Analysis
  max time kernel: 117s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 23-11-2024 18:57

Static task: static1

Behavioral task: behavioral1
  Sample: 450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe
  Resource: win10v2004-20241007-en

General
  Target: 450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe
  Size: 1.0MB
  MD5: 8d402960dc5b94b0fb590ca12924b700
  SHA1: 4cca42a10cf72213f7b696a370d8f2079fb6260f
  SHA256: 450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333b
  SHA512: 8bbd7cec80d912413ab02330b38d8ec8015ac411169ce29ab98f2c49a5321cf12da97880afa7220bc8d8592608f0372fc36b7a1f04c3d0d6e7910018f16faddc
  SSDEEP: 12288:k2tVYkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoF:XVYgsaDZgQjGkwlks/6HnE6

Malware Config
  Extracted: berbew
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgnjqe32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iogpag32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlqjkk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lfhhjklc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lgkkmm32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpnladjl.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmmeon32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alnalh32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqbdkk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iacjjacb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njnmbk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Elajgpmj.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Goplilpf.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdpfadlm.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcjmmdbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odmckcmq.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbabho32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eikfdl32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpfmmf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ephbal32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joidhh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckeqga32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mmgfqh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oiffkkbk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qndkpmkm.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emoldlmc.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggapbcne.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgigil32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgqkbb32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edoefl32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndqkleln.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Edoefl32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hohkmj32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kkdnhi32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdmkoepk.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmpcgace.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgnbnpkp.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlqmmd32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohbikbkb.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmehdh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnejim32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cileqlmg.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmofdf32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aphjjf32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfcodkcb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eeagimdf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eknmhk32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiffkkbk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmlael32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmbndmkb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lgqkbb32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foolgh32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccgklc32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acicla32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjhgbd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hgpjhn32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eoblnd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ohdfqbio.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbiocd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Inbnhihl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgbaml32.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndfnecgp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ppinkcnp.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anlhkbhq.exe

Berbew family
Executes dropped EXE (64 IoCs)
  pid | Process
  1976 | Pgnjde32.exe
  2676 | Pmgbao32.exe
  1832 | Pckajebj.exe
  2848 | Qododfek.exe
  2316 | Anlhkbhq.exe
  2728 | Amaelomh.exe
  2128 | Bcpgdhpp.exe
  1140 | Biaign32.exe
  1044 | Bmcnqama.exe
  1844 | Cjjkpe32.exe
  1348 | Cpiqmlfm.exe
  1688 | Clpabm32.exe
  2440 | Ddpobo32.exe
  2528 | Dmhdkdlg.exe
  3024 | Elajgpmj.exe
  2984 | Eldglp32.exe
  1196 | Eknmhk32.exe
  1784 | Eecafd32.exe
  2776 | Fajbke32.exe
  1748 | Fggkcl32.exe
  844 | Fdkklp32.exe
  2064 | Fgigil32.exe
  2208 | Fgldnkkf.exe
  1860 | Fqdiga32.exe
  1560 | Fqfemqod.exe
  2532 | Gbhbdi32.exe
  840 | Gdhkfd32.exe
  2540 | Gmpcgace.exe
  2428 | Gonocmbi.exe
  2720 | Goplilpf.exe
  2716 | Gneijien.exe
  2616 | Gqdefddb.exe
  2596 | Gepafc32.exe
  3048 | Hgpjhn32.exe
  1108 | Hmoofdea.exe
  2016 | Hpnkbpdd.exe
  1344 | Hpphhp32.exe
  2896 | Hboddk32.exe
  2932 | Iflmjihl.exe
  1988 | Ihniaa32.exe
  2516 | Ihpfgalh.exe
  1396 | Ijnbcmkk.exe
  848 | Inlkik32.exe
  956 | Iakgefqe.exe
  2268 | Ioohokoo.exe
  1468 | Iamdkfnc.exe
  772 | Jmdepg32.exe
  1912 | Jpbalb32.exe
  2228 | Jikeeh32.exe
  884 | Jpdnbbah.exe
  3068 | Jdpjba32.exe
  1496 | Jimbkh32.exe
  2296 | Jedcpi32.exe
  2836 | Jlnklcej.exe
  2788 | Jhdlad32.exe
  2760 | Jondnnbk.exe
  576 | Khghgchk.exe
  1948 | Klbdgb32.exe
  1304 | Kdnild32.exe
  976 | Kglehp32.exe
  2892 | Kdpfadlm.exe
  2188 | Kgnbnpkp.exe
  2976 | Kjmnjkjd.exe
  1260 | Kcecbq32.exe
Loads dropped DLL (64 IoCs)
  pid | Process
  3004 | 450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe
  3004 | 450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe
  1976 | Pgnjde32.exe
  1976 | Pgnjde32.exe
  2676 | Pmgbao32.exe
  2676 | Pmgbao32.exe
  1832 | Pckajebj.exe
  1832 | Pckajebj.exe
  2848 | Qododfek.exe
  2848 | Qododfek.exe
  2316 | Anlhkbhq.exe
  2316 | Anlhkbhq.exe
  2728 | Amaelomh.exe
  2728 | Amaelomh.exe
  2128 | Bcpgdhpp.exe
  2128 | Bcpgdhpp.exe
  1140 | Biaign32.exe
  1140 | Biaign32.exe
  1044 | Bmcnqama.exe
  1044 | Bmcnqama.exe
  1844 | Cjjkpe32.exe
  1844 | Cjjkpe32.exe
  1348 | Cpiqmlfm.exe
  1348 | Cpiqmlfm.exe
  1688 | Clpabm32.exe
  1688 | Clpabm32.exe
  2440 | Ddpobo32.exe
  2440 | Ddpobo32.exe
  2528 | Dmhdkdlg.exe
  2528 | Dmhdkdlg.exe
  3024 | Elajgpmj.exe
  3024 | Elajgpmj.exe
  2984 | Eldglp32.exe
  2984 | Eldglp32.exe
  1196 | Eknmhk32.exe
  1196 | Eknmhk32.exe
  1784 | Eecafd32.exe
  1784 | Eecafd32.exe
  2776 | Fajbke32.exe
  2776 | Fajbke32.exe
  1748 | Fggkcl32.exe
  1748 | Fggkcl32.exe
  844 | Fdkklp32.exe
  844 | Fdkklp32.exe
  2064 | Fgigil32.exe
  2064 | Fgigil32.exe
  2208 | Fgldnkkf.exe
  2208 | Fgldnkkf.exe
  1860 | Fqdiga32.exe
  1860 | Fqdiga32.exe
  1560 | Fqfemqod.exe
  1560 | Fqfemqod.exe
  2532 | Gbhbdi32.exe
  2532 | Gbhbdi32.exe
  840 | Gdhkfd32.exe
  840 | Gdhkfd32.exe
  2540 | Gmpcgace.exe
  2540 | Gmpcgace.exe
  2428 | Gonocmbi.exe
  2428 | Gonocmbi.exe
  2720 | Goplilpf.exe
  2720 | Goplilpf.exe
  2716 | Gneijien.exe
  2716 | Gneijien.exe
Drops file in System32 directory (64 IoCs)
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\Dbfbnddq.exe | Dfpaic32.exe
  File opened for modification | C:\Windows\SysWOW64\Fgldnkkf.exe | Fgigil32.exe
  File opened for modification | C:\Windows\SysWOW64\Jlnklcej.exe | Jedcpi32.exe
  File opened for modification | C:\Windows\SysWOW64\Kjmnjkjd.exe | Kgnbnpkp.exe
  File created | C:\Windows\SysWOW64\Oeaqig32.exe | Nmflee32.exe
  File created | C:\Windows\SysWOW64\Oehgjfhi.exe | Ohdfqbio.exe
  File opened for modification | C:\Windows\SysWOW64\Elgfkhpi.exe | Edlafebn.exe
  File created | C:\Windows\SysWOW64\Iogpag32.exe | Ibcphc32.exe
  File created | C:\Windows\SysWOW64\Kipmhc32.exe | Khnapkjg.exe
  File opened for modification | C:\Windows\SysWOW64\Jdpjba32.exe | Jpdnbbah.exe
  File created | C:\Windows\SysWOW64\Djfdob32.exe | Dcllbhdn.exe
  File created | C:\Windows\SysWOW64\Ehdigjnf.dll | Jhjbqo32.exe
  File created | C:\Windows\SysWOW64\Qnghel32.exe | Qgmpibam.exe
  File opened for modification | C:\Windows\SysWOW64\Gconbj32.exe | Gnbejb32.exe
  File created | C:\Windows\SysWOW64\Jjmfenoo.dll | Gmhkin32.exe
  File opened for modification | C:\Windows\SysWOW64\Hqgddm32.exe | Hgnokgcc.exe
  File created | C:\Windows\SysWOW64\Dimkiekk.dll | Lfhhjklc.exe
  File created | C:\Windows\SysWOW64\Oplelf32.exe | Obhdcanc.exe
  File created | C:\Windows\SysWOW64\Pohhna32.exe | Phnpagdp.exe
  File created | C:\Windows\SysWOW64\Mbgogp32.dll | Fajbke32.exe
  File created | C:\Windows\SysWOW64\Pgcmbcih.exe | Pohhna32.exe
  File created | C:\Windows\SysWOW64\Fhbpkh32.exe | Fahhnn32.exe
  File opened for modification | C:\Windows\SysWOW64\Mopbgn32.exe | Mfgnnhkc.exe
  File created | C:\Windows\SysWOW64\Dmidng32.dll | Pehcij32.exe
  File created | C:\Windows\SysWOW64\Pjddaagq.dll | Ghbljk32.exe
  File created | C:\Windows\SysWOW64\Keioca32.exe | Jlqjkk32.exe
  File created | C:\Windows\SysWOW64\Bdoaqh32.dll | Ajmijmnn.exe
  File created | C:\Windows\SysWOW64\Ddmidgbj.dll | Feiddbbj.exe
  File opened for modification | C:\Windows\SysWOW64\Klhgfq32.exe | Kgkonj32.exe
  File created | C:\Windows\SysWOW64\Iejiodbl.exe | Iladfn32.exe
  File created | C:\Windows\SysWOW64\Dblhmoio.exe | Dpnladjl.exe
  File opened for modification | C:\Windows\SysWOW64\Dgnjqe32.exe | Dbabho32.exe
  File created | C:\Windows\SysWOW64\Giaidnkf.exe | Ghbljk32.exe
  File created | C:\Windows\SysWOW64\Gdnfjl32.exe | Gamnhq32.exe
  File opened for modification | C:\Windows\SysWOW64\Cbffoabe.exe | Cnkjnb32.exe
  File opened for modification | C:\Windows\SysWOW64\Feiddbbj.exe | Foolgh32.exe
  File opened for modification | C:\Windows\SysWOW64\Fpohakbp.exe | Feiddbbj.exe
  File opened for modification | C:\Windows\SysWOW64\Iogpag32.exe | Ibcphc32.exe
  File opened for modification | C:\Windows\SysWOW64\Bknjfb32.exe | Bogjaamh.exe
  File created | C:\Windows\SysWOW64\Bccblb32.dll | Cogfqe32.exe
  File created | C:\Windows\SysWOW64\Hkhgoifc.dll | Coicfd32.exe
  File created | C:\Windows\SysWOW64\Ejaphpnp.exe | Dpklkgoj.exe
  File opened for modification | C:\Windows\SysWOW64\Oplelf32.exe | Obhdcanc.exe
  File created | C:\Windows\SysWOW64\Mfakaoam.dll | Bqlfaj32.exe
  File created | C:\Windows\SysWOW64\Ammhpd32.dll | Ldahkaij.exe
  File created | C:\Windows\SysWOW64\Lnqjnhge.exe | Lkbmbl32.exe
  File created | C:\Windows\SysWOW64\Ocaadj32.dll | Lkicbk32.exe
  File created | C:\Windows\SysWOW64\Apjlggne.dll | Njeccjcd.exe
  File created | C:\Windows\SysWOW64\Nijjkf32.dll | Oecmogln.exe
  File created | C:\Windows\SysWOW64\Ppinkcnp.exe | Pmjaohol.exe
  File created | C:\Windows\SysWOW64\Oncobd32.dll | Kglehp32.exe
  File opened for modification | C:\Windows\SysWOW64\Imjkpb32.exe | Igmbgk32.exe
  File opened for modification | C:\Windows\SysWOW64\Jigbebhb.exe | Inbnhihl.exe
  File created | C:\Windows\SysWOW64\Dkodahqi.dll | Oiffkkbk.exe
  File created | C:\Windows\SysWOW64\Ofkggbgh.dll | Jeclebja.exe
  File created | C:\Windows\SysWOW64\Klbdgb32.exe | Khghgchk.exe
  File created | C:\Windows\SysWOW64\Mpebmc32.exe | Mmgfqh32.exe
  File created | C:\Windows\SysWOW64\Mcqombic.exe | Mpebmc32.exe
  File created | C:\Windows\SysWOW64\Miqnbfnp.dll | Ikjhki32.exe
  File created | C:\Windows\SysWOW64\Iikepamg.dll | Anlhkbhq.exe
  File created | C:\Windows\SysWOW64\Gddgejcp.dll | Mpebmc32.exe
  File created | C:\Windows\SysWOW64\Qhihii32.dll | Ckeqga32.exe
  File opened for modification | C:\Windows\SysWOW64\Njnmbk32.exe | Mbchni32.exe
  File created | C:\Windows\SysWOW64\Qhilkege.exe | Popgboae.exe
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  4352 | 4228 | WerFault.exe | 426
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hboddk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiffkkbk.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iacjjacb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alageg32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgqkbb32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqijljfd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feachqgb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjjdhc32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpphhp32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mokilo32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhkeohhn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bacihmoo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eldiehbk.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibcphc32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmfbpk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Calcpm32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foolgh32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbchni32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmofdf32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkpglbaj.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlnpgd32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpjofl32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aphjjf32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbfook32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqeqqk32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnjicjbf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bogjaamh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckeqga32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcpgdhpp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njhfcp32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdcjpncm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Momfan32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmipdo32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcckcbgp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecfnmh32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkbmbl32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emoldlmc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmhkin32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmbndmkb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qkfocaki.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adlcfjgh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbiocd32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fapeic32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gamnhq32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcnoejch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpjifjdg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adipfd32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgnjde32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kddomchg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnmpdlac.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcllbhdn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpohakbp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fabaocfl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jaecod32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmdepg32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndfnecgp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gglbfg32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clpabm32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gonocmbi.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pohhna32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckpckece.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqlfaj32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elcpbigl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipjdameg.exe
Modifies registry class (64 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dbfbnddq.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdcjpncm.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ahmefdcp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ioohokoo.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pmmeon32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbblda32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" | Cbffoabe.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ccjoli32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lemdncoa.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmma32.dll" | Adipfd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjhg32.dll" | Bhkeohhn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkifia32.dll" | Edlafebn.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Epeoaffo.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckobc32.dll" | Gglbfg32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gbhbdi32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fchkbg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmidgbj.dll" | Feiddbbj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kkdnhi32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnejim32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekcqmj32.dll" | Iacjjacb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nppofado.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgfmi32.dll" | Qdompf32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" | Lnhgim32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll" | Nlqmmd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Njjcip32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ibfmmb32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dblhmoio.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Giaidnkf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Honnki32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fgigil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" | Gepafc32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gnbejb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfenf32.dll" | Ccnifd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimkc32.dll" | Cnejim32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Einjdb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lopfhk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igejec32.dll" | Alageg32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klbdgb32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qndkpmkm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qgmpibam.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bqeqqk32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibgpofm.dll" | Dfpaic32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjiflem.dll" | Dgnjqe32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jikeeh32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhaomoi.dll" | Lkjjma32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nhlgmd32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdpgmhn.dll" | Mdogedmh.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bgghac32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mnomjl32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Agpeaa32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qododfek.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Objaha32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oiffkkbk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Apppkekc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhakqek.dll" | Gonocmbi.exe
  Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepoia32.dll" Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkman32.dll" Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnjicjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gglbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oemgplgo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe  (depth 1; command line: "C:\Users\Admin\AppData\Local\Temp\450f9cc75b54bb0c5c1a254cd0d18100842be44cc016623c20c935ffc966333bN.exe")
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3004

C:\Windows\SysWOW64\Pgnjde32.exe  (depth 2; command line: C:\Windows\system32\Pgnjde32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1976

C:\Windows\SysWOW64\Pmgbao32.exe  (depth 3; command line: C:\Windows\system32\Pmgbao32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2676

C:\Windows\SysWOW64\Pckajebj.exe  (depth 4; command line: C:\Windows\system32\Pckajebj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1832

C:\Windows\SysWOW64\Qododfek.exe  (depth 5; command line: C:\Windows\system32\Qododfek.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2848

C:\Windows\SysWOW64\Anlhkbhq.exe  (depth 6; command line: C:\Windows\system32\Anlhkbhq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2316

C:\Windows\SysWOW64\Amaelomh.exe  (depth 7; command line: C:\Windows\system32\Amaelomh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2728

C:\Windows\SysWOW64\Bcpgdhpp.exe  (depth 8; command line: C:\Windows\system32\Bcpgdhpp.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2128

C:\Windows\SysWOW64\Biaign32.exe  (depth 9; command line: C:\Windows\system32\Biaign32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1140

C:\Windows\SysWOW64\Bmcnqama.exe  (depth 10; command line: C:\Windows\system32\Bmcnqama.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1044

C:\Windows\SysWOW64\Cjjkpe32.exe  (depth 11; command line: C:\Windows\system32\Cjjkpe32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1844

C:\Windows\SysWOW64\Cpiqmlfm.exe  (depth 12; command line: C:\Windows\system32\Cpiqmlfm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1348

C:\Windows\SysWOW64\Clpabm32.exe  (depth 13; command line: C:\Windows\system32\Clpabm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1688

C:\Windows\SysWOW64\Ddpobo32.exe  (depth 14; command line: C:\Windows\system32\Ddpobo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2440

C:\Windows\SysWOW64\Dmhdkdlg.exe  (depth 15; command line: C:\Windows\system32\Dmhdkdlg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2528

C:\Windows\SysWOW64\Elajgpmj.exe  (depth 16; command line: C:\Windows\system32\Elajgpmj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3024

C:\Windows\SysWOW64\Eldglp32.exe  (depth 17; command line: C:\Windows\system32\Eldglp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2984

C:\Windows\SysWOW64\Eknmhk32.exe  (depth 18; command line: C:\Windows\system32\Eknmhk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1196

C:\Windows\SysWOW64\Eecafd32.exe  (depth 19; command line: C:\Windows\system32\Eecafd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1784

C:\Windows\SysWOW64\Fajbke32.exe  (depth 20; command line: C:\Windows\system32\Fajbke32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2776

C:\Windows\SysWOW64\Fggkcl32.exe  (depth 21; command line: C:\Windows\system32\Fggkcl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1748

C:\Windows\SysWOW64\Fdkklp32.exe  (depth 22; command line: C:\Windows\system32\Fdkklp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 844

C:\Windows\SysWOW64\Fgigil32.exe  (depth 23; command line: C:\Windows\system32\Fgigil32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2064

C:\Windows\SysWOW64\Fgldnkkf.exe  (depth 24; command line: C:\Windows\system32\Fgldnkkf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2208

C:\Windows\SysWOW64\Fqdiga32.exe  (depth 25; command line: C:\Windows\system32\Fqdiga32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1860

C:\Windows\SysWOW64\Fqfemqod.exe  (depth 26; command line: C:\Windows\system32\Fqfemqod.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1560

C:\Windows\SysWOW64\Gbhbdi32.exe  (depth 27; command line: C:\Windows\system32\Gbhbdi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2532

C:\Windows\SysWOW64\Gdhkfd32.exe  (depth 28; command line: C:\Windows\system32\Gdhkfd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 840

C:\Windows\SysWOW64\Gmpcgace.exe  (depth 29; command line: C:\Windows\system32\Gmpcgace.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2540

C:\Windows\SysWOW64\Gonocmbi.exe  (depth 30; command line: C:\Windows\system32\Gonocmbi.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2428

C:\Windows\SysWOW64\Goplilpf.exe  (depth 31; command line: C:\Windows\system32\Goplilpf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2720

C:\Windows\SysWOW64\Gneijien.exe  (depth 32; command line: C:\Windows\system32\Gneijien.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2716

C:\Windows\SysWOW64\Gqdefddb.exe  (depth 33; command line: C:\Windows\system32\Gqdefddb.exe)
- Executes dropped EXE
PID: 2616

C:\Windows\SysWOW64\Gepafc32.exe  (depth 34; command line: C:\Windows\system32\Gepafc32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2596

C:\Windows\SysWOW64\Hgpjhn32.exe  (depth 35; command line: C:\Windows\system32\Hgpjhn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3048

C:\Windows\SysWOW64\Hmoofdea.exe  (depth 36; command line: C:\Windows\system32\Hmoofdea.exe)
- Executes dropped EXE
PID: 1108

C:\Windows\SysWOW64\Hpnkbpdd.exe  (depth 37; command line: C:\Windows\system32\Hpnkbpdd.exe)
- Executes dropped EXE
PID: 2016

C:\Windows\SysWOW64\Hpphhp32.exe  (depth 38; command line: C:\Windows\system32\Hpphhp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1344

C:\Windows\SysWOW64\Hboddk32.exe  (depth 39; command line: C:\Windows\system32\Hboddk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2896

C:\Windows\SysWOW64\Iflmjihl.exe  (depth 40; command line: C:\Windows\system32\Iflmjihl.exe)
- Executes dropped EXE
PID: 2932

C:\Windows\SysWOW64\Ihniaa32.exe  (depth 41; command line: C:\Windows\system32\Ihniaa32.exe)
- Executes dropped EXE
PID: 1988

C:\Windows\SysWOW64\Ihpfgalh.exe  (depth 42; command line: C:\Windows\system32\Ihpfgalh.exe)
- Executes dropped EXE
PID: 2516

C:\Windows\SysWOW64\Ijnbcmkk.exe  (depth 43; command line: C:\Windows\system32\Ijnbcmkk.exe)
- Executes dropped EXE
PID: 1396

C:\Windows\SysWOW64\Inlkik32.exe  (depth 44; command line: C:\Windows\system32\Inlkik32.exe)
- Executes dropped EXE
PID: 848

C:\Windows\SysWOW64\Iakgefqe.exe  (depth 45; command line: C:\Windows\system32\Iakgefqe.exe)
- Executes dropped EXE
PID: 956

C:\Windows\SysWOW64\Ioohokoo.exe  (depth 46; command line: C:\Windows\system32\Ioohokoo.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2268

C:\Windows\SysWOW64\Iamdkfnc.exe  (depth 47; command line: C:\Windows\system32\Iamdkfnc.exe)
- Executes dropped EXE
PID: 1468

C:\Windows\SysWOW64\Jmdepg32.exe  (depth 48; command line: C:\Windows\system32\Jmdepg32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 772

C:\Windows\SysWOW64\Jpbalb32.exe  (depth 49; command line: C:\Windows\system32\Jpbalb32.exe)
- Executes dropped EXE
PID: 1912

C:\Windows\SysWOW64\Jikeeh32.exe  (depth 50; command line: C:\Windows\system32\Jikeeh32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2228

C:\Windows\SysWOW64\Jpdnbbah.exe  (depth 51; command line: C:\Windows\system32\Jpdnbbah.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 884

C:\Windows\SysWOW64\Jdpjba32.exe  (depth 52; command line: C:\Windows\system32\Jdpjba32.exe)
- Executes dropped EXE
PID: 3068

C:\Windows\SysWOW64\Jimbkh32.exe  (depth 53; command line: C:\Windows\system32\Jimbkh32.exe)
- Executes dropped EXE
PID: 1496

C:\Windows\SysWOW64\Jedcpi32.exe  (depth 54; command line: C:\Windows\system32\Jedcpi32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2296

C:\Windows\SysWOW64\Jlnklcej.exe  (depth 55; command line: C:\Windows\system32\Jlnklcej.exe)
- Executes dropped EXE
PID: 2836

C:\Windows\SysWOW64\Jhdlad32.exe  (depth 56; command line: C:\Windows\system32\Jhdlad32.exe)
- Executes dropped EXE
PID: 2788

C:\Windows\SysWOW64\Jondnnbk.exe  (depth 57; command line: C:\Windows\system32\Jondnnbk.exe)
- Executes dropped EXE
PID: 2760

C:\Windows\SysWOW64\Khghgchk.exe  (depth 58; command line: C:\Windows\system32\Khghgchk.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 576

C:\Windows\SysWOW64\Klbdgb32.exe  (depth 59; command line: C:\Windows\system32\Klbdgb32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1948

C:\Windows\SysWOW64\Kdnild32.exe  (depth 60; command line: C:\Windows\system32\Kdnild32.exe)
- Executes dropped EXE
PID: 1304

C:\Windows\SysWOW64\Kglehp32.exe  (depth 61; command line: C:\Windows\system32\Kglehp32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 976

C:\Windows\SysWOW64\Kdpfadlm.exe  (depth 62; command line: C:\Windows\system32\Kdpfadlm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2892

C:\Windows\SysWOW64\Kgnbnpkp.exe  (depth 63; command line: C:\Windows\system32\Kgnbnpkp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2188

C:\Windows\SysWOW64\Kjmnjkjd.exe  (depth 64; command line: C:\Windows\system32\Kjmnjkjd.exe)
- Executes dropped EXE
PID: 2976

C:\Windows\SysWOW64\Kcecbq32.exe  (depth 65; command line: C:\Windows\system32\Kcecbq32.exe)
- Executes dropped EXE
PID: 1260

C:\Windows\SysWOW64\Kddomchg.exe  (depth 66; command line: C:\Windows\system32\Kddomchg.exe)
- System Location Discovery: System Language Discovery
PID: 924

C:\Windows\SysWOW64\Kgclio32.exe  (depth 67; command line: C:\Windows\system32\Kgclio32.exe)
PID: 1952

C:\Windows\SysWOW64\Lonpma32.exe  (depth 68; command line: C:\Windows\system32\Lonpma32.exe)
- Modifies registry class
PID: 1580

C:\Windows\SysWOW64\Lfhhjklc.exe  (depth 69; command line: C:\Windows\system32\Lfhhjklc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2868

C:\Windows\SysWOW64\Loqmba32.exe  (depth 70; command line: C:\Windows\system32\Loqmba32.exe)
PID: 1528

C:\Windows\SysWOW64\Lboiol32.exe  (depth 71; command line: C:\Windows\system32\Lboiol32.exe)
PID: 2524

C:\Windows\SysWOW64\Lkgngb32.exe  (depth 72; command line: C:\Windows\system32\Lkgngb32.exe)
PID: 2404

C:\Windows\SysWOW64\Lbafdlod.exe  (depth 73; command line: C:\Windows\system32\Lbafdlod.exe)
PID: 1316

C:\Windows\SysWOW64\Lkjjma32.exe  (depth 74; command line: C:\Windows\system32\Lkjjma32.exe)
- Modifies registry class
PID: 2856

C:\Windows\SysWOW64\Lnhgim32.exe  (depth 75; command line: C:\Windows\system32\Lnhgim32.exe)
- Modifies registry class
PID: 2600

C:\Windows\SysWOW64\Lgqkbb32.exe  (depth 76; command line: C:\Windows\system32\Lgqkbb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 664

C:\Windows\SysWOW64\Lbfook32.exe  (depth 77; command line: C:\Windows\system32\Lbfook32.exe)
- System Location Discovery: System Language Discovery
PID: 1708

C:\Windows\SysWOW64\Lddlkg32.exe  (depth 78; command line: C:\Windows\system32\Lddlkg32.exe)
PID: 2652

C:\Windows\SysWOW64\Mnmpdlac.exe  (depth 79; command line: C:\Windows\system32\Mnmpdlac.exe)
- System Location Discovery: System Language Discovery
PID: 2888

C:\Windows\SysWOW64\Mqklqhpg.exe  (depth 80; command line: C:\Windows\system32\Mqklqhpg.exe)
PID: 1740

C:\Windows\SysWOW64\Mnomjl32.exe  (depth 81; command line: C:\Windows\system32\Mnomjl32.exe)
- Modifies registry class
PID: 2284

C:\Windows\SysWOW64\Mdiefffn.exe  (depth 82; command line: C:\Windows\system32\Mdiefffn.exe)
PID: 2372

C:\Windows\SysWOW64\Mmdjkhdh.exe  (depth 83; command line: C:\Windows\system32\Mmdjkhdh.exe)
PID: 952

C:\Windows\SysWOW64\Mobfgdcl.exe  (depth 84; command line: C:\Windows\system32\Mobfgdcl.exe)
PID: 1916

C:\Windows\SysWOW64\Mmgfqh32.exe  (depth 85; command line: C:\Windows\system32\Mmgfqh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1700

C:\Windows\SysWOW64\Mpebmc32.exe  (depth 86; command line: C:\Windows\system32\Mpebmc32.exe)
- Drops file in System32 directory
PID: 1188

C:\Windows\SysWOW64\Mcqombic.exe  (depth 87; command line: C:\Windows\system32\Mcqombic.exe)
PID: 2356

C:\Windows\SysWOW64\Mklcadfn.exe  (depth 88; command line: C:\Windows\system32\Mklcadfn.exe)
PID: 1168

C:\Windows\SysWOW64\Mcckcbgp.exe  (depth 89; command line: C:\Windows\system32\Mcckcbgp.exe)
- System Location Discovery: System Language Discovery
PID: 2784

C:\Windows\SysWOW64\Nlnpgd32.exe  (depth 90; command line: C:\Windows\system32\Nlnpgd32.exe)
- System Location Discovery: System Language Discovery
PID: 2724

C:\Windows\SysWOW64\Nibqqh32.exe  (depth 91; command line: C:\Windows\system32\Nibqqh32.exe)
PID: 2756

C:\Windows\SysWOW64\Nlqmmd32.exe  (depth 92; command line: C:\Windows\system32\Nlqmmd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1668

C:\Windows\SysWOW64\Nidmfh32.exe  (depth 93; command line: C:\Windows\system32\Nidmfh32.exe)
PID: 2340

C:\Windows\SysWOW64\Nlcibc32.exe  (depth 94; command line: C:\Windows\system32\Nlcibc32.exe)
PID: 824

C:\Windows\SysWOW64\Ncnngfna.exe  (depth 95; command line: C:\Windows\system32\Ncnngfna.exe)
PID: 404

C:\Windows\SysWOW64\Njhfcp32.exe  (depth 96; command line: C:\Windows\system32\Njhfcp32.exe)
- System Location Discovery: System Language Discovery
PID: 3012

C:\Windows\SysWOW64\Nmfbpk32.exe  (depth 97; command line: C:\Windows\system32\Nmfbpk32.exe)
- System Location Discovery: System Language Discovery
PID: 1936

C:\Windows\SysWOW64\Ndqkleln.exe  (depth 98; command line: C:\Windows\system32\Ndqkleln.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1940

C:\Windows\SysWOW64\Nhlgmd32.exe  (depth 99; command line: C:\Windows\system32\Nhlgmd32.exe)
- Modifies registry class
PID: 1680

C:\Windows\SysWOW64\Njjcip32.exe  (depth 100; command line: C:\Windows\system32\Njjcip32.exe)
- Modifies registry class
PID: 2164

C:\Windows\SysWOW64\Oaghki32.exe  (depth 101; command line: C:\Windows\system32\Oaghki32.exe)
- Modifies registry class
PID: 1512

C:\Windows\SysWOW64\Obhdcanc.exe  (depth 102; command line: C:\Windows\system32\Obhdcanc.exe)
- Drops file in System32 directory
PID: 2464

C:\Windows\SysWOW64\Oplelf32.exe  (depth 103; command line: C:\Windows\system32\Oplelf32.exe)
PID: 2732

C:\Windows\SysWOW64\Objaha32.exe  (depth 104; command line: C:\Windows\system32\Objaha32.exe)
- Modifies registry class
PID: 2872

C:\Windows\SysWOW64\Opnbbe32.exe  (depth 105; command line: C:\Windows\system32\Opnbbe32.exe)
PID: 1864

C:\Windows\SysWOW64\Obmnna32.exe  (depth 106; command line: C:\Windows\system32\Obmnna32.exe)
PID: 792

C:\Windows\SysWOW64\Oiffkkbk.exe  (depth 107; command line: C:\Windows\system32\Oiffkkbk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1504

C:\Windows\SysWOW64\Opqoge32.exe  (depth 108; command line: C:\Windows\system32\Opqoge32.exe)
PID: 2916

C:\Windows\SysWOW64\Oemgplgo.exe  (depth 109; command line: C:\Windows\system32\Oemgplgo.exe)
- Modifies registry class
PID: 2484

C:\Windows\SysWOW64\Plgolf32.exe  (depth 110; command line: C:\Windows\system32\Plgolf32.exe)
PID: 1248

C:\Windows\SysWOW64\Phnpagdp.exe  (depth 111; command line: C:\Windows\system32\Phnpagdp.exe)
- Drops file in System32 directory
PID: 1712

C:\Windows\SysWOW64\Pohhna32.exe  (depth 112; command line: C:\Windows\system32\Pohhna32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2256

C:\Windows\SysWOW64\Pgcmbcih.exe  (depth 113; command line: C:\Windows\system32\Pgcmbcih.exe)
PID: 2176

C:\Windows\SysWOW64\Pmmeon32.exe  (depth 114; command line: C:\Windows\system32\Pmmeon32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2940

C:\Windows\SysWOW64\Pdgmlhha.exe  (depth 115; command line: C:\Windows\system32\Pdgmlhha.exe)
PID: 1968

C:\Windows\SysWOW64\Pidfdofi.exe  (depth 116; command line: C:\Windows\system32\Pidfdofi.exe)
PID: 2884

C:\Windows\SysWOW64\Pcljmdmj.exe  (depth 117; command line: C:\Windows\system32\Pcljmdmj.exe)
PID: 2320

C:\Windows\SysWOW64\Pnbojmmp.exe  (depth 118; command line: C:\Windows\system32\Pnbojmmp.exe)
PID: 1584

C:\Windows\SysWOW64\Qkfocaki.exe  (depth 119; command line: C:\Windows\system32\Qkfocaki.exe)
- System Location Discovery: System Language Discovery
PID: 2172

C:\Windows\SysWOW64\Qndkpmkm.exe  (depth 120; command line: C:\Windows\system32\Qndkpmkm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1664

C:\Windows\SysWOW64\Qgmpibam.exe  (depth 121; command line: C:\Windows\system32\Qgmpibam.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2456

C:\Windows\SysWOW64\Qnghel32.exe  (depth 122; command line: C:\Windows\system32\Qnghel32.exe)
PID: 1424