Analysis
-
max time kernel
92s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 04:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe
-
Size
96KB
-
MD5
5f05af8b74b354aff4357cfa0d110fd5
-
SHA1
e3c27a98f75c2d4a1efd614427c3def30c0cb369
-
SHA256
ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f
-
SHA512
e0eb2437bd4481557d0d569eab272c6a0dcf572a0ec5926fd511196ddd207c4988394124a8157c6cccdc74c0df48573f8c39aad6ee98bdf076be071faf15d032
-
SSDEEP
1536:RDMLdHWy2/MwrxHd2Gc1oZKxUVf/38pPS6Zs66DdZJduV9jojTIvjr:pmHWPkodHc1oQxgnslts6odHd69jc0v
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Oaqbkn32.exeBheplb32.exeKcpjnjii.exeHehkajig.exeLggejg32.exeMqafhl32.exeIdahjg32.exeNlkgmh32.exeBkobmnka.exeDkceokii.exePlejdkmm.exeBfgjjm32.exeJjjpnlbd.exeNognnj32.exeLjhefhha.exeLcimdh32.exeOeokal32.exeJnlbojee.exeEifaim32.exeDdgibkpc.exeFpggamqc.exeJnhidk32.exeKnnhjcog.exeAfgacokc.exeCbeapmll.exeEfccmidp.exeFikbocki.exeAkpoaj32.exeBhkfkmmg.exeDbqqkkbo.exeHcpojd32.exeOodcdb32.exePaoollik.exeQkjgegae.exeEiieicml.exePalbgl32.exeEiokinbk.exeLqmmmmph.exeMblcnj32.exeHmechmip.exeJpdhkf32.exeOjgjndno.exeQkmdkgob.exeHemdlj32.exeKgdpni32.exeNeafjdkn.exeFmfnpa32.exeGbfldf32.exeOnpjichj.exeFpgpgfmh.exeMmmqhl32.exeNhdlao32.exeKkpbin32.exeLmpkadnm.exePmlfqh32.exeFlqdlnde.exeIpoopgnf.exeAeaanjkl.exeCfbcke32.exePkadoiip.exeGdaociml.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaqbkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lggejg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqafhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkobmnka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkceokii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljhefhha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcimdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeokal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifaim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgibkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggamqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afgacokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akpoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkfkmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paoollik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiieicml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palbgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqmmmmph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkmdkgob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgdpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neafjdkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbfldf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddgibkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmpkadnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flqdlnde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkadoiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdaociml.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mbgjbkfg.exeMiaboe32.exeMbighjdd.exeMhfppabl.exeMblcnj32.exeMifljdjo.exeNjghbl32.exeNaaqofgj.exeNhkikq32.exeNbqmiinl.exeNhmeapmd.exeNognnj32.exeNeafjdkn.exeNahgoe32.exeNolgijpk.exeNhdlao32.exeOkchnk32.exeOehlkc32.exeOoqqdi32.exeOifeab32.exeOldamm32.exeOemefcap.exeOhkbbn32.exeOlgncmim.exeObafpg32.exeOlijhmgj.exeOafcqcea.exeOhpkmn32.exePojcjh32.exePedlgbkh.exePkadoiip.exePchlpfjb.exePibdmp32.exePlpqil32.exePamiaboj.exePlbmokop.exePoajkgnc.exePekbga32.exePlejdkmm.exePocfpf32.exePiijno32.exeQkjgegae.exeQadoba32.exeQkmdkgob.exeQcclld32.exeAllpejfe.exeAaiimadl.exeAjpqnneo.exeAfgacokc.exeAkcjkfij.exeAfinioip.exeAkffafgg.exeAbponp32.exeAjggomog.exeAodogdmn.exeBfngdn32.exeBkkple32.exeBfpdin32.exeBohibc32.exeBmlilh32.exeBbiado32.exeBombmcec.exeBfgjjm32.exeBmabggdm.exepid Process 4076 Mbgjbkfg.exe 2328 Miaboe32.exe 1188 Mbighjdd.exe 2184 Mhfppabl.exe 3212 Mblcnj32.exe 1304 Mifljdjo.exe 3656 Njghbl32.exe 4344 Naaqofgj.exe 2992 Nhkikq32.exe 1268 Nbqmiinl.exe 4540 Nhmeapmd.exe 708 Nognnj32.exe 3124 Neafjdkn.exe 4680 Nahgoe32.exe 4516 Nolgijpk.exe 3900 Nhdlao32.exe 3916 Okchnk32.exe 980 Oehlkc32.exe 2068 Ooqqdi32.exe 1860 Oifeab32.exe 3828 Oldamm32.exe 8 Oemefcap.exe 1804 Ohkbbn32.exe 648 Olgncmim.exe 1016 Obafpg32.exe 4984 Olijhmgj.exe 1924 Oafcqcea.exe 2272 Ohpkmn32.exe 4580 Pojcjh32.exe 4748 Pedlgbkh.exe 4728 Pkadoiip.exe 416 Pchlpfjb.exe 4048 Pibdmp32.exe 2568 Plpqil32.exe 772 Pamiaboj.exe 4380 Plbmokop.exe 5056 Poajkgnc.exe 2808 Pekbga32.exe 2768 Plejdkmm.exe 3888 Pocfpf32.exe 3772 Piijno32.exe 460 Qkjgegae.exe 2820 Qadoba32.exe 3408 Qkmdkgob.exe 1628 Qcclld32.exe 856 Allpejfe.exe 4296 Aaiimadl.exe 4588 Ajpqnneo.exe 2868 Afgacokc.exe 1624 Akcjkfij.exe 1124 Afinioip.exe 3776 Akffafgg.exe 1408 Abponp32.exe 1572 Ajggomog.exe 2460 Aodogdmn.exe 3756 Bfngdn32.exe 2620 Bkkple32.exe 372 Bfpdin32.exe 2392 Bohibc32.exe 3220 Bmlilh32.exe 2876 Bbiado32.exe 264 Bombmcec.exe 4700 Bfgjjm32.exe 332 Bmabggdm.exe -
Drops file in System32 directory 64 IoCs
Processes:
Efblbbqd.exeHlnjbedi.exePfandnla.exeCglbhhga.exeHildmn32.exeAolblopj.exeAhbjoe32.exeAdikdfna.exeCdimqm32.exeCpbjkn32.exeEifhdd32.exeHplicjok.exeCohkokgj.exeEiokinbk.exePdenmbkk.exeElnoopdj.exePmoiqneg.exeDbbffdlq.exeJebfng32.exeOmnjojpo.exeMnpabe32.exeCkhecmcf.exeIgfclkdj.exeQacameaj.exeBpkdjofm.exeOoqqdi32.exeChlflabp.exeHlglidlo.exeOffnhpfo.exeChnlgjlb.exePmcclm32.exeEkodjiol.exeLlmhaold.exeBmabggdm.exeMminhceb.exePlbmokop.exeCfigpm32.exeMjahlgpf.exeDbnmke32.exeDoaneiop.exeEnigke32.exeNhkikq32.exeOhkbbn32.exeLcdciiec.exePmnbfhal.exeFlqdlnde.exeIgigla32.exeOodcdb32.exeAlkijdci.exeAednci32.exeChnbbqpn.exeBombmcec.exeCkpbnb32.exeGflhoo32.exeHlcjhkdp.exeMjmoag32.exePhfjcf32.exeCbdjeg32.exeFihnomjp.exeFpgpgfmh.exeQadoba32.exeFmpqfq32.exeNmfcok32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Eiahnnph.exe Efblbbqd.exe File created C:\Windows\SysWOW64\Lobpkihi.dll Hlnjbedi.exe File opened for modification C:\Windows\SysWOW64\Pmlfqh32.exe Pfandnla.exe File opened for modification C:\Windows\SysWOW64\Ckgohf32.exe Cglbhhga.exe File created C:\Windows\SysWOW64\Iljpij32.exe Hildmn32.exe File created C:\Windows\SysWOW64\Adikdfna.exe Aolblopj.exe File created C:\Windows\SysWOW64\Hlmkgk32.dll Ahbjoe32.exe File opened for modification C:\Windows\SysWOW64\Akccap32.exe Adikdfna.exe File opened for modification C:\Windows\SysWOW64\Cggimh32.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Bjlfmfbi.dll Cpbjkn32.exe File created C:\Windows\SysWOW64\Embddb32.exe Eifhdd32.exe File opened for modification C:\Windows\SysWOW64\Hckeoeno.exe Hplicjok.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll Cohkokgj.exe File created C:\Windows\SysWOW64\Emjgim32.exe Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Pjpfjl32.exe Pdenmbkk.exe File created C:\Windows\SysWOW64\Efccmidp.exe Elnoopdj.exe File opened for modification C:\Windows\SysWOW64\Pefabkej.exe Pmoiqneg.exe File opened for modification C:\Windows\SysWOW64\Deqcbpld.exe Dbbffdlq.exe File created C:\Windows\SysWOW64\Jllokajf.exe Jebfng32.exe File opened for modification C:\Windows\SysWOW64\Ocgbld32.exe Omnjojpo.exe File created C:\Windows\SysWOW64\Mmbanbmg.exe Mnpabe32.exe File created C:\Windows\SysWOW64\Eadhip32.dll Ckhecmcf.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Qdaniq32.exe Qacameaj.exe File opened for modification C:\Windows\SysWOW64\Bgelgi32.exe Bpkdjofm.exe File created C:\Windows\SysWOW64\Oifeab32.exe Ooqqdi32.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Chlflabp.exe File opened for modification C:\Windows\SysWOW64\Hpchib32.exe Hlglidlo.exe File opened for modification C:\Windows\SysWOW64\Onmfimga.exe Offnhpfo.exe File created C:\Windows\SysWOW64\Cklhcfle.exe Chnlgjlb.exe File opened for modification C:\Windows\SysWOW64\Paoollik.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Eokqkh32.exe Ekodjiol.exe File created C:\Windows\SysWOW64\Lcgpni32.exe Llmhaold.exe File created C:\Windows\SysWOW64\Cfigpm32.exe Bmabggdm.exe File created C:\Windows\SysWOW64\Odgpqgeo.dll Mminhceb.exe File created C:\Windows\SysWOW64\Ofimgb32.dll Plbmokop.exe File created C:\Windows\SysWOW64\Ckfphc32.exe Cfigpm32.exe File opened for modification C:\Windows\SysWOW64\Mgehfkop.exe Mjahlgpf.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Dbnmke32.exe File created C:\Windows\SysWOW64\Dbpjaeoc.exe Doaneiop.exe File created C:\Windows\SysWOW64\Fqehjpfj.dll Enigke32.exe File created C:\Windows\SysWOW64\Nbqmiinl.exe Nhkikq32.exe File created C:\Windows\SysWOW64\Dpildobq.dll Ohkbbn32.exe File created C:\Windows\SysWOW64\Ljnlecmp.exe Lcdciiec.exe File created C:\Windows\SysWOW64\Pdhkcb32.exe Pmnbfhal.exe File created C:\Windows\SysWOW64\Bdinlh32.dll Flqdlnde.exe File opened for modification C:\Windows\SysWOW64\Jjgchm32.exe Igigla32.exe File created C:\Windows\SysWOW64\Mmddqemj.dll Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe Alkijdci.exe File created C:\Windows\SysWOW64\Ahbjoe32.exe Aednci32.exe File created C:\Windows\SysWOW64\Cohkokgj.exe Chnbbqpn.exe File created C:\Windows\SysWOW64\Bfgjjm32.exe Bombmcec.exe File opened for modification C:\Windows\SysWOW64\Dfgcakon.exe Ckpbnb32.exe File created C:\Windows\SysWOW64\Gqhejb32.dll Gflhoo32.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Pmnbfhal.exe File created C:\Windows\SysWOW64\Gdgiklme.dll Hlcjhkdp.exe File created C:\Windows\SysWOW64\Mohjdmko.dll Mjmoag32.exe File created C:\Windows\SysWOW64\Hffpdd32.dll Phfjcf32.exe File created C:\Windows\SysWOW64\Chnbbqpn.exe Cbdjeg32.exe File created C:\Windows\SysWOW64\Fmcjpl32.exe Fihnomjp.exe File created C:\Windows\SysWOW64\Ldklgegb.dll Fpgpgfmh.exe File created C:\Windows\SysWOW64\Flnqig32.dll Qadoba32.exe File created C:\Windows\SysWOW64\Glcaambb.exe Fmpqfq32.exe File created C:\Windows\SysWOW64\Ncqlkemc.exe Nmfcok32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 13004 12892 WerFault.exe 642 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nnafno32.exeBaegibae.exeHiiggoaf.exeMcbpjg32.exeGlcaambb.exeNjfagf32.exeOaqbkn32.exeGbeejp32.exeJpcapp32.exeNhdlao32.exeBfngdn32.exeHginecde.exeInqbclob.exeHlnjbedi.exePiijno32.exeDihlbf32.exeKflide32.exeOifeab32.exeNaecop32.exeQkipkani.exeMifljdjo.exeCjnffjkl.exeHplicjok.exePefabkej.exeGflhoo32.exeecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exeElnoopdj.exeMnkggfkb.exeImpliekg.exeKjeiodek.exeLlmhaold.exeCponen32.exeBombmcec.exeJlkipgpe.exeLqbncb32.exeBkobmnka.exeJebfng32.exeLlodgnja.exeBfpdin32.exeDbqqkkbo.exePmcclm32.exeAnmfbl32.exeKgflcifg.exeAmjbbfgo.exeCklhcfle.exeAaiimadl.exeLnjnqh32.exeEiieicml.exeFpgpgfmh.exeEehicoel.exeFmhdkknd.exeHlbcnd32.exeNggnadib.exeBkgeainn.exeJpdhkf32.exePalbgl32.exeOmnjojpo.exeAkffafgg.exeFpggamqc.exePhaahggp.exeEiloco32.exeOgekbb32.exeCkgohf32.exeFfmfchle.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baegibae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiiggoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcapp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginecde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflide32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkipkani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnffjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplicjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefabkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnoopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cponen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bombmcec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkipgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkobmnka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llodgnja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqqkkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiieicml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggnadib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnjojpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpggamqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phaahggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgohf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmfchle.exe -
Modifies registry class 64 IoCs
Processes:
Lgibpf32.exeBaegibae.exeNahgoe32.exeDbqqkkbo.exeIinqbn32.exeMccfdmmo.exeLcdciiec.exePedlgbkh.exeGdaociml.exeIlmmni32.exeIdcepgmg.exeJnhidk32.exeAeaanjkl.exeFpbflg32.exeFngcmcfe.exeOldamm32.exeCjnffjkl.exeMnjqmpgg.exeAaldccip.exeBkgeainn.exeCponen32.exeJgkmgk32.exeKjjbjd32.exeEejeiocj.exeIibccgep.exeMmmqhl32.exeHcpojd32.exeEnigke32.exeAkccap32.exeCndeii32.exeDkfadkgf.exeImgicgca.exeKnnhjcog.exeNmfcok32.exeGlcaambb.exeMaiccajf.exeNnkpnclp.exeOlicnfco.exePhfjcf32.exeNpiiffqe.exeObafpg32.exeDdgplado.exeOcgbld32.exeAkpoaj32.exeAajhndkb.exeAdhdjpjf.exeBhhiemoj.exePchlpfjb.exeAaiimadl.exeBaannc32.exeAodogdmn.exeBohibc32.exeBnmoijje.exeKpjgaoqm.exeOhpkmn32.exePocfpf32.exeDckdjomg.exeIciaqc32.exeKnhakh32.exeMgclpkac.exePhaahggp.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpopgneq.dll" Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edmpgp32.dll" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcdciiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilmmni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeaanjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oldamm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjnffjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll" Aaldccip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll" Cponen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgkmgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll" Mmmqhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcpojd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akccap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paedlhhc.dll" Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Nnkpnclp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olicnfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffpdd32.dll" Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll" Imgicgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npiiffqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqomgid.dll" Glcaambb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddgplado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocgbld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll" Aajhndkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhhiemoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbobfjdp.dll" Pchlpfjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfapoa32.dll" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnmoijje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpjgaoqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifmo32.dll" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knhakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exeMbgjbkfg.exeMiaboe32.exeMbighjdd.exeMhfppabl.exeMblcnj32.exeMifljdjo.exeNjghbl32.exeNaaqofgj.exeNhkikq32.exeNbqmiinl.exeNhmeapmd.exeNognnj32.exeNeafjdkn.exeNahgoe32.exeNolgijpk.exeNhdlao32.exeOkchnk32.exeOehlkc32.exeOoqqdi32.exeOifeab32.exeOldamm32.exedescription pid Process procid_target PID 4872 wrote to memory of 4076 4872 ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe 84 PID 4872 wrote to memory of 4076 4872 ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe 84 PID 4872 wrote to memory of 4076 4872 ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe 84 PID 4076 wrote to memory of 2328 4076 Mbgjbkfg.exe 85 PID 4076 wrote to memory of 2328 4076 Mbgjbkfg.exe 85 PID 4076 wrote to memory of 2328 4076 Mbgjbkfg.exe 85 PID 2328 wrote to memory of 1188 2328 Miaboe32.exe 86 PID 2328 wrote to memory of 1188 2328 Miaboe32.exe 86 PID 2328 wrote to memory of 1188 2328 Miaboe32.exe 86 PID 1188 wrote to memory of 2184 1188 Mbighjdd.exe 87 PID 1188 wrote to memory of 2184 1188 Mbighjdd.exe 87 PID 1188 wrote to memory of 2184 1188 Mbighjdd.exe 87 PID 2184 wrote to memory of 3212 2184 Mhfppabl.exe 88 PID 2184 wrote to memory of 3212 2184 Mhfppabl.exe 88 PID 2184 wrote to memory of 3212 2184 Mhfppabl.exe 88 PID 3212 wrote to memory of 1304 3212 Mblcnj32.exe 89 PID 3212 wrote to memory of 1304 3212 Mblcnj32.exe 89 PID 3212 wrote to memory of 1304 3212 Mblcnj32.exe 89 PID 1304 wrote to memory of 3656 1304 Mifljdjo.exe 90 PID 1304 wrote to memory of 3656 1304 Mifljdjo.exe 90 PID 1304 wrote to memory of 3656 1304 Mifljdjo.exe 90 PID 3656 wrote to memory of 4344 3656 Njghbl32.exe 91 PID 3656 wrote to memory of 4344 3656 Njghbl32.exe 91 PID 3656 wrote to memory of 4344 3656 Njghbl32.exe 91 PID 4344 wrote to memory of 2992 4344 Naaqofgj.exe 92 PID 4344 wrote to memory of 2992 4344 Naaqofgj.exe 92 PID 4344 wrote to memory of 2992 4344 Naaqofgj.exe 92 PID 2992 wrote to memory of 1268 2992 Nhkikq32.exe 93 PID 2992 wrote to memory of 1268 2992 Nhkikq32.exe 93 PID 2992 wrote to memory of 1268 2992 Nhkikq32.exe 93 PID 1268 wrote to memory of 4540 1268 Nbqmiinl.exe 94 PID 1268 wrote to memory of 4540 1268 Nbqmiinl.exe 94 PID 1268 wrote to memory of 4540 1268 Nbqmiinl.exe 94 PID 4540 wrote to memory of 708 4540 Nhmeapmd.exe 95 PID 4540 wrote to memory of 708 4540 Nhmeapmd.exe 95 PID 4540 wrote to memory of 708 4540 Nhmeapmd.exe 95 PID 708 wrote to memory of 3124 708 Nognnj32.exe 96 PID 708 wrote to memory of 3124 708 Nognnj32.exe 96 PID 708 wrote to memory of 3124 708 Nognnj32.exe 96 PID 3124 wrote to memory of 4680 3124 Neafjdkn.exe 97 PID 3124 wrote to memory of 4680 3124 Neafjdkn.exe 97 PID 3124 wrote to memory of 4680 3124 Neafjdkn.exe 97 PID 4680 wrote to memory of 4516 4680 Nahgoe32.exe 98 PID 4680 wrote to memory of 4516 4680 Nahgoe32.exe 98 PID 4680 wrote to memory of 4516 4680 Nahgoe32.exe 98 PID 4516 wrote to memory of 3900 4516 Nolgijpk.exe 99 PID 4516 wrote to memory of 3900 4516 Nolgijpk.exe 99 PID 4516 wrote to memory of 3900 4516 Nolgijpk.exe 99 PID 3900 wrote to memory of 3916 3900 Nhdlao32.exe 100 PID 3900 wrote to memory of 3916 3900 Nhdlao32.exe 100 PID 3900 wrote to memory of 3916 3900 Nhdlao32.exe 100 PID 3916 wrote to memory of 980 3916 Okchnk32.exe 101 PID 3916 wrote to memory of 980 3916 Okchnk32.exe 101 PID 3916 wrote to memory of 980 3916 Okchnk32.exe 101 PID 980 wrote to memory of 2068 980 Oehlkc32.exe 102 PID 980 wrote to memory of 2068 980 Oehlkc32.exe 102 PID 980 wrote to memory of 2068 980 Oehlkc32.exe 102 PID 2068 wrote to memory of 1860 2068 Ooqqdi32.exe 103 PID 2068 wrote to memory of 1860 2068 Ooqqdi32.exe 103 PID 2068 wrote to memory of 1860 2068 Ooqqdi32.exe 103 PID 1860 wrote to memory of 3828 1860 Oifeab32.exe 104 PID 1860 wrote to memory of 3828 1860 Oifeab32.exe 104 PID 1860 wrote to memory of 3828 1860 Oifeab32.exe 104 PID 3828 wrote to memory of 8 3828 Oldamm32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe"C:\Users\Admin\AppData\Local\Temp\ecf63eb7c1219167fffa1f1554486fd36093d57cf48e94a85772b2a22c41bb5f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe23⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe25⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe27⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe28⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe30⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:416 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe34⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe36⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe38⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe39⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3772 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe46⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe47⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe49⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe51⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe52⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3776 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe54⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe55⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe58⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe61⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe62⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe66⤵
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe67⤵PID:4140
-
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe68⤵PID:4176
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe69⤵PID:676
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe70⤵PID:4880
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe71⤵PID:2368
-
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe72⤵PID:3620
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1328 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe74⤵PID:4020
-
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe76⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe77⤵PID:2212
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe78⤵
- Modifies registry class
PID:224 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe79⤵
- System Location Discovery: System Language Discovery
PID:4080 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe80⤵PID:464
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe82⤵PID:3716
-
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe83⤵PID:3600
-
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe84⤵PID:3768
-
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3512 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe87⤵PID:3504
-
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe88⤵PID:3252
-
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe89⤵PID:1476
-
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe90⤵PID:3016
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe91⤵PID:3952
-
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe92⤵PID:5012
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe93⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe94⤵PID:4520
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe95⤵PID:4492
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe96⤵PID:4696
-
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe98⤵PID:5136
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe99⤵PID:5192
-
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe100⤵
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5284 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe103⤵PID:5396
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe104⤵PID:5444
-
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe106⤵PID:5532
-
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe107⤵PID:5580
-
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe108⤵PID:5624
-
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe109⤵PID:5672
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5716 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe111⤵PID:5764
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe112⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe114⤵PID:5904
-
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe115⤵PID:5948
-
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe116⤵PID:5988
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe117⤵PID:6040
-
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe118⤵PID:6084
-
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe120⤵PID:5144
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe121⤵PID:5232
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-