Analysis
-
max time kernel
34s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 18:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe
-
Size
442KB
-
MD5
be1772b5b058ea75ff3602b262da393c
-
SHA1
be816b8f4b49c714159862e4e9f899c049a84020
-
SHA256
9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b
-
SHA512
414c707d03dcebbc2a8afafa01e0426306528cae19528328e950aba8c1dbe61470b8d8952daf5a8f1056b2342ad4c72cf688270f506d59185531f5fa848d7c81
-
SSDEEP
6144:7VwCZ9Yw2a2/A6Ilt+Owjgp5Gikym/89bifPidzIEZ/Vh:X12fv6UEF
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Aboaff32.exeDllhhaep.exeJhjphfgi.exeLohccp32.exeQpbglhjq.exeCbblda32.exeIeajkfmd.exeAcfmcc32.exeMpbdnk32.exeGbdhjm32.exeBnqned32.exeFjjpjgjj.exeMjaddn32.exeNbhhdnlh.exeOabkom32.exeQfonkfqd.exeAggiigmn.exeGcgnnlle.exeJmdepg32.exeKocmim32.exeLiqoflfh.exePciddedl.exeQackpado.exeEdfbaabj.exeNjhfcp32.exePpfomk32.exeHqfaldbo.exeDomqjm32.exeMlkjne32.exeAqjdgmgd.exeAobnniji.exeEijdkcgn.exeLdbofgme.exeNoemqe32.exeEfdhpjok.exeKfpifm32.exeOeehln32.exeMcjhmcok.exeOdgamdef.exeNefbga32.exeAfajafoa.exeDiibag32.exeGqnbhf32.exeOeckfndj.exeNdqkleln.exePofkha32.exeIimfld32.exeIhdpbq32.exeLgehno32.exeMimgeigj.exeBqgmfkhg.exePdbahpec.exeIdfnicfl.exeIiecgjba.exeOhhmcinf.exeBecpap32.exeDmjqpdje.exeFamope32.exeLonpma32.exeNjjcip32.exeAhgofi32.exeOklnff32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dllhhaep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhjphfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieajkfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbdhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oabkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfonkfqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcgnnlle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liqoflfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pciddedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edfbaabj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppfomk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqfaldbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Domqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqjdgmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noemqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdhpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfpifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nefbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afajafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqnbhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeckfndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndqkleln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijdkcgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdpbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbahpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfnicfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiecgjba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonpma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklnff32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Jajala32.exeJhffnk32.exeJkebjf32.exeKopokehd.exeKkileele.exeKnhhaaki.exeKbcdbp32.exeKcijeg32.exeKgefefnd.exeLfjcfb32.exeLjfogake.exeLiminmmk.exeLklejh32.exeLbemfbdk.exeLnlnlc32.exeMeffhnal.exeMfjoeeeh.exeMnaggcej.exeMpbdnk32.exeMfllkece.exeMdpldi32.exeMlkail32.exeMpgmijgc.exeMbeiefff.exeMfaefd32.exeNefbga32.exeNhdocl32.exeNlpkdkkd.exeNplfdj32.exeNehomq32.exeNoacef32.exeNdnlnm32.exeNledoj32.exeNmfqgbmm.exeNhlddkmc.exeNoemqe32.exeOgqaehak.exeOklnff32.exeOpifnm32.exeOlpgconp.exeOpkccm32.exeOnocmadb.exeOlbchn32.exeOoqpdj32.exeOhidmoaa.exeOpplolac.exeOaaifdhb.exeOlgmcmgh.exePkjmoj32.exePcaepg32.exePadeldeo.exePdbahpec.exePhnnho32.exePkljdj32.exePohfehdi.exePeanbblf.exePddnnp32.exePgckjk32.exePnmcfeia.exePqkobqhd.exePgegok32.exePnopldgn.exePdihiook.exePggdejno.exepid Process 1632 Jajala32.exe 2896 Jhffnk32.exe 2748 Jkebjf32.exe 3016 Kopokehd.exe 2636 Kkileele.exe 2712 Knhhaaki.exe 2676 Kbcdbp32.exe 1760 Kcijeg32.exe 1436 Kgefefnd.exe 2588 Lfjcfb32.exe 2992 Ljfogake.exe 2836 Liminmmk.exe 1568 Lklejh32.exe 1604 Lbemfbdk.exe 1972 Lnlnlc32.exe 2100 Meffhnal.exe 1092 Mfjoeeeh.exe 1248 Mnaggcej.exe 1284 Mpbdnk32.exe 888 Mfllkece.exe 984 Mdpldi32.exe 1416 Mlkail32.exe 1784 Mpgmijgc.exe 792 Mbeiefff.exe 1624 Mfaefd32.exe 2680 Nefbga32.exe 2828 Nhdocl32.exe 2256 Nlpkdkkd.exe 1992 Nplfdj32.exe 2792 Nehomq32.exe 2600 Noacef32.exe 2624 Ndnlnm32.exe 2176 Nledoj32.exe 2668 Nmfqgbmm.exe 2064 Nhlddkmc.exe 2184 Noemqe32.exe 2012 Ogqaehak.exe 1996 Oklnff32.exe 1564 Opifnm32.exe 1620 Olpgconp.exe 1836 Opkccm32.exe 1176 Onocmadb.exe 1540 Olbchn32.exe 3044 Ooqpdj32.exe 2276 Ohidmoaa.exe 1532 Opplolac.exe 2408 Oaaifdhb.exe 2476 Olgmcmgh.exe 2520 Pkjmoj32.exe 2104 Pcaepg32.exe 2764 Padeldeo.exe 2804 Pdbahpec.exe 2716 Phnnho32.exe 2556 Pkljdj32.exe 2672 Pohfehdi.exe 2452 Peanbblf.exe 2980 Pddnnp32.exe 564 Pgckjk32.exe 2532 Pnmcfeia.exe 1708 Pqkobqhd.exe 444 Pgegok32.exe 2368 Pnopldgn.exe 2360 Pdihiook.exe 2684 Pggdejno.exe -
Loads dropped DLL 64 IoCs
Processes:
9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exeJajala32.exeJhffnk32.exeJkebjf32.exeKopokehd.exeKkileele.exeKnhhaaki.exeKbcdbp32.exeKcijeg32.exeKgefefnd.exeLfjcfb32.exeLjfogake.exeLiminmmk.exeLklejh32.exeLbemfbdk.exeLnlnlc32.exeMeffhnal.exeMfjoeeeh.exeMnaggcej.exeMpbdnk32.exeMfllkece.exeMdpldi32.exeMlkail32.exeMpgmijgc.exeMbeiefff.exeMfaefd32.exeNefbga32.exeNhdocl32.exeNlpkdkkd.exeNplfdj32.exeNehomq32.exeNoacef32.exepid Process 1352 9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe 1352 9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe 1632 Jajala32.exe 1632 Jajala32.exe 2896 Jhffnk32.exe 2896 Jhffnk32.exe 2748 Jkebjf32.exe 2748 Jkebjf32.exe 3016 Kopokehd.exe 3016 Kopokehd.exe 2636 Kkileele.exe 2636 Kkileele.exe 2712 Knhhaaki.exe 2712 Knhhaaki.exe 2676 Kbcdbp32.exe 2676 Kbcdbp32.exe 1760 Kcijeg32.exe 1760 Kcijeg32.exe 1436 Kgefefnd.exe 1436 Kgefefnd.exe 2588 Lfjcfb32.exe 2588 Lfjcfb32.exe 2992 Ljfogake.exe 2992 Ljfogake.exe 2836 Liminmmk.exe 2836 Liminmmk.exe 1568 Lklejh32.exe 1568 Lklejh32.exe 1604 Lbemfbdk.exe 1604 Lbemfbdk.exe 1972 Lnlnlc32.exe 1972 Lnlnlc32.exe 2100 Meffhnal.exe 2100 Meffhnal.exe 1092 Mfjoeeeh.exe 1092 Mfjoeeeh.exe 1248 Mnaggcej.exe 1248 Mnaggcej.exe 1284 Mpbdnk32.exe 1284 Mpbdnk32.exe 888 Mfllkece.exe 888 Mfllkece.exe 984 Mdpldi32.exe 984 Mdpldi32.exe 1416 Mlkail32.exe 1416 Mlkail32.exe 1784 Mpgmijgc.exe 1784 Mpgmijgc.exe 792 Mbeiefff.exe 792 Mbeiefff.exe 1624 Mfaefd32.exe 1624 Mfaefd32.exe 2680 Nefbga32.exe 2680 Nefbga32.exe 2828 Nhdocl32.exe 2828 Nhdocl32.exe 2256 Nlpkdkkd.exe 2256 Nlpkdkkd.exe 1992 Nplfdj32.exe 1992 Nplfdj32.exe 2792 Nehomq32.exe 2792 Nehomq32.exe 2600 Noacef32.exe 2600 Noacef32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Dkqnoh32.exeIhdpbq32.exePnopldgn.exeJnpkflne.exeCmhglq32.exeEjkkfjkj.exeIlnomp32.exeIigpli32.exeJkhldafl.exeFcnkhmdp.exeGkbcbn32.exeAboaff32.exeDcccpl32.exeIoakoq32.exeGmpjagfa.exeMmadbjkk.exeMpopnejo.exeAodkci32.exeCfpldf32.exeKcijeg32.exeMbeiefff.exePohfehdi.exeDeollamj.exeEdfbaabj.exeHblgnkdh.exeMclebc32.exeNbmaon32.exeOhiffh32.exePqphnp32.exeHjfcpo32.exeBajqfq32.exeBoidnh32.exeAccnekon.exeCffljlpc.exeGghkdp32.exeBjpaop32.exeCkjamgmk.exeBmcnqama.exeFmkilb32.exeBdqlajbb.exeCcdmnj32.exeHhjcic32.exeLbicoamh.exeBmhkmm32.exeHnpbjnpo.exeNcfoch32.exeCgkocj32.exeLgchgb32.exeMnaggcej.exeOklnff32.exeAnolkh32.exeLklejh32.exeQgjqjjll.exeOkdmjdol.exePgpgjepk.exePpkhhjei.exeGmpcgace.exeNehomq32.exeHnkion32.exeOiljam32.exeKnhhaaki.exeDinklffl.exeNpaich32.exePhnnho32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Dicnkdnf.exe Dkqnoh32.exe File created C:\Windows\SysWOW64\Imahkg32.exe Ihdpbq32.exe File created C:\Windows\SysWOW64\Fgbbce32.dll Pnopldgn.exe File created C:\Windows\SysWOW64\Kghpoa32.exe Jnpkflne.exe File created C:\Windows\SysWOW64\Nbkkmi32.dll Cmhglq32.exe File created C:\Windows\SysWOW64\Anciko32.dll Ejkkfjkj.exe File created C:\Windows\SysWOW64\Ijqoilii.exe Ilnomp32.exe File opened for modification C:\Windows\SysWOW64\Jhjphfgi.exe Iigpli32.exe File created C:\Windows\SysWOW64\Jenpajfb.exe Jkhldafl.exe File created C:\Windows\SysWOW64\Flfpabkp.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Gonocmbi.exe Gkbcbn32.exe File opened for modification C:\Windows\SysWOW64\Acqnnndl.exe Aboaff32.exe File created C:\Windows\SysWOW64\Dinklffl.exe Dcccpl32.exe File opened for modification C:\Windows\SysWOW64\Iigpli32.exe Ioakoq32.exe File opened for modification C:\Windows\SysWOW64\Gqlebf32.exe Gmpjagfa.exe File created C:\Windows\SysWOW64\Mpopnejo.exe Mmadbjkk.exe File created C:\Windows\SysWOW64\Mbnljqic.exe Mpopnejo.exe File created C:\Windows\SysWOW64\Kainfp32.dll Aodkci32.exe File opened for modification C:\Windows\SysWOW64\Clmdmm32.exe Cfpldf32.exe File created C:\Windows\SysWOW64\Kgefefnd.exe Kcijeg32.exe File created C:\Windows\SysWOW64\Knfmfh32.dll Mbeiefff.exe File created C:\Windows\SysWOW64\Hpblho32.dll Pohfehdi.exe File created C:\Windows\SysWOW64\Dqlapaeh.dll Deollamj.exe File created C:\Windows\SysWOW64\Pdmjki32.dll Edfbaabj.exe File created C:\Windows\SysWOW64\Jndape32.dll Hblgnkdh.exe File opened for modification C:\Windows\SysWOW64\Mjfnomde.exe Mclebc32.exe File created C:\Windows\SysWOW64\Napbjjom.exe Nbmaon32.exe File created C:\Windows\SysWOW64\Olebgfao.exe Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Qgjqjjll.exe Pqphnp32.exe File opened for modification C:\Windows\SysWOW64\Hnbopmnm.exe Hjfcpo32.exe File created C:\Windows\SysWOW64\Kfhpaf32.dll Bajqfq32.exe File created C:\Windows\SysWOW64\Bchqdi32.dll Boidnh32.exe File created C:\Windows\SysWOW64\Bgepiehf.dll Accnekon.exe File opened for modification C:\Windows\SysWOW64\Ckahkk32.exe Cffljlpc.exe File created C:\Windows\SysWOW64\Coikpclh.dll Gghkdp32.exe File opened for modification C:\Windows\SysWOW64\Boljgg32.exe Bjpaop32.exe File created C:\Windows\SysWOW64\Pobghn32.dll Ckjamgmk.exe File opened for modification C:\Windows\SysWOW64\Bcmfmlen.exe Bmcnqama.exe File created C:\Windows\SysWOW64\Ghajacmo.exe Fmkilb32.exe File created C:\Windows\SysWOW64\Lkknbejg.dll Bdqlajbb.exe File created C:\Windows\SysWOW64\Ceeieced.exe Ccdmnj32.exe File created C:\Windows\SysWOW64\Ejecol32.dll Hhjcic32.exe File opened for modification C:\Windows\SysWOW64\Mjpkqonj.exe Lbicoamh.exe File created C:\Windows\SysWOW64\Iddklgpc.dll Bmhkmm32.exe File created C:\Windows\SysWOW64\Hbknkl32.exe Hnpbjnpo.exe File opened for modification C:\Windows\SysWOW64\Nhakcfab.exe Ncfoch32.exe File created C:\Windows\SysWOW64\Aeeeakip.dll Cgkocj32.exe File created C:\Windows\SysWOW64\Jeoggjip.dll Lgchgb32.exe File created C:\Windows\SysWOW64\Eqefma32.dll Mnaggcej.exe File created C:\Windows\SysWOW64\Gmfhfajb.dll Oklnff32.exe File created C:\Windows\SysWOW64\Odjoikgb.dll Anolkh32.exe File created C:\Windows\SysWOW64\Djjfkm32.dll Lklejh32.exe File created C:\Windows\SysWOW64\Qndigd32.exe Qgjqjjll.exe File created C:\Windows\SysWOW64\Opaebkmc.exe Okdmjdol.exe File created C:\Windows\SysWOW64\Pecgea32.exe Pgpgjepk.exe File created C:\Windows\SysWOW64\Pciddedl.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Gkbcbn32.exe Gmpcgace.exe File created C:\Windows\SysWOW64\Noacef32.exe Nehomq32.exe File created C:\Windows\SysWOW64\Bmlgia32.dll Hnkion32.exe File created C:\Windows\SysWOW64\Nllcmj32.dll Oiljam32.exe File created C:\Windows\SysWOW64\Kbcdbp32.exe Knhhaaki.exe File created C:\Windows\SysWOW64\Dllhhaep.exe Dinklffl.exe File created C:\Windows\SysWOW64\Epilaieh.dll Npaich32.exe File opened for modification C:\Windows\SysWOW64\Pkljdj32.exe Phnnho32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process 8068 7940 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ohhmcinf.exeBbgqjdce.exeFlfpabkp.exeLjddjj32.exeMlkail32.exeNhdocl32.exeFfibkj32.exeKcopdb32.exeOmqlpp32.exePgpgjepk.exeLbfook32.exeBceibfgj.exeBfccei32.exeCebcmdlg.exeCmbalfem.exeIdfnicfl.exeMpamde32.exeCcdmnj32.exeOnocmadb.exeCffljlpc.exeDkfbfjdf.exeFcmben32.exeBefmfpbi.exeHifpke32.exeKgefefnd.exeOpplolac.exeDpqnhadq.exeFdpkbf32.exeJenpajfb.exeJnkakl32.exeMlhnifmq.exeOhagbj32.exeQqbecp32.exeBpqain32.exeEfdhpjok.exeIigpli32.exeCeeieced.exeFdkklp32.exeAqbdkk32.exeBkjdndjo.exeKdhcli32.exeLnpgeopa.exeLngnfnji.exeFhbnbpjc.exeMfjoeeeh.exeOlpgconp.exePhnnho32.exeJkhldafl.exeNenkqi32.exePdbahpec.exeAgjmim32.exeGkephn32.exePpnnai32.exeBadnhbce.exeKfkpknkq.exeAobnniji.exeFamope32.exePhhjblpa.exeCbblda32.exeCpdgbm32.exeNlcibc32.exeDnpciaef.exeDllhhaep.exeGjicfk32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhmcinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgqjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkail32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffibkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcopdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqlpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpgjepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfccei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebcmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbalfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfnicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onocmadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffljlpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfbfjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgefefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opplolac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqnhadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpkbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkakl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohagbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqbecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpqain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdhpjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigpli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdhcli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpgeopa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngnfnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjoeeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpgconp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnnho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhldafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbahpec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjmim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkephn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badnhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkpknkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhjblpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllhhaep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjicfk32.exe -
Modifies registry class 64 IoCs
Processes:
Olkfmi32.exeCpfdhl32.exePifbjn32.exeCmpgpond.exeOnocmadb.exePdihiook.exeFfkoai32.exeMjpkqonj.exeMccbmh32.exeAjqljc32.exeAkabgebj.exeCnmfdb32.exeLiminmmk.exeEggndi32.exeCbppnbhm.exeGiiglhjb.exeGcokiaji.exeLmljgj32.exePmpbdm32.exeJajala32.exeAkfkbd32.exeBfagpiam.exeEhjona32.exeFqlicclo.exeOdjdmjgo.exeAjeeeblb.exeLfmbek32.exeMfokinhf.exeOfadnq32.exeOlbchn32.exePcbncfjd.exeMjfnomde.exeJhffnk32.exeOalhqohl.exeFfodjh32.exeHakkgc32.exeDaipqhdg.exeHpbdmo32.exeKcopdb32.exeKfpifm32.exeBehilopf.exeFgnadkic.exePdbdqh32.exeKcijeg32.exeKllnhg32.exeFhgnge32.exeIdadnd32.exePhfmllbd.exeOlbfagca.exeDiibag32.exeGbdhjm32.exeDpkibo32.exeBjbndpmd.exeCheido32.exeJckgicnp.exeHnjbeh32.exeMeffhnal.exeDeollamj.exePmkhjncg.exeJdaqmg32.exeLjfogake.exeKohnoc32.exeAggiigmn.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miidam32.dll" Cpfdhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqqamej.dll" Onocmadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbapc32.dll" Pdihiook.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjpkqonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnoge32.dll" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akabgebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdljhf32.dll" Liminmmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giiglhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcokiaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmljgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jajala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akfkbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfagpiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfdej32.dll" Ehjona32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqlicclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odjdmjgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajeeeblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knqcbd32.dll" Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammmql32.dll" Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcbncfjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhffnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oalhqohl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqojbd32.dll" Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daipqhdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpbdmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcopdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfpifm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjpfaqc.dll" Behilopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdbdqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcijeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjab32.dll" Fhgnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdelj32.dll" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbdhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpebakpc.dll" Cheido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblifk32.dll" Ajqljc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgdim32.dll" Meffhnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmkhjncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdaqmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljfogake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfnel32.dll" Kohnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aggiigmn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exeJajala32.exeJhffnk32.exeJkebjf32.exeKopokehd.exeKkileele.exeKnhhaaki.exeKbcdbp32.exeKcijeg32.exeKgefefnd.exeLfjcfb32.exeLjfogake.exeLiminmmk.exeLklejh32.exeLbemfbdk.exeLnlnlc32.exedescription pid Process procid_target PID 1352 wrote to memory of 1632 1352 9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe 30 PID 1352 wrote to memory of 1632 1352 9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe 30 PID 1352 wrote to memory of 1632 1352 9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe 30 PID 1352 wrote to memory of 1632 1352 9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe 30 PID 1632 wrote to memory of 2896 1632 Jajala32.exe 31 PID 1632 wrote to memory of 2896 1632 Jajala32.exe 31 PID 1632 wrote to memory of 2896 1632 Jajala32.exe 31 PID 1632 wrote to memory of 2896 1632 Jajala32.exe 31 PID 2896 wrote to memory of 2748 2896 Jhffnk32.exe 32 PID 2896 wrote to memory of 2748 2896 Jhffnk32.exe 32 PID 2896 wrote to memory of 2748 2896 Jhffnk32.exe 32 PID 2896 wrote to memory of 2748 2896 Jhffnk32.exe 32 PID 2748 wrote to memory of 3016 2748 Jkebjf32.exe 33 PID 2748 wrote to memory of 3016 2748 Jkebjf32.exe 33 PID 2748 wrote to memory of 3016 2748 Jkebjf32.exe 33 PID 2748 wrote to memory of 3016 2748 Jkebjf32.exe 33 PID 3016 wrote to memory of 2636 3016 Kopokehd.exe 34 PID 3016 wrote to memory of 2636 3016 Kopokehd.exe 34 PID 3016 wrote to memory of 2636 3016 Kopokehd.exe 34 PID 3016 wrote to memory of 2636 3016 Kopokehd.exe 34 PID 2636 wrote to memory of 2712 2636 Kkileele.exe 35 PID 2636 wrote to memory of 2712 2636 Kkileele.exe 35 PID 2636 wrote to memory of 2712 2636 Kkileele.exe 35 PID 2636 wrote to memory of 2712 2636 Kkileele.exe 35 PID 2712 wrote to memory of 2676 2712 Knhhaaki.exe 36 PID 2712 wrote to memory of 2676 2712 Knhhaaki.exe 36 PID 2712 wrote to memory of 2676 2712 Knhhaaki.exe 36 PID 2712 wrote to memory of 2676 2712 Knhhaaki.exe 36 PID 2676 wrote to memory of 1760 2676 Kbcdbp32.exe 37 PID 2676 wrote to memory of 1760 2676 Kbcdbp32.exe 37 PID 2676 wrote to memory of 1760 2676 Kbcdbp32.exe 37 PID 2676 wrote to memory of 1760 2676 Kbcdbp32.exe 37 PID 1760 wrote to memory of 1436 1760 Kcijeg32.exe 38 PID 1760 wrote to memory of 1436 1760 Kcijeg32.exe 38 PID 1760 wrote to memory of 1436 1760 Kcijeg32.exe 38 PID 1760 wrote to memory of 1436 1760 Kcijeg32.exe 38 PID 1436 wrote to memory of 2588 1436 Kgefefnd.exe 39 PID 1436 wrote to memory of 2588 1436 Kgefefnd.exe 39 PID 1436 wrote to memory of 2588 1436 Kgefefnd.exe 39 PID 1436 wrote to memory of 2588 1436 Kgefefnd.exe 39 PID 2588 wrote to memory of 2992 2588 Lfjcfb32.exe 40 PID 2588 wrote to memory of 2992 2588 Lfjcfb32.exe 40 PID 2588 wrote to memory of 2992 2588 Lfjcfb32.exe 40 PID 2588 wrote to memory of 2992 2588 Lfjcfb32.exe 40 PID 2992 wrote to memory of 2836 2992 Ljfogake.exe 41 PID 2992 wrote to memory of 2836 2992 Ljfogake.exe 41 PID 2992 wrote to memory of 2836 2992 Ljfogake.exe 41 PID 2992 wrote to memory of 2836 2992 Ljfogake.exe 41 PID 2836 wrote to memory of 1568 2836 Liminmmk.exe 42 PID 2836 wrote to memory of 1568 2836 Liminmmk.exe 42 PID 2836 wrote to memory of 1568 2836 Liminmmk.exe 42 PID 2836 wrote to memory of 1568 2836 Liminmmk.exe 42 PID 1568 wrote to memory of 1604 1568 Lklejh32.exe 43 PID 1568 wrote to memory of 1604 1568 Lklejh32.exe 43 PID 1568 wrote to memory of 1604 1568 Lklejh32.exe 43 PID 1568 wrote to memory of 1604 1568 Lklejh32.exe 43 PID 1604 wrote to memory of 1972 1604 Lbemfbdk.exe 44 PID 1604 wrote to memory of 1972 1604 Lbemfbdk.exe 44 PID 1604 wrote to memory of 1972 1604 Lbemfbdk.exe 44 PID 1604 wrote to memory of 1972 1604 Lbemfbdk.exe 44 PID 1972 wrote to memory of 2100 1972 Lnlnlc32.exe 45 PID 1972 wrote to memory of 2100 1972 Lnlnlc32.exe 45 PID 1972 wrote to memory of 2100 1972 Lnlnlc32.exe 45 PID 1972 wrote to memory of 2100 1972 Lnlnlc32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe"C:\Users\Admin\AppData\Local\Temp\9500f0e146176d7a2b851511a9fa097186ae37d6693ea6a58417e8bac49b6e3b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe33⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe34⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe35⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe36⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe38⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe40⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe42⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe45⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe46⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe48⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe49⤵PID:2168
-
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe50⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe51⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe52⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe53⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe56⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe58⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe59⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe60⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe61⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe62⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe63⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe66⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe67⤵PID:1764
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe68⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe69⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe70⤵PID:2732
-
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe72⤵PID:2744
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe74⤵PID:2232
-
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe75⤵PID:2988
-
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe76⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe78⤵PID:2248
-
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe79⤵PID:1800
-
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe80⤵PID:2320
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe81⤵PID:616
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe82⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe83⤵PID:1524
-
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe84⤵PID:2380
-
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe85⤵PID:2880
-
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe86⤵PID:940
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe88⤵PID:1196
-
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:660 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe90⤵PID:1396
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe91⤵PID:324
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe92⤵
- System Location Discovery: System Language Discovery
PID:340 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe93⤵PID:2840
-
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe94⤵
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe95⤵PID:988
-
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe96⤵PID:2008
-
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe98⤵PID:2756
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe99⤵PID:2788
-
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe100⤵PID:2688
-
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe101⤵PID:1932
-
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe102⤵PID:2296
-
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe103⤵PID:1016
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe104⤵PID:2912
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe106⤵PID:1408
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe107⤵PID:1940
-
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe108⤵PID:1480
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe109⤵PID:2260
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe110⤵PID:1140
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe111⤵PID:2852
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe112⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe113⤵PID:2160
-
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe114⤵PID:1696
-
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe115⤵PID:480
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe116⤵PID:2944
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe118⤵PID:1528
-
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe119⤵PID:840
-
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe120⤵PID:2936
-
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe121⤵
- Modifies registry class
PID:3000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-