Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:54

Static task: static1

Behavioral task: behavioral1
Sample: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe
Resource: win10v2004-20241007-en
General
Target: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe
Size: 112KB
MD5: c2ddc875422d1af76b58beffca89c109
SHA1: 6db9d55b71726260f1ff266c02d794025d2979c3
SHA256: b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32
SHA512: 3ede5efdc14a22890c33cf84a0201c93e356d37c3d152c064b2234ead9265265db0ef932e08281cb4e861ff05e0254f9867117d0931b1aa67224c4edf44b907e
SSDEEP: 3072:Uwe5BbcAyqTMJZAH73xnGfeCrywCF5FeJLCQnFIBOaCUjKaVLjd:UpO2MJihnbQywe5FeJLbnCBbC+nVLjd
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes: WerFault.exe (pid 6560), target process Dpapaj32.exe (pid 6520)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkgob32.dll" Dfphcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdefgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgedmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfokinhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oekjjl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Level 1, PID 2500: C:\Users\Admin\AppData\Local\Temp\b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b42fd3c7b30c3e078719490d2729c0af1ccedf82e9c31ab041c17a9c9eeffd32.exe")
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 2, PID 1736: C:\Windows\SysWOW64\Pggdejno.exe (command line: C:\Windows\system32\Pggdejno.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 3, PID 2248: C:\Windows\SysWOW64\Pmdmmalf.exe (command line: C:\Windows\system32\Pmdmmalf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 4, PID 2240: C:\Windows\SysWOW64\Qjhmfekp.exe (command line: C:\Windows\system32\Qjhmfekp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Level 5, PID 2972: C:\Windows\SysWOW64\Qmgibqjc.exe (command line: C:\Windows\system32\Qmgibqjc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 6, PID 2900: C:\Windows\SysWOW64\Qglmpi32.exe (command line: C:\Windows\system32\Qglmpi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Level 7, PID 2076: C:\Windows\SysWOW64\Qqdbiopj.exe (command line: C:\Windows\system32\Qqdbiopj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 8, PID 2672: C:\Windows\SysWOW64\Ajmfad32.exe (command line: C:\Windows\system32\Ajmfad32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 9, PID 2720: C:\Windows\SysWOW64\Aojojl32.exe (command line: C:\Windows\system32\Aojojl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 10, PID 672: C:\Windows\SysWOW64\Aeggbbci.exe (command line: C:\Windows\system32\Aeggbbci.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 11, PID 2504: C:\Windows\SysWOW64\Amnocpdk.exe (command line: C:\Windows\system32\Amnocpdk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 12, PID 2204: C:\Windows\SysWOW64\Abkhkgbb.exe (command line: C:\Windows\system32\Abkhkgbb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 13, PID 2920: C:\Windows\SysWOW64\Aapemc32.exe (command line: C:\Windows\system32\Aapemc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 14, PID 2040: C:\Windows\SysWOW64\Ajhiei32.exe (command line: C:\Windows\system32\Ajhiei32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 15, PID 2376: C:\Windows\SysWOW64\Aennba32.exe (command line: C:\Windows\system32\Aennba32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 16, PID 600: C:\Windows\SysWOW64\Agljom32.exe (command line: C:\Windows\system32\Agljom32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Level 17, PID 2300: C:\Windows\SysWOW64\Badnhbce.exe (command line: C:\Windows\system32\Badnhbce.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 18, PID 2608: C:\Windows\SysWOW64\Bgnfdm32.exe (command line: C:\Windows\system32\Bgnfdm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Level 19, PID 976: C:\Windows\SysWOW64\Bagkmb32.exe (command line: C:\Windows\system32\Bagkmb32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 20, PID 892: C:\Windows\SysWOW64\Bgqcjlhp.exe (command line: C:\Windows\system32\Bgqcjlhp.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 21, PID 1092: C:\Windows\SysWOW64\Baigca32.exe (command line: C:\Windows\system32\Baigca32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 22, PID 1036: C:\Windows\SysWOW64\Bplhnoej.exe (command line: C:\Windows\system32\Bplhnoej.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 23, PID 396: C:\Windows\SysWOW64\Bbjdjjdn.exe (command line: C:\Windows\system32\Bbjdjjdn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Level 24, PID 876: C:\Windows\SysWOW64\Bffpki32.exe (command line: C:\Windows\system32\Bffpki32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 25, PID 304: C:\Windows\SysWOW64\Bmbemb32.exe (command line: C:\Windows\system32\Bmbemb32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 26, PID 1936: C:\Windows\SysWOW64\Bpqain32.exe (command line: C:\Windows\system32\Bpqain32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
Level 27, PID 2468: C:\Windows\SysWOW64\Chlfnp32.exe (command line: C:\Windows\system32\Chlfnp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Level 28, PID 2192: C:\Windows\SysWOW64\Cpcnonob.exe (command line: C:\Windows\system32\Cpcnonob.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 29, PID 2232: C:\Windows\SysWOW64\Cjmopkla.exe (command line: C:\Windows\system32\Cjmopkla.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 30, PID 2880: C:\Windows\SysWOW64\Cafgle32.exe (command line: C:\Windows\system32\Cafgle32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Level 31, PID 2820: C:\Windows\SysWOW64\Chqoipkk.exe (command line: C:\Windows\system32\Chqoipkk.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Level 32, PID 2956: C:\Windows\SysWOW64\Ckolek32.exe (command line: C:\Windows\system32\Ckolek32.exe)
- Executes dropped EXE
- Loads dropped DLL
Level 33, PID 2684: C:\Windows\SysWOW64\Cffljlpc.exe (command line: C:\Windows\system32\Cffljlpc.exe)
- Executes dropped EXE
- Modifies registry class
Level 34, PID 2540: C:\Windows\SysWOW64\Cakqgeoi.exe (command line: C:\Windows\system32\Cakqgeoi.exe)
- Executes dropped EXE
Level 35, PID 3060: C:\Windows\SysWOW64\Ckcepj32.exe (command line: C:\Windows\system32\Ckcepj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
Level 36, PID 2912: C:\Windows\SysWOW64\Danmmd32.exe (command line: C:\Windows\system32\Danmmd32.exe)
- Executes dropped EXE
Level 37, PID 3052: C:\Windows\SysWOW64\Dpqnhadq.exe (command line: C:\Windows\system32\Dpqnhadq.exe)
- Executes dropped EXE
Level 38, PID 2548: C:\Windows\SysWOW64\Diibag32.exe (command line: C:\Windows\system32\Diibag32.exe)
- Executes dropped EXE
- Drops file in System32 directory
Level 39, PID 1084: C:\Windows\SysWOW64\Dgmbkk32.exe (command line: C:\Windows\system32\Dgmbkk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
Level 40, PID 1900: C:\Windows\SysWOW64\Depbfhpe.exe (command line: C:\Windows\system32\Depbfhpe.exe)
- Executes dropped EXE
Level 41, PID 2372: C:\Windows\SysWOW64\Dmgkgeah.exe (command line: C:\Windows\system32\Dmgkgeah.exe)
- Executes dropped EXE
Level 42, PID 2368: C:\Windows\SysWOW64\Debplg32.exe (command line: C:\Windows\system32\Debplg32.exe)
- Executes dropped EXE
Level 43, PID 1032: C:\Windows\SysWOW64\Dllhhaep.exe (command line: C:\Windows\system32\Dllhhaep.exe)
- Executes dropped EXE
Level 44, PID 1328: C:\Windows\SysWOW64\Diphbfdi.exe (command line: C:\Windows\system32\Diphbfdi.exe)
- Executes dropped EXE
Level 45, PID 1524: C:\Windows\SysWOW64\Dlndnacm.exe (command line: C:\Windows\system32\Dlndnacm.exe)
- Executes dropped EXE
Level 46, PID 900: C:\Windows\SysWOW64\Degiggjm.exe (command line: C:\Windows\system32\Degiggjm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 47, PID 1192: C:\Windows\SysWOW64\Elqaca32.exe (command line: C:\Windows\system32\Elqaca32.exe)
- Executes dropped EXE
Level 48, PID 2596: C:\Windows\SysWOW64\Eoompl32.exe (command line: C:\Windows\system32\Eoompl32.exe)
- Executes dropped EXE
Level 49, PID 2568: C:\Windows\SysWOW64\Eamilh32.exe (command line: C:\Windows\system32\Eamilh32.exe)
- Executes dropped EXE
Level 50, PID 2444: C:\Windows\SysWOW64\Ehgbhbgn.exe (command line: C:\Windows\system32\Ehgbhbgn.exe)
- Executes dropped EXE
Level 51, PID 2436: C:\Windows\SysWOW64\Eoajel32.exe (command line: C:\Windows\system32\Eoajel32.exe)
- Executes dropped EXE
- Modifies registry class
Level 52, PID 2236: C:\Windows\SysWOW64\Eapfagno.exe (command line: C:\Windows\system32\Eapfagno.exe)
- Executes dropped EXE
Level 53, PID 2948: C:\Windows\SysWOW64\Ednbncmb.exe (command line: C:\Windows\system32\Ednbncmb.exe)
- Executes dropped EXE
Level 54, PID 2812: C:\Windows\SysWOW64\Egmojnlf.exe (command line: C:\Windows\system32\Egmojnlf.exe)
- Executes dropped EXE
Level 55, PID 2792: C:\Windows\SysWOW64\Ejkkfjkj.exe (command line: C:\Windows\system32\Ejkkfjkj.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
Level 56, PID 2780: C:\Windows\SysWOW64\Epecbd32.exe (command line: C:\Windows\system32\Epecbd32.exe)
- Executes dropped EXE
Level 57, PID 3044: C:\Windows\SysWOW64\Eccpoo32.exe (command line: C:\Windows\system32\Eccpoo32.exe)
- Executes dropped EXE
Level 58, PID 1284: C:\Windows\SysWOW64\Ekjgpm32.exe (command line: C:\Windows\system32\Ekjgpm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
Level 59, PID 2516: C:\Windows\SysWOW64\Ejmhkiig.exe (command line: C:\Windows\system32\Ejmhkiig.exe)
- Executes dropped EXE
Level 60, PID 1256: C:\Windows\SysWOW64\Epgphcqd.exe (command line: C:\Windows\system32\Epgphcqd.exe)
- Executes dropped EXE
Level 61, PID 2360: C:\Windows\SysWOW64\Edclib32.exe (command line: C:\Windows\system32\Edclib32.exe)
- Executes dropped EXE
- Modifies registry class
Level 62, PID 1612: C:\Windows\SysWOW64\Efdhpjok.exe (command line: C:\Windows\system32\Efdhpjok.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Level 63, PID 2336: C:\Windows\SysWOW64\Ejpdai32.exe (command line: C:\Windows\system32\Ejpdai32.exe)
- Executes dropped EXE
Level 64, PID 2228: C:\Windows\SysWOW64\Elnqmd32.exe (command line: C:\Windows\system32\Elnqmd32.exe)
- Executes dropped EXE
- Drops file in System32 directory
Level 65, PID 836: C:\Windows\SysWOW64\Eolmip32.exe (command line: C:\Windows\system32\Eolmip32.exe)
- Executes dropped EXE
Level 66, PID 2092: C:\Windows\SysWOW64\Fgcejm32.exe (command line: C:\Windows\system32\Fgcejm32.exe)
- Modifies registry class
Level 67, PID 1000: C:\Windows\SysWOW64\Fjbafi32.exe (command line: C:\Windows\system32\Fjbafi32.exe)
Level 68, PID 868: C:\Windows\SysWOW64\Flqmbd32.exe (command line: C:\Windows\system32\Flqmbd32.exe)
Level 69, PID 2180: C:\Windows\SysWOW64\Fbmfkkbm.exe (command line: C:\Windows\system32\Fbmfkkbm.exe)
Level 70, PID 2588: C:\Windows\SysWOW64\Ffibkj32.exe (command line: C:\Windows\system32\Ffibkj32.exe)
Level 71, PID 2992: C:\Windows\SysWOW64\Fjdnlhco.exe (command line: C:\Windows\system32\Fjdnlhco.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
Level 72, PID 2876: C:\Windows\SysWOW64\Fkejcq32.exe (command line: C:\Windows\system32\Fkejcq32.exe)
Level 73, PID 2968: C:\Windows\SysWOW64\Foafdoag.exe (command line: C:\Windows\system32\Foafdoag.exe)
- Drops file in System32 directory
Level 74, PID 2712: C:\Windows\SysWOW64\Ffkoai32.exe (command line: C:\Windows\system32\Ffkoai32.exe)
Level 75, PID 2620: C:\Windows\SysWOW64\Fhikme32.exe (command line: C:\Windows\system32\Fhikme32.exe)
Level 76, PID 3028: C:\Windows\SysWOW64\Foccjood.exe (command line: C:\Windows\system32\Foccjood.exe)
Level 77, PID 3012: C:\Windows\SysWOW64\Ffmkfifa.exe (command line: C:\Windows\system32\Ffmkfifa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Level 78, PID 544: C:\Windows\SysWOW64\Filgbdfd.exe (command line: C:\Windows\system32\Filgbdfd.exe)
Level 79, PID 536: C:\Windows\SysWOW64\Fgohna32.exe (command line: C:\Windows\system32\Fgohna32.exe)
Level 80, PID 772: C:\Windows\SysWOW64\Fnipkkdl.exe (command line: C:\Windows\system32\Fnipkkdl.exe)
Level 81, PID 296: C:\Windows\SysWOW64\Fqglggcp.exe (command line: C:\Windows\system32\Fqglggcp.exe)
- System Location Discovery: System Language Discovery
Level 82, PID 1792: C:\Windows\SysWOW64\Fdbhge32.exe (command line: C:\Windows\system32\Fdbhge32.exe)
Level 83, PID 1688: C:\Windows\SysWOW64\Fgadda32.exe (command line: C:\Windows\system32\Fgadda32.exe)
Level 84, PID 1972: C:\Windows\SysWOW64\Gnkmqkbi.exe (command line: C:\Windows\system32\Gnkmqkbi.exe)
Level 85, PID 1276: C:\Windows\SysWOW64\Gqiimfam.exe (command line: C:\Windows\system32\Gqiimfam.exe)
- System Location Discovery: System Language Discovery
Level 86, PID 1984: C:\Windows\SysWOW64\Ggcaiqhj.exe (command line: C:\Windows\system32\Ggcaiqhj.exe)
Level 87, PID 2120: C:\Windows\SysWOW64\Gcjbna32.exe (command line: C:\Windows\system32\Gcjbna32.exe)
Level 88, PID 2784: C:\Windows\SysWOW64\Gjdjklek.exe (command line: C:\Windows\system32\Gjdjklek.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
Level 89, PID 2772: C:\Windows\SysWOW64\Gnpflj32.exe (command line: C:\Windows\system32\Gnpflj32.exe)
Level 90, PID 2728: C:\Windows\SysWOW64\Gpabcbdb.exe (command line: C:\Windows\system32\Gpabcbdb.exe)
Level 91, PID 1624: C:\Windows\SysWOW64\Gcmoda32.exe (command line: C:\Windows\system32\Gcmoda32.exe)
Level 92, PID 3056: C:\Windows\SysWOW64\Gjfgqk32.exe (command line: C:\Windows\system32\Gjfgqk32.exe)
Level 93, PID 1696: C:\Windows\SysWOW64\Gmecmg32.exe (command line: C:\Windows\system32\Gmecmg32.exe)
- Modifies registry class
Level 94, PID 2256: C:\Windows\SysWOW64\Gpcoib32.exe (command line: C:\Windows\system32\Gpcoib32.exe)
- Drops file in System32 directory
Level 95, PID 1488: C:\Windows\SysWOW64\Gbaken32.exe (command line: C:\Windows\system32\Gbaken32.exe)
- Modifies registry class
Level 96, PID 1528: C:\Windows\SysWOW64\Gmgpbf32.exe (command line: C:\Windows\system32\Gmgpbf32.exe)
Level 97, PID 1512: C:\Windows\SysWOW64\Gljpncgc.exe (command line: C:\Windows\system32\Gljpncgc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
Level 98, PID 1252: C:\Windows\SysWOW64\Gcahoqhf.exe (command line: C:\Windows\system32\Gcahoqhf.exe)
- System Location Discovery: System Language Discovery
Level 99, PID 2116: C:\Windows\SysWOW64\Hinqgg32.exe (command line: C:\Windows\system32\Hinqgg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Level 100, PID 1572: C:\Windows\SysWOW64\Hnkion32.exe (command line: C:\Windows\system32\Hnkion32.exe)
Level 101, PID 2892: C:\Windows\SysWOW64\Hfbaql32.exe (command line: C:\Windows\system32\Hfbaql32.exe)
Level 102, PID 2936: C:\Windows\SysWOW64\Hbiaemkk.exe (command line: C:\Windows\system32\Hbiaemkk.exe)
Level 103, PID 2700: C:\Windows\SysWOW64\Hegnahjo.exe (command line: C:\Windows\system32\Hegnahjo.exe)
Level 104, PID 1296: C:\Windows\SysWOW64\Hjdfjo32.exe (command line: C:\Windows\system32\Hjdfjo32.exe)
- System Location Discovery: System Language Discovery
Level 105, PID 2908: C:\Windows\SysWOW64\Hnpbjnpo.exe (command line: C:\Windows\system32\Hnpbjnpo.exe)
Level 106, PID 1804: C:\Windows\SysWOW64\Hhhgcc32.exe (command line: C:\Windows\system32\Hhhgcc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
Level 107, PID 484: C:\Windows\SysWOW64\Hmeolj32.exe (command line: C:\Windows\system32\Hmeolj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
Level 108, PID 1508: C:\Windows\SysWOW64\Hndlem32.exe (command line: C:\Windows\system32\Hndlem32.exe)
Level 109, PID 1340: C:\Windows\SysWOW64\Ipehmebh.exe (command line: C:\Windows\system32\Ipehmebh.exe)
Level 110, PID 2456: C:\Windows\SysWOW64\Ifoqjo32.exe (command line: C:\Windows\system32\Ifoqjo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Level 111, PID 2340: C:\Windows\SysWOW64\Imiigiab.exe (command line: C:\Windows\system32\Imiigiab.exe)
Level 112, PID 2156: C:\Windows\SysWOW64\Iphecepe.exe (command line: C:\Windows\system32\Iphecepe.exe)
Level 113, PID 2448: C:\Windows\SysWOW64\Idcacc32.exe (command line: C:\Windows\system32\Idcacc32.exe)
Level 114, PID 2828: C:\Windows\SysWOW64\Ijmipn32.exe (command line: C:\Windows\system32\Ijmipn32.exe)
Level 115, PID 2724: C:\Windows\SysWOW64\Iipiljgf.exe (command line: C:\Windows\system32\Iipiljgf.exe)
Level 116, PID 784: C:\Windows\SysWOW64\Ilofhffj.exe (command line: C:\Windows\system32\Ilofhffj.exe)
- Modifies registry class
Level 117, PID 2868: C:\Windows\SysWOW64\Ipjahd32.exe (command line: C:\Windows\system32\Ipjahd32.exe)
Level 118, PID 3000: C:\Windows\SysWOW64\Idfnicfl.exe (command line: C:\Windows\system32\Idfnicfl.exe)
Level 119, PID 2964: C:\Windows\SysWOW64\Ifdjeoep.exe (command line: C:\Windows\system32\Ifdjeoep.exe)
Level 120, PID 1856: C:\Windows\SysWOW64\Iibfajdc.exe (command line: C:\Windows\system32\Iibfajdc.exe)
Level 121, PID 2344: C:\Windows\SysWOW64\Imnbbi32.exe (command line: C:\Windows\system32\Imnbbi32.exe)
- Modifies registry class
Level 122, PID 2432: C:\Windows\SysWOW64\Iplnnd32.exe (command line: C:\Windows\system32\Iplnnd32.exe)