoni.exe | 31
PID 584 wrote to memory of 3060 | 584 | Nkjdcp32.exe | 32
PID 584 wrote to memory of 3060 | 584 | Nkjdcp32.exe | 32
PID 584 wrote to memory of 3060 | 584 | Nkjdcp32.exe | 32
PID 584 wrote to memory of 3060 | 584 | Nkjdcp32.exe | 32
PID 3060 wrote to memory of 3032 | 3060 | Ocqhcqgk.exe | 33
PID 3060 wrote to memory of 3032 | 3060 | Ocqhcqgk.exe | 33
PID 3060 wrote to memory of 3032 | 3060 | Ocqhcqgk.exe | 33
PID 3060 wrote to memory of 3032 | 3060 | Ocqhcqgk.exe | 33
PID 3032 wrote to memory of 2812 | 3032 | Oklmhcdf.exe | 34
PID 3032 wrote to memory of 2812 | 3032 | Oklmhcdf.exe | 34
PID 3032 wrote to memory of 2812 | 3032 | Oklmhcdf.exe | 34
PID 3032 wrote to memory of 2812 | 3032 | Oklmhcdf.exe | 34
PID 2812 wrote to memory of 2536 | 2812 | Oknjmb32.exe | 35
PID 2812 wrote to memory of 2536 | 2812 | Oknjmb32.exe | 35
PID 2812 wrote to memory of 2536 | 2812 | Oknjmb32.exe | 35
PID 2812 wrote to memory of 2536 | 2812 | Oknjmb32.exe | 35
PID 2536 wrote to memory of 1316 | 2536 | Oolbcaij.exe | 36
PID 2536 wrote to memory of 1316 | 2536 | Oolbcaij.exe | 36
PID 2536 wrote to memory of 1316 | 2536 | Oolbcaij.exe | 36
PID 2536 wrote to memory of 1316 | 2536 | Oolbcaij.exe | 36
PID 1316 wrote to memory of 1248 | 1316 | Pamlel32.exe | 37
PID 1316 wrote to memory of 1248 | 1316 | Pamlel32.exe | 37
PID 1316 wrote to memory of 1248 | 1316 | Pamlel32.exe | 37
PID 1316 wrote to memory of 1248 | 1316 | Pamlel32.exe | 37
PID 1248 wrote to memory of 1460 | 1248 | Pqbifhjb.exe | 38
PID 1248 wrote to memory of 1460 | 1248 | Pqbifhjb.exe | 38
PID 1248 wrote to memory of 1460 | 1248 | Pqbifhjb.exe | 38
PID 1248 wrote to memory of 1460 | 1248 | Pqbifhjb.exe | 38
PID 1460 wrote to memory of 432 | 1460 | Pqdelh32.exe | 39
PID 1460 wrote to memory of 432 | 1460 | Pqdelh32.exe | 39
PID 1460 wrote to memory of 432 | 1460 | Pqdelh32.exe | 39
PID 1460 wrote to memory of 432 | 1460 | Pqdelh32.exe | 39
PID 432 wrote to memory of 2120 | 432 | Pcenmcea.exe | 40
PID 432 wrote to memory of 2120 | 432 | Pcenmcea.exe | 40
PID 432 wrote to memory of 2120 | 432 | Pcenmcea.exe | 40
PID 432 wrote to memory of 2120 | 432 | Pcenmcea.exe | 40
PID 2120 wrote to memory of 1548 | 2120 | Pbjkop32.exe | 41
PID 2120 wrote to memory of 1548 | 2120 | Pbjkop32.exe | 41
PID 2120 wrote to memory of 1548 | 2120 | Pbjkop32.exe | 41
PID 2120 wrote to memory of 1548 | 2120 | Pbjkop32.exe | 41
PID 1548 wrote to memory of 2196 | 1548 | Qnalcqpm.exe | 42
PID 1548 wrote to memory of 2196 | 1548 | Qnalcqpm.exe | 42
PID 1548 wrote to memory of 2196 | 1548 | Qnalcqpm.exe | 42
PID 1548 wrote to memory of 2196 | 1548 | Qnalcqpm.exe | 42
PID 2196 wrote to memory of 2656 | 2196 | Qoqhncgp.exe | 43
PID 2196 wrote to memory of 2656 | 2196 | Qoqhncgp.exe | 43
PID 2196 wrote to memory of 2656 | 2196 | Qoqhncgp.exe | 43
PID 2196 wrote to memory of 2656 | 2196 | Qoqhncgp.exe | 43
PID 2656 wrote to memory of 2472 | 2656 | Ajjinaco.exe | 44
PID 2656 wrote to memory of 2472 | 2656 | Ajjinaco.exe | 44
PID 2656 wrote to memory of 2472 | 2656 | Ajjinaco.exe | 44
PID 2656 wrote to memory of 2472 | 2656 | Ajjinaco.exe | 44
PID 2472 wrote to memory of 1716 | 2472 | Amkbpm32.exe | 45
PID 2472 wrote to memory of 1716 | 2472 | Amkbpm32.exe | 45
PID 2472 wrote to memory of 1716 | 2472 | Amkbpm32.exe | 45
PID 2472 wrote to memory of 1716 | 2472 | Amkbpm32.exe | 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe"C:\Users\Admin\AppData\Local\Temp\cd2e5ed798f8c2517a0417eeda757b192244e3f09ae338f848fa7b5c30413208.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Moccnoni.exeC:\Windows\system32\Moccnoni.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Nkjdcp32.exeC:\Windows\system32\Nkjdcp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Oknjmb32.exeC:\Windows\system32\Oknjmb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Oolbcaij.exeC:\Windows\system32\Oolbcaij.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Pqbifhjb.exeC:\Windows\system32\Pqbifhjb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Pqdelh32.exeC:\Windows\system32\Pqdelh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Pcenmcea.exeC:\Windows\system32\Pcenmcea.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Pbjkop32.exeC:\Windows\system32\Pbjkop32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Qoqhncgp.exeC:\Windows\system32\Qoqhncgp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Amkbpm32.exeC:\Windows\system32\Amkbpm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Acggbffj.exeC:\Windows\system32\Acggbffj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Aiflpm32.exeC:\Windows\system32\Aiflpm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:612 -
C:\Windows\SysWOW64\Blgeahoo.exeC:\Windows\system32\Blgeahoo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Bbcjca32.exeC:\Windows\system32\Bbcjca32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Bedcembk.exeC:\Windows\system32\Bedcembk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Cbcfbege.exeC:\Windows\system32\Cbcfbege.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Dabfjp32.exeC:\Windows\system32\Dabfjp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe33⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe36⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Hhlcal32.exeC:\Windows\system32\Hhlcal32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Hmkiobge.exeC:\Windows\system32\Hmkiobge.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Ipaklm32.exeC:\Windows\system32\Ipaklm32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe43⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe45⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Knbgnhfd.exeC:\Windows\system32\Knbgnhfd.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Knddcg32.exeC:\Windows\system32\Knddcg32.exe50⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe51⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe55⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Nkbcgnie.exeC:\Windows\system32\Nkbcgnie.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe62⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Okijhmcm.exeC:\Windows\system32\Okijhmcm.exe64⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Pobeao32.exeC:\Windows\system32\Pobeao32.exe66⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe67⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Pdajpf32.exeC:\Windows\system32\Pdajpf32.exe68⤵PID:1804
-
C:\Windows\SysWOW64\Paekijkb.exeC:\Windows\system32\Paekijkb.exe69⤵PID:1680
-
C:\Windows\SysWOW64\Paghojip.exeC:\Windows\system32\Paghojip.exe70⤵PID:2436
-
C:\Windows\SysWOW64\Qnnhcknd.exeC:\Windows\system32\Qnnhcknd.exe71⤵PID:1692
-
C:\Windows\SysWOW64\Qckalamk.exeC:\Windows\system32\Qckalamk.exe72⤵PID:2484
-
C:\Windows\SysWOW64\Qcmnaaji.exeC:\Windows\system32\Qcmnaaji.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Abbjbnoq.exeC:\Windows\system32\Abbjbnoq.exe74⤵PID:2108
-
C:\Windows\SysWOW64\Akkokc32.exeC:\Windows\system32\Akkokc32.exe75⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Afpchl32.exeC:\Windows\system32\Afpchl32.exe76⤵PID:2212
-
C:\Windows\SysWOW64\Aeepjh32.exeC:\Windows\system32\Aeepjh32.exe77⤵PID:1612
-
C:\Windows\SysWOW64\Aokdga32.exeC:\Windows\system32\Aokdga32.exe78⤵PID:2304
-
C:\Windows\SysWOW64\Aicipgqe.exeC:\Windows\system32\Aicipgqe.exe79⤵PID:2816
-
C:\Windows\SysWOW64\Aaondi32.exeC:\Windows\system32\Aaondi32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Bcoffd32.exeC:\Windows\system32\Bcoffd32.exe81⤵
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe83⤵PID:2308
-
C:\Windows\SysWOW64\Bbimbpld.exeC:\Windows\system32\Bbimbpld.exe84⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Cbljgpja.exeC:\Windows\system32\Cbljgpja.exe85⤵PID:2276
-
C:\Windows\SysWOW64\Cldnqe32.exeC:\Windows\system32\Cldnqe32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Chkoef32.exeC:\Windows\system32\Chkoef32.exe87⤵PID:2128
-
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe88⤵PID:2072
-
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe89⤵PID:2596
-
C:\Windows\SysWOW64\Cahmik32.exeC:\Windows\system32\Cahmik32.exe90⤵PID:3048
-
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe92⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe93⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe94⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe95⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe96⤵PID:2864
-
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe97⤵PID:2456
-
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Egkgad32.exeC:\Windows\system32\Egkgad32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1668 -
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe101⤵PID:544
-
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe102⤵PID:1084
-
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe104⤵PID:2660
-
C:\Windows\SysWOW64\Fbloba32.exeC:\Windows\system32\Fbloba32.exe105⤵PID:2564
-
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe108⤵PID:1264
-
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe110⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe111⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe112⤵PID:576
-
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe113⤵PID:1088
-
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe114⤵PID:892
-
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe116⤵
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe117⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Inqhhc32.exeC:\Windows\system32\Inqhhc32.exe118⤵PID:1424
-
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Iimenapo.exeC:\Windows\system32\Iimenapo.exe120⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Idbjkj32.exeC:\Windows\system32\Idbjkj32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1348 -
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe122⤵
- Modifies registry class
PID:980