Analysis
max time kernel: 53s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 04:39

Static task: static1
Behavioral task: behavioral1
  Sample: e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe
  Resource: win10v2004-20241007-en

General
Target: e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe
Size: 669KB
MD5: 013731f1e2ee59dcb4e5c1dceab78c9d
SHA1: 4e8d174c9226841581aac442cf6c424d588ddbe0
SHA256: e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5
SHA512: a2e4b8ff52991c86d5dd0f923dec38a447d9de28f5ecd7bab87f0e2d1474dfe74829d1978a1129a41a3d6ee2ca0c3ebe25a961142bfccc5af7b456407763eae5
SSDEEP: 12288:rVfUteVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:rVfUMchMpQnqrdX72LbY6x46uR/qYglN

Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Ppcmhj32.exe, Ngcebnen.exe, Afdjmo32.exe, Eomfiobe.exe, Coejfn32.exe, Olclimif.exe, Gefjlg32.exe, e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe, Diklpn32.exe, Cjglcmbi.exe, Cjlenm32.exe, Giljinne.exe, Hmpemkkf.exe, Ddmohbln.exe, Mmgmhngk.exe, Ldfgbb32.exe, Oncndnlq.exe, Enajgllm.exe, Ecnbpcje.exe, Kgoief32.exe, Gpfeoqmf.exe, Kalkjh32.exe, Npgppdpc.exe, Pmecdgbk.exe, Egaoldnf.exe, Naebmppm.exe, Chdeonfa.exe, Fkfcdpfg.exe, Kacakgip.exe, Qnmfmoaa.exe, Nhbnjpic.exe, Bgndnd32.exe, Kidlodkj.exe, Hngbhp32.exe, Lmhhcaik.exe, Nmnoll32.exe, Ephhmn32.exe, Kelqff32.exe, Bncboo32.exe, Edbonh32.exe, Fefdhj32.exe, Kmjhjndm.exe, Qpnkjq32.exe, Bholco32.exe, Ofcnmh32.exe, Opaeok32.exe, Jmqckf32.exe, Jmplqp32.exe, Kebgea32.exe, Kfkjnh32.exe, Pbcahgjd.exe, Ehjbaooe.exe, Ccgahe32.exe, Ffeoid32.exe, Ejbhno32.exe, Fbflfomj.exe, Jmcpqfba.exe, Eibbqmhd.exe, Amglij32.exe, Bbkkbpjc.exe, Cidhcg32.exe, Ffokan32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppcmhj32.exe, Ngcebnen.exe, Olclimif.exe, Gefjlg32.exe, e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe, Diklpn32.exe, Cjlenm32.exe, Hmpemkkf.exe, Ddmohbln.exe, Oncndnlq.exe, Kgoief32.exe, Npgppdpc.exe, Egaoldnf.exe, Chdeonfa.exe, Fkfcdpfg.exe, Kacakgip.exe, Qnmfmoaa.exe, Nhbnjpic.exe, Mmgmhngk.exe, Bgndnd32.exe, Kidlodkj.exe, Hngbhp32.exe, Lmhhcaik.exe, Nmnoll32.exe, Kelqff32.exe, Bncboo32.exe, Edbonh32.exe, Kmjhjndm.exe, Qpnkjq32.exe, Opaeok32.exe, Ehjbaooe.exe, Ccgahe32.exe, Ejbhno32.exe, Fbflfomj.exe, Amglij32.exe, Bbkkbpjc.exe, Cidhcg32.exe, Enajgllm.exe (38 IoCs)
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afdjmo32.exe, Eomfiobe.exe, Coejfn32.exe, Cjglcmbi.exe, Giljinne.exe, Mmgmhngk.exe, Ldfgbb32.exe, Enajgllm.exe, Ecnbpcje.exe, Gpfeoqmf.exe, Kalkjh32.exe, Pmecdgbk.exe, Naebmppm.exe, Ephhmn32.exe, Fefdhj32.exe, Bholco32.exe, Ofcnmh32.exe, Jmqckf32.exe, Jmplqp32.exe, Kebgea32.exe, Kfkjnh32.exe, Pbcahgjd.exe, Ffeoid32.exe, Jmcpqfba.exe, Eibbqmhd.exe, Ffokan32.exe (26 IoCs)

Berbew family
Executes dropped EXE (64 IoCs)
Processes: Lcqdidim.exe, Mnfhfmhc.exe, Mgjpcf32.exe, Nmnoll32.exe, Onhnjclg.exe, Ppqqbjkm.exe, Ppcmhj32.exe, Qhehmkqn.exe, Akhndf32.exe, Apllml32.exe, Blcmbmip.exe, Bhjngnod.exe, Cqlhlo32.exe, Cfmjoe32.exe, Cofohkgi.exe, Ephhmn32.exe, Edfqclni.exe, Ehjbaooe.exe, Ebpgoh32.exe, Flhkhnel.exe, Fljhmmci.exe, Fhcehngk.exe, Fpojlp32.exe, Fangfcki.exe, Gmegkd32.exe, Gohqhl32.exe, Ghaeaaki.exe, Ghcbga32.exe, Galfpgpg.exe, Hngppgae.exe, Hgpeimhf.exe, Hfdbji32.exe, Ifgooikk.exe, Ibnodj32.exe, Ikfdmogp.exe, Iodlcnmf.exe, Ibeeeijg.exe, Jeenfd32.exe, Jmqckf32.exe, Jmcpqfba.exe, Jjgpjjak.exe, Jaahgd32.exe, Jilmkffb.exe, Jcaahofh.exe, Kphbmp32.exe, Keekeg32.exe, Kalkjh32.exe, Klapha32.exe, Kkglim32.exe, Kelqff32.exe, Kacakgip.exe, Lgpjcnhh.exe, Lphnlcnh.exe, Ldfgbb32.exe, Licpki32.exe, Lldhldpg.exe, Lelmei32.exe, Modano32.exe, Mognco32.exe, Mhobldaf.exe, Mnqdpj32.exe, Nqamaeii.exe, Nlhnfg32.exe, Nbgcdmjb.exe
pid | Process
2288 | Lcqdidim.exe
2920 | Mnfhfmhc.exe
2408 | Mgjpcf32.exe
2884 | Nmnoll32.exe
2760 | Onhnjclg.exe
900 | Ppqqbjkm.exe
2104 | Ppcmhj32.exe
1484 | Qhehmkqn.exe
3040 | Akhndf32.exe
540 | Apllml32.exe
2036 | Blcmbmip.exe
2348 | Bhjngnod.exe
2204 | Cqlhlo32.exe
2480 | Cfmjoe32.exe
2080 | Cofohkgi.exe
2652 | Ephhmn32.exe
2604 | Edfqclni.exe
2444 | Ehjbaooe.exe
1816 | Ebpgoh32.exe
1640 | Flhkhnel.exe
568 | Fljhmmci.exe
2376 | Fhcehngk.exe
1512 | Fpojlp32.exe
1748 | Fangfcki.exe
3012 | Gmegkd32.exe
1604 | Gohqhl32.exe
2912 | Ghaeaaki.exe
2932 | Ghcbga32.exe
2996 | Galfpgpg.exe
2744 | Hngppgae.exe
2440 | Hgpeimhf.exe
2472 | Hfdbji32.exe
2508 | Ifgooikk.exe
2500 | Ibnodj32.exe
2224 | Ikfdmogp.exe
2004 | Iodlcnmf.exe
1996 | Ibeeeijg.exe
2232 | Jeenfd32.exe
1524 | Jmqckf32.exe
368 | Jmcpqfba.exe
1716 | Jjgpjjak.exe
2484 | Jaahgd32.exe
696 | Jilmkffb.exe
112 | Jcaahofh.exe
2012 | Kphbmp32.exe
964 | Keekeg32.exe
1408 | Kalkjh32.exe
1740 | Klapha32.exe
1780 | Kkglim32.exe
316 | Kelqff32.exe
2468 | Kacakgip.exe
2976 | Lgpjcnhh.exe
1752 | Lphnlcnh.exe
2600 | Ldfgbb32.exe
2352 | Licpki32.exe
2312 | Lldhldpg.exe
1580 | Lelmei32.exe
2180 | Modano32.exe
1292 | Mognco32.exe
2888 | Mhobldaf.exe
2244 | Mnqdpj32.exe
2072 | Nqamaeii.exe
1832 | Nlhnfg32.exe
2284 | Nbgcdmjb.exe
Loads dropped DLL (64 IoCs)
Processes: e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe, Lcqdidim.exe, Mnfhfmhc.exe, Mgjpcf32.exe, Nmnoll32.exe, Onhnjclg.exe, Ppqqbjkm.exe, Ppcmhj32.exe, Qhehmkqn.exe, Akhndf32.exe, Apllml32.exe, Blcmbmip.exe, Bhjngnod.exe, Cqlhlo32.exe, Cfmjoe32.exe, Cofohkgi.exe, Ephhmn32.exe, Edfqclni.exe, Ehjbaooe.exe, Ebpgoh32.exe, Flhkhnel.exe, Fljhmmci.exe, Fhcehngk.exe, Fpojlp32.exe, Fangfcki.exe, Gmegkd32.exe, Gohqhl32.exe, Ghaeaaki.exe, Ghcbga32.exe, Galfpgpg.exe, Hngppgae.exe, Hgpeimhf.exe
pid | Process (two IoCs recorded per process)
2380 | e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe
2288 | Lcqdidim.exe
2920 | Mnfhfmhc.exe
2408 | Mgjpcf32.exe
2884 | Nmnoll32.exe
2760 | Onhnjclg.exe
900 | Ppqqbjkm.exe
2104 | Ppcmhj32.exe
1484 | Qhehmkqn.exe
3040 | Akhndf32.exe
540 | Apllml32.exe
2036 | Blcmbmip.exe
2348 | Bhjngnod.exe
2204 | Cqlhlo32.exe
2480 | Cfmjoe32.exe
2080 | Cofohkgi.exe
2652 | Ephhmn32.exe
2604 | Edfqclni.exe
2444 | Ehjbaooe.exe
1816 | Ebpgoh32.exe
1640 | Flhkhnel.exe
568 | Fljhmmci.exe
2376 | Fhcehngk.exe
1512 | Fpojlp32.exe
1748 | Fangfcki.exe
3012 | Gmegkd32.exe
1604 | Gohqhl32.exe
2912 | Ghaeaaki.exe
2932 | Ghcbga32.exe
2996 | Galfpgpg.exe
2744 | Hngppgae.exe
2440 | Hgpeimhf.exe
Drops file in System32 directory (64 IoCs)
Processes: Klapha32.exe, Pghklq32.exe, Oncpmf32.exe, Eddeia32.exe, Ebcqicem.exe, Hccbnhla.exe, Knkkngol.exe, Gigano32.exe, Dhcanahm.exe, Fkfcdpfg.exe, Mgjpcf32.exe, Cnedilio.exe, Akhndf32.exe, Iodlcnmf.exe, Kelqff32.exe, Ehilgikj.exe, Kjdiigbm.exe, Iccqedfa.exe, Pdhdcnng.exe, Flhkhnel.exe, Jaahgd32.exe, Mpegka32.exe, Dnbdbomn.exe, Pbcahgjd.exe, Coejfn32.exe, Gohqhl32.exe, Lgpjcnhh.exe, Jgiffg32.exe, Onhnjclg.exe, Ppqqbjkm.exe, Jilmkffb.exe, Pjbnmm32.exe, Aagadh32.exe, Nhbnjpic.exe, Lnhmqc32.exe, Cdooongp.exe, Gmegkd32.exe, Nlhnfg32.exe, Cjdonndl.exe, Kgoief32.exe, Gflcplhh.exe, Hcohbh32.exe, Inopce32.exe, Gfkagc32.exe, Kmeknakn.exe, Idkdfo32.exe, Enajgllm.exe, Jojaje32.exe, Nmgiga32.exe, Pqekin32.exe, Aghidl32.exe, Hgpeimhf.exe, Condfo32.exe, Ikfokb32.exe, Fpojlp32.exe, Chickknc.exe, Hmpemkkf.exe, Cpojcpcm.exe, Jmplqp32.exe, Bcbabodk.exe, Cgpmbgai.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\Igmqgqif.dll | Klapha32.exe
File created | C:\Windows\SysWOW64\Ddiafqpq.dll | Pghklq32.exe
File opened for modification | C:\Windows\SysWOW64\Okgpfjbo.exe | Oncpmf32.exe
File created | C:\Windows\SysWOW64\Qakagnfq.dll | Eddeia32.exe
File created | C:\Windows\SysWOW64\Jkjigh32.dll | Ebcqicem.exe
File created | C:\Windows\SysWOW64\Hojbbiae.exe | Hccbnhla.exe
File created | C:\Windows\SysWOW64\Kidlodkj.exe | Knkkngol.exe
File created | C:\Windows\SysWOW64\Kkmddm32.dll | Gigano32.exe
File opened for modification | C:\Windows\SysWOW64\Ddjbbbna.exe | Dhcanahm.exe
File created | C:\Windows\SysWOW64\Fhjcmcep.exe | Fkfcdpfg.exe
File created | C:\Windows\SysWOW64\Lbinkahf.dll | Mgjpcf32.exe
File created | C:\Windows\SysWOW64\Cofaad32.exe | Cnedilio.exe
File created | C:\Windows\SysWOW64\Apllml32.exe | Akhndf32.exe
File created | C:\Windows\SysWOW64\Kgagfk32.dll | Iodlcnmf.exe
File opened for modification | C:\Windows\SysWOW64\Kacakgip.exe | Kelqff32.exe
File created | C:\Windows\SysWOW64\Fncddc32.exe | Ehilgikj.exe
File created | C:\Windows\SysWOW64\Kfkjnh32.exe | Kjdiigbm.exe
File created | C:\Windows\SysWOW64\Cffpbe32.dll | Iccqedfa.exe
File created | C:\Windows\SysWOW64\Paldmbmq.exe | Pdhdcnng.exe
File opened for modification | C:\Windows\SysWOW64\Fljhmmci.exe | Flhkhnel.exe
File opened for modification | C:\Windows\SysWOW64\Jilmkffb.exe | Jaahgd32.exe
File created | C:\Windows\SysWOW64\Mebpchmb.exe | Mpegka32.exe
File created | C:\Windows\SysWOW64\Dndahokk.exe | Dnbdbomn.exe
File created | C:\Windows\SysWOW64\Qmmbhegc.exe | Pbcahgjd.exe
File opened for modification | C:\Windows\SysWOW64\Dklkkoqf.exe | Coejfn32.exe
File created | C:\Windows\SysWOW64\Ghaeaaki.exe | Gohqhl32.exe
File opened for modification | C:\Windows\SysWOW64\Lphnlcnh.exe | Lgpjcnhh.exe
File created | C:\Windows\SysWOW64\Hnibonjd.dll | Jgiffg32.exe
File created | C:\Windows\SysWOW64\Ppqqbjkm.exe | Onhnjclg.exe
File created | C:\Windows\SysWOW64\Ppcmhj32.exe | Ppqqbjkm.exe
File created | C:\Windows\SysWOW64\Jcaahofh.exe | Jilmkffb.exe
File created | C:\Windows\SysWOW64\Hpiaec32.dll | Pjbnmm32.exe
File created | C:\Windows\SysWOW64\Qgbmpqjn.dll | Aagadh32.exe
File opened for modification | C:\Windows\SysWOW64\Nefncd32.exe | Nhbnjpic.exe
File created | C:\Windows\SysWOW64\Pagdkl32.dll | Lnhmqc32.exe
File created | C:\Windows\SysWOW64\Doipoldo.exe | Cdooongp.exe
File created | C:\Windows\SysWOW64\Gohqhl32.exe | Gmegkd32.exe
File opened for modification | C:\Windows\SysWOW64\Nbgcdmjb.exe | Nlhnfg32.exe
File opened for modification | C:\Windows\SysWOW64\Cjglcmbi.exe | Cjdonndl.exe
File created | C:\Windows\SysWOW64\Kkmakd32.exe | Kgoief32.exe
File created | C:\Windows\SysWOW64\Kjhffd32.dll | Gflcplhh.exe
File created | C:\Windows\SysWOW64\Fljhmmci.exe | Flhkhnel.exe
File created | C:\Windows\SysWOW64\Hadece32.exe | Hcohbh32.exe
File created | C:\Windows\SysWOW64\Kkggja32.dll | Inopce32.exe
File opened for modification | C:\Windows\SysWOW64\Giljinne.exe | Gfkagc32.exe
File opened for modification | C:\Windows\SysWOW64\Ppcmhj32.exe | Ppqqbjkm.exe
File created | C:\Windows\SysWOW64\Lmhhcaik.exe | Kmeknakn.exe
File created | C:\Windows\SysWOW64\Pfeqph32.dll | Idkdfo32.exe
File opened for modification | C:\Windows\SysWOW64\Ecnbpcje.exe | Enajgllm.exe
File created | C:\Windows\SysWOW64\Iphgeipb.dll | Jojaje32.exe
File created | C:\Windows\SysWOW64\Mfmial32.dll | Nmgiga32.exe
File created | C:\Windows\SysWOW64\Qjnoacdc.exe | Pqekin32.exe
File created | C:\Windows\SysWOW64\Akfbjkdj.exe | Aghidl32.exe
File opened for modification | C:\Windows\SysWOW64\Hfdbji32.exe | Hgpeimhf.exe
File created | C:\Windows\SysWOW64\Jodkkj32.exe | Jgiffg32.exe
File created | C:\Windows\SysWOW64\Cidhcg32.exe | Condfo32.exe
File created | C:\Windows\SysWOW64\Ijklmn32.exe | Ikfokb32.exe
File opened for modification | C:\Windows\SysWOW64\Fangfcki.exe | Fpojlp32.exe
File created | C:\Windows\SysWOW64\Cdpdpl32.exe | Chickknc.exe
File created | C:\Windows\SysWOW64\Hmbbcjic.exe | Hmpemkkf.exe
File opened for modification | C:\Windows\SysWOW64\Cgkoejig.exe | Cpojcpcm.exe
File created | C:\Windows\SysWOW64\Ghliap32.dll | Jmplqp32.exe
File opened for modification | C:\Windows\SysWOW64\Bagncl32.exe | Bcbabodk.exe
File opened for modification | C:\Windows\SysWOW64\Djaedbnj.exe | Cgpmbgai.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
3000 | 932 | WerFault.exe | 391
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Halkahoo.exe, Akhndf32.exe, Fljhmmci.exe, Nkmffegm.exe, Bckidl32.exe, Cdooongp.exe, Fnnbfjmp.exe, Blcmbmip.exe, Kalkjh32.exe, Dfmbmkgm.exe, Bhlmef32.exe, Jgiffg32.exe, Aliejq32.exe, Fidmniqa.exe, Dobcekld.exe, Jmqckf32.exe, Iqbekpal.exe, Kgibeklf.exe, Omjgkjof.exe, Baakem32.exe, Coehnecn.exe, Pmecdgbk.exe, Hpcbol32.exe, Qhehmkqn.exe, Lldhldpg.exe, Nlhnfg32.exe, Condfo32.exe, Ecnbpcje.exe, Llagegfb.exe, Cgkoejig.exe, Gflcplhh.exe, Lfgbmf32.exe, Mmojcceo.exe, Nimaic32.exe, Jhebij32.exe, Bholco32.exe, Gpiadq32.exe, Gohqhl32.exe, Cnnohmog.exe, Kfqpmc32.exe, Gbdobc32.exe, Licpki32.exe, Ogkbmcba.exe, Blpibghg.exe, Kmeknakn.exe, Qjnoacdc.exe, Cfmjoe32.exe, Clbbfj32.exe, Egobfdpi.exe, Cjglcmbi.exe, Qpnkjq32.exe, Bfjmkn32.exe, Hiichkog.exe, Ffndghdj.exe, Hngppgae.exe, Conbmfif.exe, Npgppdpc.exe, Bagncl32.exe, Gfkagc32.exe, Pobhfl32.exe, Mpegka32.exe, Okmqlp32.exe, Pildih32.exe, Ahmpfc32.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the 64 processes listed above (one IoC per process)
Modifies registry class (64 IoCs)
Processes: Ppqqbjkm.exe, Conbmfif.exe, Diklpn32.exe, Cnnohmog.exe, Bdbfpafn.exe, Egpdom32.exe, Ebpgoh32.exe, Bbkkbpjc.exe, Dnbdbomn.exe, Hljljflh.exe, Gflcplhh.exe, Ibnodj32.exe, Cofohkgi.exe, Iqbekpal.exe, Gfkagc32.exe, Lmondpbc.exe, Cdooongp.exe, Chahin32.exe, Qhehmkqn.exe, Dnonjqdq.exe, Efihcpqk.exe, Qpnkjq32.exe, Ecnbpcje.exe, Ffokan32.exe, Akfbjkdj.exe, Ehilgikj.exe, Meolcb32.exe, Pobhfl32.exe, Cidhcg32.exe, Ddmohbln.exe, Aajedn32.exe, Bagncl32.exe, Kbgqbdbd.exe, Ndkoemji.exe, Kcjcefbd.exe, Gnqolikm.exe, Hcohbh32.exe, Bfjmkn32.exe, Ijklmn32.exe, Licpki32.exe, Jqjdon32.exe, Pkdiehca.exe, Cpojcpcm.exe, Dobcekld.exe, Kidlodkj.exe, Cnedilio.exe, Fidmniqa.exe, Hinlck32.exe, Hfdbji32.exe, Modano32.exe, Coehnecn.exe, Oeeeeehe.exe, Dhcoei32.exe, Kalkjh32.exe, Lhgeao32.exe, Qipmdhcj.exe, Doipoldo.exe, Fefnmdfo.exe, Pjlgna32.exe, Jollgl32.exe, Ngcebnen.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ppqqbjkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Conbmfif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Diklpn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnnohmog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkdmogal.dll" | Bdbfpafn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiidfqe.dll" | Egpdom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ebpgoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfbpel32.dll" | Bbkkbpjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dnbdbomn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hljljflh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gflcplhh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ibnodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpipeaaf.dll" | Cofohkgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iqbekpal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpahjen.dll" | Gfkagc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncghha32.dll" | Lmondpbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cdooongp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chahin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qhehmkqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlleon32.dll" | Dnonjqdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlqmjc32.dll" | Efihcpqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfganlfn.dll" | Qpnkjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkfpmm32.dll" | Ecnbpcje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ffokan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Akfbjkdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkjbbln.dll" | Ehilgikj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbgqo32.dll" | Meolcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pobhfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cidhcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ddmohbln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkcnkj32.dll" | Aajedn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bagncl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbgqbdbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndkoemji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kcjcefbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gnqolikm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amebin32.dll" | Hcohbh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bfjmkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfehfd.dll" | Ijklmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjelpcob.dll" | Licpki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcleaanm.dll" | Jqjdon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pkdiehca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cpojcpcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmemm32.dll" | Dobcekld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebbii32.dll" | Kidlodkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckanhf32.dll" | Cnedilio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fidmniqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hinlck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hfdbji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Modano32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Coehnecn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oeeeeehe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodfic32.dll" | Dhcoei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qpnkjq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kalkjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Licpki32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljaplc32.dll" Lhgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naohim32.dll" Qipmdhcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doipoldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fefnmdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhffd32.dll" Gflcplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjlgna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jollgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngcebnen.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe, Lcqdidim.exe, Mnfhfmhc.exe, Mgjpcf32.exe, Nmnoll32.exe, Onhnjclg.exe, Ppqqbjkm.exe, Ppcmhj32.exe, Qhehmkqn.exe, Akhndf32.exe, Apllml32.exe, Blcmbmip.exe, Bhjngnod.exe, Cqlhlo32.exe, Cfmjoe32.exe, Cofohkgi.exe
description pid Process procid_target
PID 2380 wrote to memory of 2288 2380 e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe 29
PID 2380 wrote to memory of 2288 2380 e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe 29
PID 2380 wrote to memory of 2288 2380 e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe 29
PID 2380 wrote to memory of 2288 2380 e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe 29
PID 2288 wrote to memory of 2920 2288 Lcqdidim.exe 30
PID 2288 wrote to memory of 2920 2288 Lcqdidim.exe 30
PID 2288 wrote to memory of 2920 2288 Lcqdidim.exe 30
PID 2288 wrote to memory of 2920 2288 Lcqdidim.exe 30
PID 2920 wrote to memory of 2408 2920 Mnfhfmhc.exe 31
PID 2920 wrote to memory of 2408 2920 Mnfhfmhc.exe 31
PID 2920 wrote to memory of 2408 2920 Mnfhfmhc.exe 31
PID 2920 wrote to memory of 2408 2920 Mnfhfmhc.exe 31
PID 2408 wrote to memory of 2884 2408 Mgjpcf32.exe 32
PID 2408 wrote to memory of 2884 2408 Mgjpcf32.exe 32
PID 2408 wrote to memory of 2884 2408 Mgjpcf32.exe 32
PID 2408 wrote to memory of 2884 2408 Mgjpcf32.exe 32
PID 2884 wrote to memory of 2760 2884 Nmnoll32.exe 33
PID 2884 wrote to memory of 2760 2884 Nmnoll32.exe 33
PID 2884 wrote to memory of 2760 2884 Nmnoll32.exe 33
PID 2884 wrote to memory of 2760 2884 Nmnoll32.exe 33
PID 2760 wrote to memory of 900 2760 Onhnjclg.exe 34
PID 2760 wrote to memory of 900 2760 Onhnjclg.exe 34
PID 2760 wrote to memory of 900 2760 Onhnjclg.exe 34
PID 2760 wrote to memory of 900 2760 Onhnjclg.exe 34
PID 900 wrote to memory of 2104 900 Ppqqbjkm.exe 35
PID 900 wrote to memory of 2104 900 Ppqqbjkm.exe 35
PID 900 wrote to memory of 2104 900 Ppqqbjkm.exe 35
PID 900 wrote to memory of 2104 900 Ppqqbjkm.exe 35
PID 2104 wrote to memory of 1484 2104 Ppcmhj32.exe 36
PID 2104 wrote to memory of 1484 2104 Ppcmhj32.exe 36
PID 2104 wrote to memory of 1484 2104 Ppcmhj32.exe 36
PID 2104 wrote to memory of 1484 2104 Ppcmhj32.exe 36
PID 1484 wrote to memory of 3040 1484 Qhehmkqn.exe 37
PID 1484 wrote to memory of 3040 1484 Qhehmkqn.exe 37
PID 1484 wrote to memory of 3040 1484 Qhehmkqn.exe 37
PID 1484 wrote to memory of 3040 1484 Qhehmkqn.exe 37
PID 3040 wrote to memory of 540 3040 Akhndf32.exe 38
PID 3040 wrote to memory of 540 3040 Akhndf32.exe 38
PID 3040 wrote to memory of 540 3040 Akhndf32.exe 38
PID 3040 wrote to memory of 540 3040 Akhndf32.exe 38
PID 540 wrote to memory of 2036 540 Apllml32.exe 39
PID 540 wrote to memory of 2036 540 Apllml32.exe 39
PID 540 wrote to memory of 2036 540 Apllml32.exe 39
PID 540 wrote to memory of 2036 540 Apllml32.exe 39
PID 2036 wrote to memory of 2348 2036 Blcmbmip.exe 40
PID 2036 wrote to memory of 2348 2036 Blcmbmip.exe 40
PID 2036 wrote to memory of 2348 2036 Blcmbmip.exe 40
PID 2036 wrote to memory of 2348 2036 Blcmbmip.exe 40
PID 2348 wrote to memory of 2204 2348 Bhjngnod.exe 41
PID 2348 wrote to memory of 2204 2348 Bhjngnod.exe 41
PID 2348 wrote to memory of 2204 2348 Bhjngnod.exe 41
PID 2348 wrote to memory of 2204 2348 Bhjngnod.exe 41
PID 2204 wrote to memory of 2480 2204 Cqlhlo32.exe 42
PID 2204 wrote to memory of 2480 2204 Cqlhlo32.exe 42
PID 2204 wrote to memory of 2480 2204 Cqlhlo32.exe 42
PID 2204 wrote to memory of 2480 2204 Cqlhlo32.exe 42
PID 2480 wrote to memory of 2080 2480 Cfmjoe32.exe 43
PID 2480 wrote to memory of 2080 2480 Cfmjoe32.exe 43
PID 2480 wrote to memory of 2080 2480 Cfmjoe32.exe 43
PID 2480 wrote to memory of 2080 2480 Cfmjoe32.exe 43
PID 2080 wrote to memory of 2652 2080 Cofohkgi.exe 44
PID 2080 wrote to memory of 2652 2080 Cofohkgi.exe 44
PID 2080 wrote to memory of 2652 2080 Cofohkgi.exe 44
PID 2080 wrote to memory of 2652 2080 Cofohkgi.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe  "C:\Users\Admin\AppData\Local\Temp\e3c1742c0c9b3bac3a4fbf833d9a347df39c1dbe307baec35e4bfbd129e357f5.exe"  (depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
-
C:\Windows\SysWOW64\Lcqdidim.exe  C:\Windows\system32\Lcqdidim.exe  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288
-
C:\Windows\SysWOW64\Mnfhfmhc.exe  C:\Windows\system32\Mnfhfmhc.exe  (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920
-
C:\Windows\SysWOW64\Mgjpcf32.exe  C:\Windows\system32\Mgjpcf32.exe  (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408
-
C:\Windows\SysWOW64\Nmnoll32.exe  C:\Windows\system32\Nmnoll32.exe  (depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
-
C:\Windows\SysWOW64\Onhnjclg.exe  C:\Windows\system32\Onhnjclg.exe  (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760
-
C:\Windows\SysWOW64\Ppqqbjkm.exe  C:\Windows\system32\Ppqqbjkm.exe  (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900
-
C:\Windows\SysWOW64\Ppcmhj32.exe  C:\Windows\system32\Ppcmhj32.exe  (depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104
-
C:\Windows\SysWOW64\Qhehmkqn.exe  C:\Windows\system32\Qhehmkqn.exe  (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484
-
C:\Windows\SysWOW64\Akhndf32.exe  C:\Windows\system32\Akhndf32.exe  (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
-
C:\Windows\SysWOW64\Apllml32.exe  C:\Windows\system32\Apllml32.exe  (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540
-
C:\Windows\SysWOW64\Blcmbmip.exe  C:\Windows\system32\Blcmbmip.exe  (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
-
C:\Windows\SysWOW64\Bhjngnod.exe  C:\Windows\system32\Bhjngnod.exe  (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348
-
C:\Windows\SysWOW64\Cqlhlo32.exe  C:\Windows\system32\Cqlhlo32.exe  (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
-
C:\Windows\SysWOW64\Cfmjoe32.exe  C:\Windows\system32\Cfmjoe32.exe  (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
-
C:\Windows\SysWOW64\Cofohkgi.exe  C:\Windows\system32\Cofohkgi.exe  (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
-
C:\Windows\SysWOW64\Ephhmn32.exe  C:\Windows\system32\Ephhmn32.exe  (depth 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652
-
C:\Windows\SysWOW64\Edfqclni.exe  C:\Windows\system32\Edfqclni.exe  (depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2604
-
C:\Windows\SysWOW64\Ehjbaooe.exe  C:\Windows\system32\Ehjbaooe.exe  (depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2444
-
C:\Windows\SysWOW64\Ebpgoh32.exe  C:\Windows\system32\Ebpgoh32.exe  (depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1816
-
C:\Windows\SysWOW64\Flhkhnel.exe  C:\Windows\system32\Flhkhnel.exe  (depth 21)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1640
-
C:\Windows\SysWOW64\Fljhmmci.exe  C:\Windows\system32\Fljhmmci.exe  (depth 22)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:568
-
C:\Windows\SysWOW64\Fhcehngk.exe  C:\Windows\system32\Fhcehngk.exe  (depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:2376
-
C:\Windows\SysWOW64\Fpojlp32.exe  C:\Windows\system32\Fpojlp32.exe  (depth 24)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1512
-
C:\Windows\SysWOW64\Fangfcki.exe  C:\Windows\system32\Fangfcki.exe  (depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:1748
-
C:\Windows\SysWOW64\Gmegkd32.exe  C:\Windows\system32\Gmegkd32.exe  (depth 26)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3012
-
C:\Windows\SysWOW64\Gohqhl32.exe  C:\Windows\system32\Gohqhl32.exe  (depth 27)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1604
-
C:\Windows\SysWOW64\Ghaeaaki.exe  C:\Windows\system32\Ghaeaaki.exe  (depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2912
-
C:\Windows\SysWOW64\Ghcbga32.exe  C:\Windows\system32\Ghcbga32.exe  (depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2932
-
C:\Windows\SysWOW64\Galfpgpg.exe  C:\Windows\system32\Galfpgpg.exe  (depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2996
-
C:\Windows\SysWOW64\Hngppgae.exe  C:\Windows\system32\Hngppgae.exe  (depth 31)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2744
-
C:\Windows\SysWOW64\Hgpeimhf.exe  C:\Windows\system32\Hgpeimhf.exe  (depth 32)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2440
-
C:\Windows\SysWOW64\Hfdbji32.exe  C:\Windows\system32\Hfdbji32.exe  (depth 33)
- Executes dropped EXE
- Modifies registry class
PID:2472
-
C:\Windows\SysWOW64\Ifgooikk.exe  C:\Windows\system32\Ifgooikk.exe  (depth 34)
- Executes dropped EXE
PID:2508
-
C:\Windows\SysWOW64\Ibnodj32.exe  C:\Windows\system32\Ibnodj32.exe  (depth 35)
- Executes dropped EXE
- Modifies registry class
PID:2500
-
C:\Windows\SysWOW64\Ikfdmogp.exe  C:\Windows\system32\Ikfdmogp.exe  (depth 36)
- Executes dropped EXE
PID:2224
-
C:\Windows\SysWOW64\Iodlcnmf.exe  C:\Windows\system32\Iodlcnmf.exe  (depth 37)
- Executes dropped EXE
- Drops file in System32 directory
PID:2004
-
C:\Windows\SysWOW64\Ibeeeijg.exe  C:\Windows\system32\Ibeeeijg.exe  (depth 38)
- Executes dropped EXE
PID:1996
-
C:\Windows\SysWOW64\Jeenfd32.exe  C:\Windows\system32\Jeenfd32.exe  (depth 39)
- Executes dropped EXE
PID:2232
-
C:\Windows\SysWOW64\Jmqckf32.exe  C:\Windows\system32\Jmqckf32.exe  (depth 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524
-
C:\Windows\SysWOW64\Jmcpqfba.exe  C:\Windows\system32\Jmcpqfba.exe  (depth 41)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:368
-
C:\Windows\SysWOW64\Jjgpjjak.exe  C:\Windows\system32\Jjgpjjak.exe  (depth 42)
- Executes dropped EXE
PID:1716
-
C:\Windows\SysWOW64\Jaahgd32.exe  C:\Windows\system32\Jaahgd32.exe  (depth 43)
- Executes dropped EXE
- Drops file in System32 directory
PID:2484
-
C:\Windows\SysWOW64\Jilmkffb.exe  C:\Windows\system32\Jilmkffb.exe  (depth 44)
- Executes dropped EXE
- Drops file in System32 directory
PID:696
-
C:\Windows\SysWOW64\Jcaahofh.exe  C:\Windows\system32\Jcaahofh.exe  (depth 45)
- Executes dropped EXE
PID:112
-
C:\Windows\SysWOW64\Kphbmp32.exe  C:\Windows\system32\Kphbmp32.exe  (depth 46)
- Executes dropped EXE
PID:2012
-
C:\Windows\SysWOW64\Keekeg32.exe  C:\Windows\system32\Keekeg32.exe  (depth 47)
- Executes dropped EXE
PID:964
-
C:\Windows\SysWOW64\Kalkjh32.exe  C:\Windows\system32\Kalkjh32.exe  (depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1408
-
C:\Windows\SysWOW64\Klapha32.exe  C:\Windows\system32\Klapha32.exe  (depth 49)
- Executes dropped EXE
- Drops file in System32 directory
PID:1740
-
C:\Windows\SysWOW64\Kkglim32.exe  C:\Windows\system32\Kkglim32.exe  (depth 50)
- Executes dropped EXE
PID:1780
-
C:\Windows\SysWOW64\Kelqff32.exe  C:\Windows\system32\Kelqff32.exe  (depth 51)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:316
-
C:\Windows\SysWOW64\Kacakgip.exe  C:\Windows\system32\Kacakgip.exe  (depth 52)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468
-
C:\Windows\SysWOW64\Lgpjcnhh.exe  C:\Windows\system32\Lgpjcnhh.exe  (depth 53)
- Executes dropped EXE
- Drops file in System32 directory
PID:2976
-
C:\Windows\SysWOW64\Lphnlcnh.exe  C:\Windows\system32\Lphnlcnh.exe  (depth 54)
- Executes dropped EXE
PID:1752
-
C:\Windows\SysWOW64\Ldfgbb32.exe  C:\Windows\system32\Ldfgbb32.exe  (depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600
-
C:\Windows\SysWOW64\Licpki32.exe  C:\Windows\system32\Licpki32.exe  (depth 56)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2352
-
C:\Windows\SysWOW64\Lldhldpg.exe  C:\Windows\system32\Lldhldpg.exe  (depth 57)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312
-
C:\Windows\SysWOW64\Lelmei32.exe  C:\Windows\system32\Lelmei32.exe  (depth 58)
- Executes dropped EXE
PID:1580
-
C:\Windows\SysWOW64\Modano32.exe  C:\Windows\system32\Modano32.exe  (depth 59)
- Executes dropped EXE
- Modifies registry class
PID:2180
-
C:\Windows\SysWOW64\Mognco32.exe  C:\Windows\system32\Mognco32.exe  (depth 60)
- Executes dropped EXE
PID:1292
-
C:\Windows\SysWOW64\Mhobldaf.exe  C:\Windows\system32\Mhobldaf.exe  (depth 61)
- Executes dropped EXE
PID:2888
-
C:\Windows\SysWOW64\Mnqdpj32.exe  C:\Windows\system32\Mnqdpj32.exe  (depth 62)
- Executes dropped EXE
PID:2244
-
C:\Windows\SysWOW64\Nqamaeii.exe  C:\Windows\system32\Nqamaeii.exe  (depth 63)
- Executes dropped EXE
PID:2072
-
C:\Windows\SysWOW64\Nlhnfg32.exe  C:\Windows\system32\Nlhnfg32.exe  (depth 64)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1832
-
C:\Windows\SysWOW64\Nbgcdmjb.exe  C:\Windows\system32\Nbgcdmjb.exe  (depth 65)
- Executes dropped EXE
PID:2284
-
C:\Windows\SysWOW64\Nokdnail.exe  C:\Windows\system32\Nokdnail.exe  (depth 66)
PID:2008
-
C:\Windows\SysWOW64\Nkbdbbop.exe  C:\Windows\system32\Nkbdbbop.exe  (depth 67)
PID:2192
-
C:\Windows\SysWOW64\Oncndnlq.exe  C:\Windows\system32\Oncndnlq.exe  (depth 68)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:924
-
C:\Windows\SysWOW64\Ogkbmcba.exe  C:\Windows\system32\Ogkbmcba.exe  (depth 69)
- System Location Discovery: System Language Discovery
PID:1736
-
C:\Windows\SysWOW64\Omjgkjof.exe  C:\Windows\system32\Omjgkjof.exe  (depth 70)
- System Location Discovery: System Language Discovery
PID:2988
-
C:\Windows\SysWOW64\Oiahpkdj.exe  C:\Windows\system32\Oiahpkdj.exe  (depth 71)
PID:2992
-
C:\Windows\SysWOW64\Pmoqfi32.exe  C:\Windows\system32\Pmoqfi32.exe  (depth 72)
PID:2144
-
C:\Windows\SysWOW64\Pejejkhl.exe  C:\Windows\system32\Pejejkhl.exe  (depth 73)
PID:2256
-
C:\Windows\SysWOW64\Pbnfdpge.exe  C:\Windows\system32\Pbnfdpge.exe  (depth 74)
PID:2708
-
C:\Windows\SysWOW64\Pjlgna32.exe  C:\Windows\system32\Pjlgna32.exe  (depth 75)
- Modifies registry class
PID:1136
-
C:\Windows\SysWOW64\Phphgf32.exe  C:\Windows\system32\Phphgf32.exe  (depth 76)
PID:2300
-
C:\Windows\SysWOW64\Qechqj32.exe  C:\Windows\system32\Qechqj32.exe  (depth 77)
PID:2328
-
C:\Windows\SysWOW64\Qajiek32.exe  C:\Windows\system32\Qajiek32.exe  (depth 78)
PID:1448
-
C:\Windows\SysWOW64\Amaiklki.exe  C:\Windows\system32\Amaiklki.exe  (depth 79)
PID:1148
-
C:\Windows\SysWOW64\Apbblg32.exe  C:\Windows\system32\Apbblg32.exe  (depth 80)
PID:2764
-
C:\Windows\SysWOW64\Aijgemok.exe  C:\Windows\system32\Aijgemok.exe  (depth 81)
PID:2056
-
C:\Windows\SysWOW64\Afngoand.exe  C:\Windows\system32\Afngoand.exe  (depth 82)
PID:436
-
C:\Windows\SysWOW64\Aoilcc32.exe  C:\Windows\system32\Aoilcc32.exe  (depth 83)
PID:2236
-
C:\Windows\SysWOW64\Aajedn32.exe  C:\Windows\system32\Aajedn32.exe  (depth 84)
- Modifies registry class
PID:1556
-
C:\Windows\SysWOW64\Blpibghg.exe  C:\Windows\system32\Blpibghg.exe  (depth 85)
- System Location Discovery: System Language Discovery
PID:876
-
C:\Windows\SysWOW64\Bdknfiea.exe  C:\Windows\system32\Bdknfiea.exe  (depth 86)
PID:2292
-
C:\Windows\SysWOW64\Bncboo32.exe  C:\Windows\system32\Bncboo32.exe  (depth 87)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932
-
C:\Windows\SysWOW64\Baakem32.exe  C:\Windows\system32\Baakem32.exe  (depth 88)
- System Location Discovery: System Language Discovery
PID:2876
-
C:\Windows\SysWOW64\Bgndnd32.exe  C:\Windows\system32\Bgndnd32.exe  (depth 89)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788
-
C:\Windows\SysWOW64\Bpfhfjgq.exe  C:\Windows\system32\Bpfhfjgq.exe  (depth 90)
PID:2856
-
C:\Windows\SysWOW64\Ccgahe32.exe  C:\Windows\system32\Ccgahe32.exe  (depth 91)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168
-
C:\Windows\SysWOW64\Conbmfif.exe  C:\Windows\system32\Conbmfif.exe  (depth 92)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1812
-
C:\Windows\SysWOW64\Clbbfj32.exe  C:\Windows\system32\Clbbfj32.exe  (depth 93)
- System Location Discovery: System Language Discovery
PID:2240
-
C:\Windows\SysWOW64\Chickknc.exe  C:\Windows\system32\Chickknc.exe  (depth 94)
- Drops file in System32 directory
PID:1708
-
C:\Windows\SysWOW64\Cdpdpl32.exe  C:\Windows\system32\Cdpdpl32.exe  (depth 95)
PID:2212
-
C:\Windows\SysWOW64\Coehnecn.exe  C:\Windows\system32\Coehnecn.exe  (depth 96)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2216
-
C:\Windows\SysWOW64\Cgpmbgai.exe  C:\Windows\system32\Cgpmbgai.exe  (depth 97)
- Drops file in System32 directory
PID:1488
-
C:\Windows\SysWOW64\Djaedbnj.exe  C:\Windows\system32\Djaedbnj.exe  (depth 98)
PID:1992
-
C:\Windows\SysWOW64\Dnonjqdq.exe  C:\Windows\system32\Dnonjqdq.exe  (depth 99)
- Modifies registry class
PID:2648
-
C:\Windows\SysWOW64\Dfjcncak.exe  C:\Windows\system32\Dfjcncak.exe  (depth 100)
PID:1964
-
C:\Windows\SysWOW64\Diklpn32.exe  C:\Windows\system32\Diklpn32.exe  (depth 101)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2268
-
C:\Windows\SysWOW64\Ebcqicem.exe  C:\Windows\system32\Ebcqicem.exe  (depth 102)
- Drops file in System32 directory
PID:572
-
C:\Windows\SysWOW64\Enlncdio.exe  C:\Windows\system32\Enlncdio.exe  (depth 103)
PID:2596
-
C:\Windows\SysWOW64\Eibbqmhd.exe  C:\Windows\system32\Eibbqmhd.exe  (depth 104)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1172
-
C:\Windows\SysWOW64\Ejeknelp.exe  C:\Windows\system32\Ejeknelp.exe  (depth 105)
PID:2952
-
C:\Windows\SysWOW64\Ehilgikj.exe  C:\Windows\system32\Ehilgikj.exe  (depth 106)
- Drops file in System32 directory
- Modifies registry class
PID:1260
-
C:\Windows\SysWOW64\Fncddc32.exe  C:\Windows\system32\Fncddc32.exe  (depth 107)
PID:3008
-
C:\Windows\SysWOW64\Ffeoid32.exe  C:\Windows\system32\Ffeoid32.exe  (depth 108)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728
-
C:\Windows\SysWOW64\Fblpnepn.exe  C:\Windows\system32\Fblpnepn.exe  (depth 109)
PID:612
-
C:\Windows\SysWOW64\Gkgdbh32.exe  C:\Windows\system32\Gkgdbh32.exe  (depth 110)
PID:2620
-
C:\Windows\SysWOW64\Gadidabc.exe  C:\Windows\system32\Gadidabc.exe  (depth 111)
PID:1656
-
C:\Windows\SysWOW64\Gmkjjbhg.exe  C:\Windows\system32\Gmkjjbhg.exe  (depth 112)
PID:1644
-
C:\Windows\SysWOW64\Gpkckneh.exe  C:\Windows\system32\Gpkckneh.exe  (depth 113)
PID:2820
-
C:\Windows\SysWOW64\Gnocdb32.exe  C:\Windows\system32\Gnocdb32.exe  (depth 114)
PID:2748
-
C:\Windows\SysWOW64\Hdilalko.exe  C:\Windows\system32\Hdilalko.exe  (depth 115)
PID:2828
-
C:\Windows\SysWOW64\Hcohbh32.exe  C:\Windows\system32\Hcohbh32.exe  (depth 116)
- Drops file in System32 directory
- Modifies registry class
PID:2068
-
C:\Windows\SysWOW64\Hadece32.exe  C:\Windows\system32\Hadece32.exe  (depth 117)
PID:1676
-
C:\Windows\SysWOW64\Hccbnhla.exe  C:\Windows\system32\Hccbnhla.exe  (depth 118)
- Drops file in System32 directory
PID:2064
-
C:\Windows\SysWOW64\Hojbbiae.exe  C:\Windows\system32\Hojbbiae.exe  (depth 119)
PID:2640
-
C:\Windows\SysWOW64\Inopce32.exe  C:\Windows\system32\Inopce32.exe  (depth 120)
- Drops file in System32 directory
PID:2168
-
C:\Windows\SysWOW64\Idkdfo32.exe  C:\Windows\system32\Idkdfo32.exe  (depth 121)
- Drops file in System32 directory
PID:1396
-
C:\Windows\SysWOW64\Iqbekpal.exe  C:\Windows\system32\Iqbekpal.exe  (depth 122)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:288