Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe
-
Size
93KB
-
MD5
c78773cdf05f552f441e4b0be5516999
-
SHA1
460e2aee8606e18ccfa69999efbc5f9b0f55a8ea
-
SHA256
f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6
-
SHA512
42c26426ff8fc4886787971be5f426a36ad2125dfa112db8e942cd850dd62943df0ce7fb3277a5553863dfd78b1faa03d7f615ea408ef2abb54fa16ac12a006c
-
SSDEEP
1536:VoyY5jIwLstLdiZv1tGJDFP8gMebMFUkBygE1GhghhhhhhhENCKT4jiwg58w:qDIj5xl8gMeoFUkUgjcY58w
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gjojef32.exeInbnhihl.exeNjgpij32.exeEpnhpglg.exeEojlbb32.exef40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exeGgnmbn32.exeOjomdoof.exeKalipcmb.exeCceogcfj.exeEppcmncq.exeKljdkpfl.exeMnglnj32.exeCkeqga32.exeHakkgc32.exeMkqqnq32.exeObbdml32.exeMpgobc32.exeMobomnoq.exeModlbmmn.exePacajg32.exePciddedl.exeEecafd32.exeLgehno32.exeMdiefffn.exeCbjlhpkb.exeJaoqqflp.exeIichjc32.exeBffbdadk.exeHejmpqop.exePdbmfb32.exeFeddombd.exeHiqoeplo.exeJpgjgboe.exeKpkpadnl.exeAnbkipok.exeAndgop32.exeGpidki32.exeIlnomp32.exeHcdgmimg.exeObeacl32.exeDgiaefgg.exeAmcbankf.exeCeebklai.exeKhohkamc.exeBhbkpgbf.exeJhmofo32.exeNmcopebh.exeBbhccm32.exeCmmcpi32.exeDilapopb.exeEimcjl32.exeJehlkhig.exeJhahanie.exeCfanmogq.exeEfedga32.exeAgbpnh32.exeOemgplgo.exeHdbpekam.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjojef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inbnhihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eojlbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kalipcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cceogcfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnglnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckeqga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mobomnoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pacajg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciddedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaoqqflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iichjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffbdadk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejmpqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdbmfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpgjgboe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anbkipok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpidki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdgmimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obeacl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgiaefgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcbankf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khohkamc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbkpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhmofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcopebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eimcjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jehlkhig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oemgplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbpekam.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Nbniid32.exeNjdqka32.exeNdmecgba.exeNmejllia.exeNoffdd32.exeNeqnqofm.exeOpfbngfb.exeObdojcef.exeOioggmmc.exeOlmcchlg.exeObgkpb32.exeOeehln32.exeOlophhjd.exeOonldcih.exeOdjdmjgo.exeOgiaif32.exeOmcifpnp.exeOpaebkmc.exeOgknoe32.exeOmefkplm.exePdonhj32.exePgnjde32.exePmgbao32.exePdakniag.exePecgea32.exePlmpblnb.exePphkbj32.exePhcpgm32.exePciddedl.exePegqpacp.exePckajebj.exePanaeb32.exePhhjblpa.exePldebkhj.exeQnebjc32.exeQfljkp32.exeQgmfchei.exeQkibcg32.exeQngopb32.exeQdaglmcb.exeAgpcihcf.exeAkkoig32.exeAcfdnihk.exeAgbpnh32.exeAqjdgmgd.exeAciqcifh.exeAfgmodel.exeAnneqafn.exeAqmamm32.exeAckmih32.exeAggiigmn.exeAjeeeblb.exeAmcbankf.exeAobnniji.exeAflfjc32.exeAmfognic.exeAkiobk32.exeBcpgdhpp.exeBfncpcoc.exeBeackp32.exeBimoloog.exeBkklhjnk.exeBnihdemo.exeBfqpecma.exepid Process 2088 Nbniid32.exe 1864 Njdqka32.exe 2752 Ndmecgba.exe 2656 Nmejllia.exe 2704 Noffdd32.exe 2708 Neqnqofm.exe 2740 Opfbngfb.exe 2580 Obdojcef.exe 1040 Oioggmmc.exe 1688 Olmcchlg.exe 2392 Obgkpb32.exe 2012 Oeehln32.exe 2008 Olophhjd.exe 1424 Oonldcih.exe 2400 Odjdmjgo.exe 2216 Ogiaif32.exe 1540 Omcifpnp.exe 2320 Opaebkmc.exe 1692 Ogknoe32.exe 1868 Omefkplm.exe 2292 Pdonhj32.exe 960 Pgnjde32.exe 896 Pmgbao32.exe 2180 Pdakniag.exe 3020 Pecgea32.exe 2388 Plmpblnb.exe 2360 Pphkbj32.exe 2768 Phcpgm32.exe 2796 Pciddedl.exe 2824 Pegqpacp.exe 2684 Pckajebj.exe 2600 Panaeb32.exe 2612 Phhjblpa.exe 1612 Pldebkhj.exe 2456 Qnebjc32.exe 1532 Qfljkp32.exe 552 Qgmfchei.exe 1344 Qkibcg32.exe 2844 Qngopb32.exe 2384 Qdaglmcb.exe 2852 Agpcihcf.exe 1148 Akkoig32.exe 628 Acfdnihk.exe 2464 Agbpnh32.exe 1552 Aqjdgmgd.exe 796 Aciqcifh.exe 3008 Afgmodel.exe 908 Anneqafn.exe 2784 Aqmamm32.exe 3024 Ackmih32.exe 2780 Aggiigmn.exe 2764 Ajeeeblb.exe 2564 Amcbankf.exe 2788 Aobnniji.exe 2548 Aflfjc32.exe 3000 Amfognic.exe 1712 Akiobk32.exe 1608 Bcpgdhpp.exe 2648 Bfncpcoc.exe 3048 Beackp32.exe 2136 Bimoloog.exe 1512 Bkklhjnk.exe 1732 Bnihdemo.exe 2984 Bfqpecma.exe -
Loads dropped DLL 64 IoCs
Processes:
f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exeNbniid32.exeNjdqka32.exeNdmecgba.exeNmejllia.exeNoffdd32.exeNeqnqofm.exeOpfbngfb.exeObdojcef.exeOioggmmc.exeOlmcchlg.exeObgkpb32.exeOeehln32.exeOlophhjd.exeOonldcih.exeOdjdmjgo.exeOgiaif32.exeOmcifpnp.exeOpaebkmc.exeOgknoe32.exeOmefkplm.exePdonhj32.exePgnjde32.exePmgbao32.exePdakniag.exePecgea32.exePlmpblnb.exePphkbj32.exePhcpgm32.exePciddedl.exePegqpacp.exePckajebj.exepid Process 2976 f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe 2976 f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe 2088 Nbniid32.exe 2088 Nbniid32.exe 1864 Njdqka32.exe 1864 Njdqka32.exe 2752 Ndmecgba.exe 2752 Ndmecgba.exe 2656 Nmejllia.exe 2656 Nmejllia.exe 2704 Noffdd32.exe 2704 Noffdd32.exe 2708 Neqnqofm.exe 2708 Neqnqofm.exe 2740 Opfbngfb.exe 2740 Opfbngfb.exe 2580 Obdojcef.exe 2580 Obdojcef.exe 1040 Oioggmmc.exe 1040 Oioggmmc.exe 1688 Olmcchlg.exe 1688 Olmcchlg.exe 2392 Obgkpb32.exe 2392 Obgkpb32.exe 2012 Oeehln32.exe 2012 Oeehln32.exe 2008 Olophhjd.exe 2008 Olophhjd.exe 1424 Oonldcih.exe 1424 Oonldcih.exe 2400 Odjdmjgo.exe 2400 Odjdmjgo.exe 2216 Ogiaif32.exe 2216 Ogiaif32.exe 1540 Omcifpnp.exe 1540 Omcifpnp.exe 2320 Opaebkmc.exe 2320 Opaebkmc.exe 1692 Ogknoe32.exe 1692 Ogknoe32.exe 1868 Omefkplm.exe 1868 Omefkplm.exe 2292 Pdonhj32.exe 2292 Pdonhj32.exe 960 Pgnjde32.exe 960 Pgnjde32.exe 896 Pmgbao32.exe 896 Pmgbao32.exe 2180 Pdakniag.exe 2180 Pdakniag.exe 3020 Pecgea32.exe 3020 Pecgea32.exe 2388 Plmpblnb.exe 2388 Plmpblnb.exe 2360 Pphkbj32.exe 2360 Pphkbj32.exe 2768 Phcpgm32.exe 2768 Phcpgm32.exe 2796 Pciddedl.exe 2796 Pciddedl.exe 2824 Pegqpacp.exe 2824 Pegqpacp.exe 2684 Pckajebj.exe 2684 Pckajebj.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jieaofmp.exeDlifadkk.exeGdkjdl32.exeCcbphk32.exeApgagg32.exeImaapa32.exeOlpilg32.exePmpbdm32.exeCepipm32.exeKglehp32.exeCkhdggom.exeFennoa32.exeIgmbgk32.exeCogfqe32.exeCbiiog32.exeEhlmljkm.exeEoepnk32.exeCgaaah32.exeHfbcidmk.exeOpialpld.exeDkigoimd.exeMhhgpc32.exeKpafapbk.exeDkdmfe32.exeKjahej32.exePmkhjncg.exeDlofgj32.exeQdaglmcb.exeHfepod32.exeFeddombd.exeIeofkp32.exeOpfegp32.exeEafkhn32.exeHfpfdeon.exeHboddk32.exeMkdffoij.exeLkjjma32.exeEeiheo32.exeLhcafa32.exeLnecigcp.exeHakkgc32.exeDmgmpnhl.exePciddedl.exeJaoqqflp.exeJhdlad32.exeDbaice32.exeEoblnd32.exeObdojcef.exeOeehln32.exeOejcpf32.exeKbbobkol.exeAjehnk32.exeFfaaoh32.exeEifmimch.exeGolbnm32.exeFgldnkkf.exeBnknoogp.exeBecpap32.exeAchjibcl.exedescription ioc Process File created C:\Windows\SysWOW64\Kmqmod32.exe Jieaofmp.exe File created C:\Windows\SysWOW64\Mommgm32.dll Dlifadkk.exe File created C:\Windows\SysWOW64\Ghgfekpn.exe Gdkjdl32.exe File created C:\Windows\SysWOW64\Beimfpfn.dll Ccbphk32.exe File created C:\Windows\SysWOW64\Acfmcc32.exe Apgagg32.exe File created C:\Windows\SysWOW64\Ipomlm32.exe Imaapa32.exe File opened for modification C:\Windows\SysWOW64\Odgamdef.exe Olpilg32.exe File opened for modification C:\Windows\SysWOW64\Paknelgk.exe Pmpbdm32.exe File created C:\Windows\SysWOW64\Cgoelh32.exe Cepipm32.exe File created C:\Windows\SysWOW64\Chpmbe32.dll File opened for modification C:\Windows\SysWOW64\Kocmim32.exe Kglehp32.exe File opened for modification C:\Windows\SysWOW64\Cocphf32.exe Ckhdggom.exe File opened for modification C:\Windows\SysWOW64\Fhljkm32.exe Fennoa32.exe File created C:\Windows\SysWOW64\Ifpcchai.exe Igmbgk32.exe File created C:\Windows\SysWOW64\Kdhdfgep.dll Jieaofmp.exe File created C:\Windows\SysWOW64\Npepblac.dll Cogfqe32.exe File opened for modification C:\Windows\SysWOW64\Cehfkb32.exe Cbiiog32.exe File created C:\Windows\SysWOW64\Hbpmap32.dll Ehlmljkm.exe File created C:\Windows\SysWOW64\Pfhmhm32.dll Eoepnk32.exe File created C:\Windows\SysWOW64\Cjonncab.exe Cgaaah32.exe File created C:\Windows\SysWOW64\Klncqmjg.dll Hfbcidmk.exe File created C:\Windows\SysWOW64\Onlahm32.exe Opialpld.exe File created C:\Windows\SysWOW64\Clgqde32.dll Dkigoimd.exe File opened for modification C:\Windows\SysWOW64\Mmccqbpm.exe Mhhgpc32.exe File created C:\Windows\SysWOW64\Kbpbmkan.exe Kpafapbk.exe File opened for modification C:\Windows\SysWOW64\Dppigchi.exe Dkdmfe32.exe File created C:\Windows\SysWOW64\Cefhdnca.dll Kjahej32.exe File created C:\Windows\SysWOW64\Pafdjmkq.exe Pmkhjncg.exe File created C:\Windows\SysWOW64\Dpjbgh32.exe Dlofgj32.exe File created C:\Windows\SysWOW64\Agpcihcf.exe Qdaglmcb.exe File opened for modification C:\Windows\SysWOW64\Hiclkp32.exe Hfepod32.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Feddombd.exe File created C:\Windows\SysWOW64\Igmbgk32.exe Ieofkp32.exe File opened for modification C:\Windows\SysWOW64\Obeacl32.exe Opfegp32.exe File created C:\Windows\SysWOW64\Eimcjl32.exe Eafkhn32.exe File created C:\Windows\SysWOW64\Bocndipc.dll File created C:\Windows\SysWOW64\Qnhhline.dll Hfpfdeon.exe File opened for modification C:\Windows\SysWOW64\Hemqpf32.exe Hboddk32.exe File opened for modification C:\Windows\SysWOW64\Mopbgn32.exe Mkdffoij.exe File opened for modification C:\Windows\SysWOW64\Loefnpnn.exe Lkjjma32.exe File created C:\Windows\SysWOW64\Ehhdaj32.exe Eeiheo32.exe File created C:\Windows\SysWOW64\Pacmhh32.dll Lhcafa32.exe File created C:\Windows\SysWOW64\Dokmejcg.dll Lnecigcp.exe File opened for modification C:\Windows\SysWOW64\Hpnkbpdd.exe Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Dpeiligo.exe Dmgmpnhl.exe File opened for modification C:\Windows\SysWOW64\Pegqpacp.exe Pciddedl.exe File created C:\Windows\SysWOW64\Flnlpo32.dll Jaoqqflp.exe File opened for modification C:\Windows\SysWOW64\Jkchmo32.exe Jhdlad32.exe File opened for modification C:\Windows\SysWOW64\Djiqdb32.exe Dbaice32.exe File created C:\Windows\SysWOW64\Cnoegakl.dll Eoblnd32.exe File opened for modification C:\Windows\SysWOW64\Oioggmmc.exe Obdojcef.exe File created C:\Windows\SysWOW64\Olophhjd.exe Oeehln32.exe File opened for modification C:\Windows\SysWOW64\Odmckcmq.exe Oejcpf32.exe File created C:\Windows\SysWOW64\Fbieeo32.dll Kbbobkol.exe File created C:\Windows\SysWOW64\Nedmma32.dll Ajehnk32.exe File created C:\Windows\SysWOW64\Fjlmpfhg.exe Ffaaoh32.exe File created C:\Windows\SysWOW64\Licpomcb.dll Eifmimch.exe File created C:\Windows\SysWOW64\Ekcqmj32.dll Ieofkp32.exe File created C:\Windows\SysWOW64\Imggplgm.exe File created C:\Windows\SysWOW64\Gbjojh32.exe Golbnm32.exe File opened for modification C:\Windows\SysWOW64\Ffodjh32.exe Fgldnkkf.exe File created C:\Windows\SysWOW64\Dgnenf32.dll Bnknoogp.exe File created C:\Windows\SysWOW64\Bgblmk32.exe Becpap32.exe File created C:\Windows\SysWOW64\Afffenbp.exe Achjibcl.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 11204 11176 1152 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Cgcnghpl.exeKpkpadnl.exeQdlggg32.exeBqeqqk32.exeOonldcih.exeOeindm32.exeAgbbgqhh.exeDnhbmpkn.exeDcdkef32.exeGhibjjnk.exeEeldkonl.exeFennoa32.exePicojhcm.exeEanldqgf.exeQfljkp32.exeDejbqb32.exeEknmhk32.exeMqjefamk.exeBefmfpbi.exeBdcifi32.exeFlocfmnl.exeJimbkh32.exeOemgplgo.exeAndgop32.exeHiqoeplo.exeHfepod32.exeModlbmmn.exeDlifadkk.exeEmoldlmc.exeCiohqa32.exeHjcppidk.exeQlgkki32.exeAdipfd32.exeElkofg32.exeHakkgc32.exeIdicbbpi.exeIladfn32.exeIpeaco32.exeCgoelh32.exeJioopgef.exeFmaeho32.exeFpoolael.exeGceailog.exeHebnlb32.exeOlpbaa32.exeFdpgph32.exeAfgmodel.exeBehilopf.exeInjndk32.exeEldiehbk.exeFaonom32.exeEelkeeah.exeFcphnm32.exeOhdfqbio.exePciddedl.exeMjcjog32.exeGkebafoa.exeHneeilgj.exeOdgamdef.exeHcojam32.exeOmcifpnp.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonldcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbbgqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeldkonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fennoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picojhcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejbqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flocfmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andgop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiqoeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfepod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciohqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adipfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgoelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jioopgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmodel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcphnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcjog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hneeilgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcifpnp.exe -
Modifies registry class 64 IoCs
Processes:
Bbjmpcab.exeChfbgn32.exeLbfook32.exeAjckilei.exeHcepqh32.exeCfanmogq.exePdonhj32.exeKhghgchk.exeCnkjnb32.exeJhoklnkg.exeNnjicjbf.exeOjomdoof.exeBjjaikoa.exeLpcoeb32.exeApmcefmf.exeDmijfmfi.exeCqdfehii.exeKddomchg.exeQndkpmkm.exeAhgofi32.exeHcdnhoac.exeGoiongbc.exeFmaeho32.exeGhacfmic.exeMjcaimgg.exeCegoqlof.exeIhpfgalh.exeNmflee32.exePioeoi32.exeGkcekfad.exeBqijljfd.exeDlgjldnm.exeEppefg32.exeGockgdeh.exeJhbold32.exeJoidhh32.exeCkeqga32.exeEimcjl32.exeKhadpa32.exeBbbpenco.exeLjnqdhga.exeFlfpabkp.exeKokmmkcm.exeCogfqe32.exeDnefhpma.exeGckdgjeb.exeBfncpcoc.exeGfejjgli.exeEcfnmh32.exeJaecod32.exeJfgebjnm.exeAchjibcl.exeLhcafa32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhigm32.dll" Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknbpmpk.dll" Chfbgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbfook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajckilei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcepqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfanmogq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdonhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhebgh32.dll" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhoklnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnjicjbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomdoof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igejec32.dll" Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimllb32.dll" Dmijfmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhniklfm.dll" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll" Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqhdl32.dll" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjoaognb.dll" Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qobmnf32.dll" Fmaeho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll" Cegoqlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mappnp32.dll" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfqea32.dll" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdjjm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlgjldnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbnjifp.dll" Gockgdeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majdmi32.dll" Jhbold32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckeqga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbbpenco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgaocl.dll" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdekpjbk.dll" Kokmmkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnefhpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gckdgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfncpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefkjiak.dll" Gfejjgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajpmc32.dll" Jaecod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhcafa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exeNbniid32.exeNjdqka32.exeNdmecgba.exeNmejllia.exeNoffdd32.exeNeqnqofm.exeOpfbngfb.exeObdojcef.exeOioggmmc.exeOlmcchlg.exeObgkpb32.exeOeehln32.exeOlophhjd.exeOonldcih.exeOdjdmjgo.exedescription pid Process procid_target PID 2976 wrote to memory of 2088 2976 f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe 30 PID 2976 wrote to memory of 2088 2976 f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe 30 PID 2976 wrote to memory of 2088 2976 f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe 30 PID 2976 wrote to memory of 2088 2976 f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe 30 PID 2088 wrote to memory of 1864 2088 Nbniid32.exe 31 PID 2088 wrote to memory of 1864 2088 Nbniid32.exe 31 PID 2088 wrote to memory of 1864 2088 Nbniid32.exe 31 PID 2088 wrote to memory of 1864 2088 Nbniid32.exe 31 PID 1864 wrote to memory of 2752 1864 Njdqka32.exe 32 PID 1864 wrote to memory of 2752 1864 Njdqka32.exe 32 PID 1864 wrote to memory of 2752 1864 Njdqka32.exe 32 PID 1864 wrote to memory of 2752 1864 Njdqka32.exe 32 PID 2752 wrote to memory of 2656 2752 Ndmecgba.exe 33 PID 2752 wrote to memory of 2656 2752 Ndmecgba.exe 33 PID 2752 wrote to memory of 2656 2752 Ndmecgba.exe 33 PID 2752 wrote to memory of 2656 2752 Ndmecgba.exe 33 PID 2656 wrote to memory of 2704 2656 Nmejllia.exe 34 PID 2656 wrote to memory of 2704 2656 Nmejllia.exe 34 PID 2656 wrote to memory of 2704 2656 Nmejllia.exe 34 PID 2656 wrote to memory of 2704 2656 Nmejllia.exe 34 PID 2704 wrote to memory of 2708 2704 Noffdd32.exe 35 PID 2704 wrote to memory of 2708 2704 Noffdd32.exe 35 PID 2704 wrote to memory of 2708 2704 Noffdd32.exe 35 PID 2704 wrote to memory of 2708 2704 Noffdd32.exe 35 PID 2708 wrote to memory of 2740 2708 Neqnqofm.exe 36 PID 2708 wrote to memory of 2740 2708 Neqnqofm.exe 36 PID 2708 wrote to memory of 2740 2708 Neqnqofm.exe 36 PID 2708 wrote to memory of 2740 2708 Neqnqofm.exe 36 PID 2740 wrote to memory of 2580 2740 Opfbngfb.exe 37 PID 2740 wrote to memory of 2580 2740 Opfbngfb.exe 37 PID 2740 wrote to memory of 2580 2740 Opfbngfb.exe 37 PID 2740 wrote to memory of 2580 2740 Opfbngfb.exe 37 PID 2580 wrote to memory of 1040 2580 Obdojcef.exe 38 PID 2580 wrote to memory of 1040 2580 Obdojcef.exe 38 PID 2580 wrote to memory of 1040 2580 Obdojcef.exe 38 PID 2580 wrote to memory of 1040 2580 Obdojcef.exe 38 PID 1040 wrote to memory of 1688 1040 Oioggmmc.exe 39 PID 1040 wrote to memory of 1688 1040 Oioggmmc.exe 39 PID 1040 wrote to memory of 1688 1040 Oioggmmc.exe 39 PID 1040 wrote to memory of 1688 1040 Oioggmmc.exe 39 PID 1688 wrote to memory of 2392 1688 Olmcchlg.exe 40 PID 1688 wrote to memory of 2392 1688 Olmcchlg.exe 40 PID 1688 wrote to memory of 2392 1688 Olmcchlg.exe 40 PID 1688 wrote to memory of 2392 1688 Olmcchlg.exe 40 PID 2392 wrote to memory of 2012 2392 Obgkpb32.exe 41 PID 2392 wrote to memory of 2012 2392 Obgkpb32.exe 41 PID 2392 wrote to memory of 2012 2392 Obgkpb32.exe 41 PID 2392 wrote to memory of 2012 2392 Obgkpb32.exe 41 PID 2012 wrote to memory of 2008 2012 Oeehln32.exe 42 PID 2012 wrote to memory of 2008 2012 Oeehln32.exe 42 PID 2012 wrote to memory of 2008 2012 Oeehln32.exe 42 PID 2012 wrote to memory of 2008 2012 Oeehln32.exe 42 PID 2008 wrote to memory of 1424 2008 Olophhjd.exe 43 PID 2008 wrote to memory of 1424 2008 Olophhjd.exe 43 PID 2008 wrote to memory of 1424 2008 Olophhjd.exe 43 PID 2008 wrote to memory of 1424 2008 Olophhjd.exe 43 PID 1424 wrote to memory of 2400 1424 Oonldcih.exe 44 PID 1424 wrote to memory of 2400 1424 Oonldcih.exe 44 PID 1424 wrote to memory of 2400 1424 Oonldcih.exe 44 PID 1424 wrote to memory of 2400 1424 Oonldcih.exe 44 PID 2400 wrote to memory of 2216 2400 Odjdmjgo.exe 45 PID 2400 wrote to memory of 2216 2400 Odjdmjgo.exe 45 PID 2400 wrote to memory of 2216 2400 Odjdmjgo.exe 45 PID 2400 wrote to memory of 2216 2400 Odjdmjgo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe"C:\Users\Admin\AppData\Local\Temp\f40a284d8a4c619341a135ba88daf514553ed7198e02ace5837cba5faac66de6.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe33⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe35⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe36⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe38⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe39⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe40⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe42⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe43⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe44⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe46⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe47⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe49⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe50⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe51⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe52⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe53⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe55⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe56⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe57⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe58⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe59⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe61⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe62⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe63⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe64⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe65⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe66⤵
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe67⤵PID:1632
-
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe68⤵PID:2172
-
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe69⤵PID:2856
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe70⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe71⤵PID:2860
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe72⤵PID:1700
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe73⤵
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe74⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe75⤵PID:1640
-
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe76⤵PID:2832
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe77⤵PID:2336
-
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe78⤵PID:2616
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe79⤵PID:1476
-
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe80⤵PID:276
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe81⤵PID:700
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe82⤵PID:484
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe83⤵PID:2420
-
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe84⤵PID:2476
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe85⤵PID:2804
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe87⤵PID:2620
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe88⤵PID:2452
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe89⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe90⤵PID:2836
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe92⤵PID:608
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe93⤵PID:976
-
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe94⤵PID:844
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe95⤵PID:996
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe96⤵PID:2352
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe97⤵PID:1528
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe98⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe99⤵PID:1516
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe100⤵PID:1724
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe101⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe102⤵PID:2432
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe103⤵PID:2380
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe104⤵PID:1716
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe106⤵PID:2152
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe107⤵PID:1340
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe108⤵PID:2964
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe109⤵PID:2700
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe110⤵PID:1856
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe111⤵PID:1956
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe112⤵PID:2544
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe113⤵PID:1032
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe114⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe115⤵PID:2192
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe116⤵PID:1620
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe117⤵PID:1060
-
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe118⤵PID:2512
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe119⤵PID:588
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe120⤵PID:2068
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe121⤵PID:1248
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-