Analysis
max time kernel: 33s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 16:41
Static task: static1
Behavioral task: behavioral1
Sample: fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
Resource: win10v2004-20241007-en
General
Target: fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
Size: 669KB
MD5: d424400d808b8a2789ff2ad5803c4080
SHA1: fa8ea06415a662a5d5e3877a44e61bb03bdd48d5
SHA256: fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73d
SHA512: ef6d8fcde148843bb832d49942b216311fdc70cd78bf156425560c484667052f786b42e9f7ddd17aabe1078b71f06dcbdf861780ca03cd8ccdadda6b05287c45
SSDEEP: 12288:Y5Q8GeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:0xchMpQnqrdX72LbY6x46uR/qYglMi
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Bhjngnod.exe, Agilkijf.exe, Mbkkepio.exe, Nndhpqma.exe, Oinbglkm.exe, Ihooog32.exe, Nqakim32.exe, Hjkbfpah.exe, Icjmpd32.exe, Jkdalb32.exe, Bnhjae32.exe, Cjljpjjk.exe, Cafbmdbh.exe, Fcegdnna.exe, Pogaeg32.exe, Himkgf32.exe, Kfenjq32.exe, Cconcjae.exe, Domffn32.exe, Dfegjknm.exe, Eiocbd32.exe, Eiimci32.exe, Jbdokceo.exe, Mgaqohql.exe, Cfjdfg32.exe, Faonqiod.exe, Nplkhh32.exe, Dieiap32.exe, Eabeal32.exe, Gojkecka.exe, Nplhooec.exe, Jlgcncli.exe, Lppkgi32.exe, Piiekp32.exe, Eoanij32.exe, Epnldd32.exe, Eamdlf32.exe, Eaoaafli.exe, Imkqmh32.exe, Plljbkml.exe, Fomndhng.exe, Fnnobl32.exe, Fefpfi32.exe, Jafilj32.exe, Kidjfl32.exe, Gebiefle.exe, Hkkaik32.exe, Lfgaaa32.exe, Acnpjj32.exe, Aqddcdbo.exe, Mdhnnl32.exe, Cnjbfhqa.exe, Niilmi32.exe, Nfhpjaba.exe, fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe, Ankabh32.exe, Gdgcnj32.exe, Mqjehngm.exe, Ekgfkl32.exe, Hedllgjk.exe, Olehbh32.exe, Mkpieggc.exe, Pahjgb32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bhjngnod.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agilkijf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbkkepio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nndhpqma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oinbglkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihooog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqakim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjkbfpah.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icjmpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkdalb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnhjae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjljpjjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cafbmdbh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcegdnna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pogaeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Himkgf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfenjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cconcjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Domffn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfegjknm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiocbd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiimci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbdokceo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgaqohql.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfjdfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Faonqiod.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nplkhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dieiap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eabeal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gojkecka.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nplhooec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlgcncli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lppkgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piiekp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eoanij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epnldd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eamdlf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaoaafli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imkqmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Plljbkml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fomndhng.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnnobl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fefpfi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jafilj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfenjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kidjfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gebiefle.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkkaik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lfgaaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Acnpjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aqddcdbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdhnnl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnjbfhqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Niilmi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfhpjaba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ankabh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdgcnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mqjehngm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekgfkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hedllgjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olehbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mkpieggc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pahjgb32.exe
Berbew family
Executes dropped EXE (64 IoCs)
Processes: Lddoopbi.exe, Lbjlnd32.exe, Ldkeoo32.exe, Ljhngfkh.exe, Mipgnbnn.exe, Mkpppmko.exe, Mbmebgpi.exe, Nhljpmlm.exe, Nnfbmgcj.exe, Nplhooec.exe, Npneeocq.exe, Ofmgmhgh.exe, Oohlaj32.exe, Oojhfj32.exe, Oedqcdim.exe, Pcagkmaj.exe, Pikohg32.exe, Plneoace.exe, Qchmll32.exe, Qefihg32.exe, Qoonqmqf.exe, Qlbnja32.exe, Aoakfl32.exe, Ahioobed.exe, Akhkkmdh.exe, Aqddcdbo.exe, Anhdmh32.exe, Aklefm32.exe, Ankabh32.exe, Aqljdclg.exe, Agebam32.exe, Afhbljko.exe, Bjfkbhae.exe, Bikhce32.exe, Bmgddcnf.exe, Bfphmi32.exe, Bgqeea32.exe, Baiingae.exe, Bipaodah.exe, Cakfcfoc.exe, Ccjbobnf.exe, Cgeopqfp.exe, Cjdkllec.exe, Cfkkam32.exe, Cmdcngbd.exe, Cfmhfm32.exe, Cikdbhhi.exe, Cmgpcg32.exe, Ccaipaho.exe, Cfoellgb.exe, Ccceeqfl.exe, Cipnng32.exe, Dlnjjc32.exe, Domffn32.exe, Dibjcg32.exe, Dlqgob32.exe, Danohi32.exe, Dkfcqo32.exe, Dbmlal32.exe, Dekhnh32.exe, Dkhpfo32.exe, Dmgmbj32.exe, Dhlapc32.exe, Dmiihjak.exe
pid | Process
2256 | Lddoopbi.exe
2208 | Lbjlnd32.exe
2948 | Ldkeoo32.exe
3036 | Ljhngfkh.exe
2700 | Mipgnbnn.exe
2760 | Mkpppmko.exe
2528 | Mbmebgpi.exe
2508 | Nhljpmlm.exe
3040 | Nnfbmgcj.exe
1324 | Nplhooec.exe
1336 | Npneeocq.exe
2040 | Ofmgmhgh.exe
2008 | Oohlaj32.exe
2224 | Oojhfj32.exe
1964 | Oedqcdim.exe
2600 | Pcagkmaj.exe
1656 | Pikohg32.exe
1992 | Plneoace.exe
2408 | Qchmll32.exe
1008 | Qefihg32.exe
1696 | Qoonqmqf.exe
1396 | Qlbnja32.exe
1560 | Aoakfl32.exe
1712 | Ahioobed.exe
3044 | Akhkkmdh.exe
1724 | Aqddcdbo.exe
2452 | Anhdmh32.exe
2220 | Aklefm32.exe
2992 | Ankabh32.exe
2612 | Aqljdclg.exe
2644 | Agebam32.exe
2340 | Afhbljko.exe
2376 | Bjfkbhae.exe
3012 | Bikhce32.exe
2980 | Bmgddcnf.exe
2412 | Bfphmi32.exe
1728 | Bgqeea32.exe
1752 | Baiingae.exe
1496 | Bipaodah.exe
1788 | Cakfcfoc.exe
2064 | Ccjbobnf.exe
2472 | Cgeopqfp.exe
572 | Cjdkllec.exe
2908 | Cfkkam32.exe
1948 | Cmdcngbd.exe
1704 | Cfmhfm32.exe
1616 | Cikdbhhi.exe
1628 | Cmgpcg32.exe
1864 | Ccaipaho.exe
2312 | Cfoellgb.exe
2924 | Ccceeqfl.exe
2996 | Cipnng32.exe
720 | Dlnjjc32.exe
1156 | Domffn32.exe
2608 | Dibjcg32.exe
1772 | Dlqgob32.exe
2524 | Danohi32.exe
840 | Dkfcqo32.exe
536 | Dbmlal32.exe
948 | Dekhnh32.exe
2852 | Dkhpfo32.exe
2156 | Dmgmbj32.exe
2100 | Dhlapc32.exe
844 | Dmiihjak.exe
Loads dropped DLL (64 IoCs)
Processes: fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe, Lddoopbi.exe, Lbjlnd32.exe, Ldkeoo32.exe, Ljhngfkh.exe, Mipgnbnn.exe, Mkpppmko.exe, Mbmebgpi.exe, Nhljpmlm.exe, Nnfbmgcj.exe, Nplhooec.exe, Npneeocq.exe, Ofmgmhgh.exe, Oohlaj32.exe, Oojhfj32.exe, Oedqcdim.exe, Pcagkmaj.exe, Pikohg32.exe, Plneoace.exe, Qchmll32.exe, Qefihg32.exe, Qoonqmqf.exe, Qlbnja32.exe, Aoakfl32.exe, Ahioobed.exe, Akhkkmdh.exe, Aqddcdbo.exe, Anhdmh32.exe, Aklefm32.exe, Ankabh32.exe, Aqljdclg.exe, Agebam32.exe
pid | Process
1820 | fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
1820 | fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
2256 | Lddoopbi.exe
2256 | Lddoopbi.exe
2208 | Lbjlnd32.exe
2208 | Lbjlnd32.exe
2948 | Ldkeoo32.exe
2948 | Ldkeoo32.exe
3036 | Ljhngfkh.exe
3036 | Ljhngfkh.exe
2700 | Mipgnbnn.exe
2700 | Mipgnbnn.exe
2760 | Mkpppmko.exe
2760 | Mkpppmko.exe
2528 | Mbmebgpi.exe
2528 | Mbmebgpi.exe
2508 | Nhljpmlm.exe
2508 | Nhljpmlm.exe
3040 | Nnfbmgcj.exe
3040 | Nnfbmgcj.exe
1324 | Nplhooec.exe
1324 | Nplhooec.exe
1336 | Npneeocq.exe
1336 | Npneeocq.exe
2040 | Ofmgmhgh.exe
2040 | Ofmgmhgh.exe
2008 | Oohlaj32.exe
2008 | Oohlaj32.exe
2224 | Oojhfj32.exe
2224 | Oojhfj32.exe
1964 | Oedqcdim.exe
1964 | Oedqcdim.exe
2600 | Pcagkmaj.exe
2600 | Pcagkmaj.exe
1656 | Pikohg32.exe
1656 | Pikohg32.exe
1992 | Plneoace.exe
1992 | Plneoace.exe
2408 | Qchmll32.exe
2408 | Qchmll32.exe
1008 | Qefihg32.exe
1008 | Qefihg32.exe
1696 | Qoonqmqf.exe
1696 | Qoonqmqf.exe
1396 | Qlbnja32.exe
1396 | Qlbnja32.exe
1560 | Aoakfl32.exe
1560 | Aoakfl32.exe
1712 | Ahioobed.exe
1712 | Ahioobed.exe
3044 | Akhkkmdh.exe
3044 | Akhkkmdh.exe
1724 | Aqddcdbo.exe
1724 | Aqddcdbo.exe
2452 | Anhdmh32.exe
2452 | Anhdmh32.exe
2220 | Aklefm32.exe
2220 | Aklefm32.exe
2992 | Ankabh32.exe
2992 | Ankabh32.exe
2612 | Aqljdclg.exe
2612 | Aqljdclg.exe
2644 | Agebam32.exe
2644 | Agebam32.exe
Drops file in System32 directory (64 IoCs)
Processes: Gpccgppq.exe, Iokdaa32.exe, Mqhhbn32.exe, Ofefqf32.exe, Pahjgb32.exe, Dippfplg.exe, Ankabh32.exe, Npfhjifm.exe, Igioiacg.exe, Denglpkc.exe, Gebiefle.exe, Kjlgaa32.exe, Mnakjaoc.exe, Ihooog32.exe, Lcfhpf32.exe, Anfjpa32.exe, Jhahcjcf.exe, Omjeba32.exe, Bdoeipjh.exe, Laknfmgd.exe, Dieiap32.exe, Mbbkabdh.exe, Djcpqidc.exe, Inajql32.exe, Egfglocf.exe, Febjmj32.exe, Fkocfa32.exe, Gojkecka.exe, Kanfgofa.exe, Hopgikop.exe, Aimkeb32.exe, Ephhmn32.exe, Mkpppmko.exe, Cfoellgb.exe, Cipnng32.exe, Kkigfdjo.exe, Nmhlnngi.exe, Popkeh32.exe, Qdkpomkb.exe, Hqkmahpp.exe, Iigehk32.exe, Jalmcl32.exe, Nbbhpegc.exe, Nlklik32.exe, Nbinad32.exe, Kbokda32.exe, Fangfcki.exe, Cafbmdbh.exe, Imidgh32.exe, Pnodjb32.exe, Qefihg32.exe, Kphpdhdh.exe, Mqoocmcg.exe, Cfekkgla.exe, Dfegjknm.exe, Gafcahil.exe, Cohlnkeg.exe, Oojhfj32.exe, Plneoace.exe, Gnphfppi.exe, Ppjjcogn.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\Jlcffk32.dll | Gpccgppq.exe
File created | C:\Windows\SysWOW64\Leialh32.dll | Iokdaa32.exe
File created | C:\Windows\SysWOW64\Cbdfql32.dll | Mqhhbn32.exe
File opened for modification | C:\Windows\SysWOW64\Oegflcbj.exe | Ofefqf32.exe
File created | C:\Windows\SysWOW64\Ekaeoj32.dll | Pahjgb32.exe
File created | C:\Windows\SysWOW64\Dkolblkk.exe | Dippfplg.exe
File opened for modification | C:\Windows\SysWOW64\Aqljdclg.exe | Ankabh32.exe
File opened for modification | C:\Windows\SysWOW64\Nlmiojla.exe | Npfhjifm.exe
File created | C:\Windows\SysWOW64\Iabcbg32.exe | Igioiacg.exe
File created | C:\Windows\SysWOW64\Gojcia32.dll | Denglpkc.exe
File created | C:\Windows\SysWOW64\Gllabp32.exe | Gebiefle.exe
File created | C:\Windows\SysWOW64\Ggadkn32.dll | Kjlgaa32.exe
File created | C:\Windows\SysWOW64\Jbkicgjf.dll | Mnakjaoc.exe
File created | C:\Windows\SysWOW64\Kifbahjj.dll | Ihooog32.exe
File created | C:\Windows\SysWOW64\Aadlgk32.dll | Lcfhpf32.exe
File created | C:\Windows\SysWOW64\Olohicod.dll | Anfjpa32.exe
File created | C:\Windows\SysWOW64\Qbdjnieg.dll | Jhahcjcf.exe
File created | C:\Windows\SysWOW64\Oaeacppk.exe | Omjeba32.exe
File created | C:\Windows\SysWOW64\Bjlnaghp.exe | Bdoeipjh.exe
File created | C:\Windows\SysWOW64\Lghgocek.exe | Laknfmgd.exe
File created | C:\Windows\SysWOW64\Dbmnjenb.exe | Dieiap32.exe
File created | C:\Windows\SysWOW64\Mdahnmck.exe | Mbbkabdh.exe
File opened for modification | C:\Windows\SysWOW64\Dbneekan.exe | Djcpqidc.exe
File created | C:\Windows\SysWOW64\Icnbic32.exe | Inajql32.exe
File created | C:\Windows\SysWOW64\Ambcga32.dll | Egfglocf.exe
File created | C:\Windows\SysWOW64\Bhimgpgk.dll | Febjmj32.exe
File created | C:\Windows\SysWOW64\Fnnobl32.exe | Fkocfa32.exe
File opened for modification | C:\Windows\SysWOW64\Gdgcnj32.exe | Gojkecka.exe
File created | C:\Windows\SysWOW64\Khhndi32.exe | Kanfgofa.exe
File created | C:\Windows\SysWOW64\Mbenmb32.dll | Hopgikop.exe
File created | C:\Windows\SysWOW64\Ghbode32.dll | Aimkeb32.exe
File opened for modification | C:\Windows\SysWOW64\Dhmchljg.exe | Denglpkc.exe
File created | C:\Windows\SysWOW64\Efbpihoo.exe | Ephhmn32.exe
File created | C:\Windows\SysWOW64\Cnnelfmp.dll | Mkpppmko.exe
File created | C:\Windows\SysWOW64\Kfimea32.dll | Cfoellgb.exe
File created | C:\Windows\SysWOW64\Dlnjjc32.exe | Cipnng32.exe
File opened for modification | C:\Windows\SysWOW64\Kjlgaa32.exe | Kkigfdjo.exe
File created | C:\Windows\SysWOW64\Ecoobjme.dll | Nmhlnngi.exe
File created | C:\Windows\SysWOW64\Pejcab32.exe | Popkeh32.exe
File opened for modification | C:\Windows\SysWOW64\Acnpjj32.exe | Qdkpomkb.exe
File opened for modification | C:\Windows\SysWOW64\Hkpaoape.exe | Hqkmahpp.exe
File created | C:\Windows\SysWOW64\Ibpjaagi.exe | Iigehk32.exe
File opened for modification | C:\Windows\SysWOW64\Jkdalb32.exe | Jalmcl32.exe
File created | C:\Windows\SysWOW64\Joeido32.dll | Nbbhpegc.exe
File opened for modification | C:\Windows\SysWOW64\Npfhjifm.exe | Nlklik32.exe
File created | C:\Windows\SysWOW64\Nalnmahf.exe | Nbinad32.exe
File created | C:\Windows\SysWOW64\Khkdmh32.exe | Kbokda32.exe
File created | C:\Windows\SysWOW64\Bkbjlk32.dll | Fangfcki.exe
File opened for modification | C:\Windows\SysWOW64\Cnjbfhqa.exe | Cafbmdbh.exe
File opened for modification | C:\Windows\SysWOW64\Ipgpcc32.exe | Imidgh32.exe
File opened for modification | C:\Windows\SysWOW64\Ppqqbjkm.exe | Pnodjb32.exe
File opened for modification | C:\Windows\SysWOW64\Qoonqmqf.exe | Qefihg32.exe
File created | C:\Windows\SysWOW64\Biehgccp.dll | Kphpdhdh.exe
File opened for modification | C:\Windows\SysWOW64\Mjgclcjh.exe | Mqoocmcg.exe
File created | C:\Windows\SysWOW64\Afhklj32.dll | Popkeh32.exe
File created | C:\Windows\SysWOW64\Kimhhpgd.dll | Cfekkgla.exe
File created | C:\Windows\SysWOW64\Cafamgkk.dll | Dfegjknm.exe
File created | C:\Windows\SysWOW64\Gknhjn32.exe | Gafcahil.exe
File opened for modification | C:\Windows\SysWOW64\Dippfplg.exe | Cohlnkeg.exe
File created | C:\Windows\SysWOW64\Ofcbjj32.dll | Oojhfj32.exe
File opened for modification | C:\Windows\SysWOW64\Qchmll32.exe | Plneoace.exe
File opened for modification | C:\Windows\SysWOW64\Gghloe32.exe | Gnphfppi.exe
File created | C:\Windows\SysWOW64\Npfhjifm.exe | Nlklik32.exe
File created | C:\Windows\SysWOW64\Daonbn32.dll | Ppjjcogn.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
5204 | 5412 | WerFault.exe | 545
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Cmgpcg32.exe, Bgfdjfkh.exe, Gghloe32.exe, Elgioe32.exe, Popkeh32.exe, Gkiooocb.exe, Niilmi32.exe, Plljbkml.exe, Fbdpjgjf.exe, Lpmeojbo.exe, Mnpbgbdd.exe, Iamjghnm.exe, Jhndcd32.exe, Khpaidpk.exe, Geplpfnh.exe, Fhnjdfcl.exe, Fkmfpabp.exe, Ojgokflc.exe, Bnhjae32.exe, Lafekm32.exe, Gpccgppq.exe, Gmjbchnq.exe, Jkdalb32.exe, Lfedlb32.exe, Hfmbfkhf.exe, Mliibj32.exe, Mojaceln.exe, Fgibijkb.exe, Hjnaehgj.exe, Ofmgmhgh.exe, Pcagkmaj.exe, Mhlcnl32.exe, Mnneabff.exe, Kpnbcfkc.exe, Qoonqmqf.exe, Cakfcfoc.exe, Pejcab32.exe, Conpdm32.exe, Nmnoll32.exe, Fpcghl32.exe, Nnfbmgcj.exe, Bmgddcnf.exe, Fnnobl32.exe, Gjiibm32.exe, Nnpofe32.exe, Nkjeod32.exe, Pedokpcm.exe, Iqmcmaja.exe, Mmcbbo32.exe, Qlcgmpkp.exe, Cafbmdbh.exe, Bbdoec32.exe, Oedqcdim.exe, Dpmlcpdm.exe, Dmffhd32.exe, Ccjbobnf.exe, Ijmkkc32.exe, Pdamhocm.exe, Jepoao32.exe, Naokbq32.exe, Anfjpa32.exe, Denglpkc.exe, Akhkkmdh.exe, Hfdpaqej.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmgpcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgfdjfkh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gghloe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elgioe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Popkeh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkiooocb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Niilmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plljbkml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbdpjgjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpmeojbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnpbgbdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iamjghnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhndcd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khpaidpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Geplpfnh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhnjdfcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkmfpabp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojgokflc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnhjae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lafekm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpccgppq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmjbchnq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkdalb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfedlb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfmbfkhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mliibj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mojaceln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgibijkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjnaehgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofmgmhgh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcagkmaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhlcnl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnneabff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpnbcfkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qoonqmqf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cakfcfoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pejcab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Conpdm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmnoll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpcghl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnfbmgcj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmgddcnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnnobl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjiibm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnpofe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkjeod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pedokpcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iqmcmaja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmcbbo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qlcgmpkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cafbmdbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbdoec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oedqcdim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpmlcpdm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmffhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccjbobnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijmkkc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdamhocm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jepoao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Naokbq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anfjpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Denglpkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akhkkmdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfdpaqej.exe
Modifies registry class (64 IoCs)
Processes: Lcfhpf32.exe, Niilmi32.exe, Ccjehkek.exe, Fholmo32.exe, Fkmfpabp.exe, Hqpahkmj.exe, Nmeohnil.exe, Dbmnjenb.exe, Bfnnpbnn.exe, Efbpihoo.exe, Gcdmikma.exe, Qchmll32.exe, Fkapkq32.exe, Jpfcohfk.exe, Iabcbg32.exe, Pjfdpckc.exe, Cgfqii32.exe, Emnelbdi.exe, Llcfck32.exe, Nnpofe32.exe, Pkihpi32.exe, Jemkai32.exe, Nplkhh32.exe, Qefihg32.exe, Fefpfi32.exe, Iclfccmq.exe, Plljbkml.exe, Cconcjae.exe, Ibpjaagi.exe, Dcfknooi.exe, Eiocbd32.exe, Gaajfi32.exe, Kghkppbp.exe, Hndaao32.exe, Nlmiojla.exe, Bfcnfh32.exe, Jidngh32.exe, Ankabh32.exe, Mqjehngm.exe, Feppqc32.exe, Jlgcncli.exe, Kcahjqfa.exe, Mbkkepio.exe, Agebam32.exe, Bfphmi32.exe, Lphlck32.exe, Ojlife32.exe, Hqkmahpp.exe, Ojakdd32.exe, Pfobjdoe.exe, Gkgbioee.exe, Ephhmn32.exe, fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe, Jhahcjcf.exe, Oldooi32.exe, Feccqime.exe, Nhffikob.exe, Bdoeipjh.exe, Fehmlh32.exe, Cbdkdffm.exe, Ihooog32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lcfhpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libghd32.dll" | Niilmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ccjehkek.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fholmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fkmfpabp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hqpahkmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nmeohnil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeoglnab.dll" | Dbmnjenb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bfnnpbnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Efbpihoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajkfi32.dll" | Gcdmikma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qchmll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabcfg32.dll" | Fkapkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jpfcohfk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iabcbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppencmog.dll" | Pjfdpckc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cgfqii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccaicfb.dll" | Emnelbdi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Llcfck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbldbo32.dll" | Nnpofe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pkihpi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jemkai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nplkhh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qefihg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fefpfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iclfccmq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Plljbkml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cconcjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneacffj.dll" | Ibpjaagi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmaojjod.dll" | Dcfknooi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eiocbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llloeb32.dll" | Gaajfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmfala32.dll" | Kghkppbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkenbb32.dll" | Hndaao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nlmiojla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmapo32.dll" | Bfcnfh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eiocbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jidngh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ankabh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mqjehngm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coccggfi.dll" | Feppqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jlgcncli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koedfbnf.dll" | Kcahjqfa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mbkkepio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Agebam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfphmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lphlck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojlife32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hqkmahpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojakdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pfobjdoe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gkgbioee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ephhmn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jhahcjcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mqjehngm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbmgkoo.dll" | Oldooi32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feccqime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fehmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbdkdffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihooog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmeohnil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe, Lddoopbi.exe, Lbjlnd32.exe, Ldkeoo32.exe, Ljhngfkh.exe, Mipgnbnn.exe, Mkpppmko.exe, Mbmebgpi.exe, Nhljpmlm.exe, Nnfbmgcj.exe, Nplhooec.exe, Npneeocq.exe, Ofmgmhgh.exe, Oohlaj32.exe, Oojhfj32.exe, Oedqcdim.exe
description pid Process procid_target
PID 1820 wrote to memory of 2256 1820 fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe 28
PID 1820 wrote to memory of 2256 1820 fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe 28
PID 1820 wrote to memory of 2256 1820 fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe 28
PID 1820 wrote to memory of 2256 1820 fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe 28
PID 2256 wrote to memory of 2208 2256 Lddoopbi.exe 29
PID 2256 wrote to memory of 2208 2256 Lddoopbi.exe 29
PID 2256 wrote to memory of 2208 2256 Lddoopbi.exe 29
PID 2256 wrote to memory of 2208 2256 Lddoopbi.exe 29
PID 2208 wrote to memory of 2948 2208 Lbjlnd32.exe 30
PID 2208 wrote to memory of 2948 2208 Lbjlnd32.exe 30
PID 2208 wrote to memory of 2948 2208 Lbjlnd32.exe 30
PID 2208 wrote to memory of 2948 2208 Lbjlnd32.exe 30
PID 2948 wrote to memory of 3036 2948 Ldkeoo32.exe 31
PID 2948 wrote to memory of 3036 2948 Ldkeoo32.exe 31
PID 2948 wrote to memory of 3036 2948 Ldkeoo32.exe 31
PID 2948 wrote to memory of 3036 2948 Ldkeoo32.exe 31
PID 3036 wrote to memory of 2700 3036 Ljhngfkh.exe 32
PID 3036 wrote to memory of 2700 3036 Ljhngfkh.exe 32
PID 3036 wrote to memory of 2700 3036 Ljhngfkh.exe 32
PID 3036 wrote to memory of 2700 3036 Ljhngfkh.exe 32
PID 2700 wrote to memory of 2760 2700 Mipgnbnn.exe 33
PID 2700 wrote to memory of 2760 2700 Mipgnbnn.exe 33
PID 2700 wrote to memory of 2760 2700 Mipgnbnn.exe 33
PID 2700 wrote to memory of 2760 2700 Mipgnbnn.exe 33
PID 2760 wrote to memory of 2528 2760 Mkpppmko.exe 34
PID 2760 wrote to memory of 2528 2760 Mkpppmko.exe 34
PID 2760 wrote to memory of 2528 2760 Mkpppmko.exe 34
PID 2760 wrote to memory of 2528 2760 Mkpppmko.exe 34
PID 2528 wrote to memory of 2508 2528 Mbmebgpi.exe 35
PID 2528 wrote to memory of 2508 2528 Mbmebgpi.exe 35
PID 2528 wrote to memory of 2508 2528 Mbmebgpi.exe 35
PID 2528 wrote to memory of 2508 2528 Mbmebgpi.exe 35
PID 2508 wrote to memory of 3040 2508 Nhljpmlm.exe 36
PID 2508 wrote to memory of 3040 2508 Nhljpmlm.exe 36
PID 2508 wrote to memory of 3040 2508 Nhljpmlm.exe 36
PID 2508 wrote to memory of 3040 2508 Nhljpmlm.exe 36
PID 3040 wrote to memory of 1324 3040 Nnfbmgcj.exe 37
PID 3040 wrote to memory of 1324 3040 Nnfbmgcj.exe 37
PID 3040 wrote to memory of 1324 3040 Nnfbmgcj.exe 37
PID 3040 wrote to memory of 1324 3040 Nnfbmgcj.exe 37
PID 1324 wrote to memory of 1336 1324 Nplhooec.exe 38
PID 1324 wrote to memory of 1336 1324 Nplhooec.exe 38
PID 1324 wrote to memory of 1336 1324 Nplhooec.exe 38
PID 1324 wrote to memory of 1336 1324 Nplhooec.exe 38
PID 1336 wrote to memory of 2040 1336 Npneeocq.exe 39
PID 1336 wrote to memory of 2040 1336 Npneeocq.exe 39
PID 1336 wrote to memory of 2040 1336 Npneeocq.exe 39
PID 1336 wrote to memory of 2040 1336 Npneeocq.exe 39
PID 2040 wrote to memory of 2008 2040 Ofmgmhgh.exe 40
PID 2040 wrote to memory of 2008 2040 Ofmgmhgh.exe 40
PID 2040 wrote to memory of 2008 2040 Ofmgmhgh.exe 40
PID 2040 wrote to memory of 2008 2040 Ofmgmhgh.exe 40
PID 2008 wrote to memory of 2224 2008 Oohlaj32.exe 41
PID 2008 wrote to memory of 2224 2008 Oohlaj32.exe 41
PID 2008 wrote to memory of 2224 2008 Oohlaj32.exe 41
PID 2008 wrote to memory of 2224 2008 Oohlaj32.exe 41
PID 2224 wrote to memory of 1964 2224 Oojhfj32.exe 42
PID 2224 wrote to memory of 1964 2224 Oojhfj32.exe 42
PID 2224 wrote to memory of 1964 2224 Oojhfj32.exe 42
PID 2224 wrote to memory of 1964 2224 Oojhfj32.exe 42
PID 1964 wrote to memory of 2600 1964 Oedqcdim.exe 43
PID 1964 wrote to memory of 2600 1964 Oedqcdim.exe 43
PID 1964 wrote to memory of 2600 1964 Oedqcdim.exe 43
PID 1964 wrote to memory of 2600 1964 Oedqcdim.exe 43
Processes
C:\Users\Admin\AppData\Local\Temp\fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe  "C:\Users\Admin\AppData\Local\Temp\fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe"  (depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\Lddoopbi.exe  C:\Windows\system32\Lddoopbi.exe  (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\Lbjlnd32.exe  C:\Windows\system32\Lbjlnd32.exe  (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\Ldkeoo32.exe  C:\Windows\system32\Ldkeoo32.exe  (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\Ljhngfkh.exe  C:\Windows\system32\Ljhngfkh.exe  (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\Mipgnbnn.exe  C:\Windows\system32\Mipgnbnn.exe  (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\Mkpppmko.exe  C:\Windows\system32\Mkpppmko.exe  (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\Mbmebgpi.exe  C:\Windows\system32\Mbmebgpi.exe  (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\Nhljpmlm.exe  C:\Windows\system32\Nhljpmlm.exe  (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\Nnfbmgcj.exe  C:\Windows\system32\Nnfbmgcj.exe  (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\Nplhooec.exe  C:\Windows\system32\Nplhooec.exe  (depth 11)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\Npneeocq.exe  C:\Windows\system32\Npneeocq.exe  (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\Ofmgmhgh.exe  C:\Windows\system32\Ofmgmhgh.exe  (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Oohlaj32.exe  C:\Windows\system32\Oohlaj32.exe  (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\Oojhfj32.exe  C:\Windows\system32\Oojhfj32.exe  (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\Oedqcdim.exe  C:\Windows\system32\Oedqcdim.exe  (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\Pcagkmaj.exe  C:\Windows\system32\Pcagkmaj.exe  (depth 17)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2600

C:\Windows\SysWOW64\Pikohg32.exe  C:\Windows\system32\Pikohg32.exe  (depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:1656

C:\Windows\SysWOW64\Plneoace.exe  C:\Windows\system32\Plneoace.exe  (depth 19)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1992

C:\Windows\SysWOW64\Qchmll32.exe  C:\Windows\system32\Qchmll32.exe  (depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2408

C:\Windows\SysWOW64\Qefihg32.exe  C:\Windows\system32\Qefihg32.exe  (depth 21)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1008

C:\Windows\SysWOW64\Qoonqmqf.exe  C:\Windows\system32\Qoonqmqf.exe  (depth 22)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1696

C:\Windows\SysWOW64\Qlbnja32.exe  C:\Windows\system32\Qlbnja32.exe  (depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:1396

C:\Windows\SysWOW64\Aoakfl32.exe  C:\Windows\system32\Aoakfl32.exe  (depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID:1560

C:\Windows\SysWOW64\Ahioobed.exe  C:\Windows\system32\Ahioobed.exe  (depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:1712

C:\Windows\SysWOW64\Akhkkmdh.exe  C:\Windows\system32\Akhkkmdh.exe  (depth 26)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044

C:\Windows\SysWOW64\Aqddcdbo.exe  C:\Windows\system32\Aqddcdbo.exe  (depth 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1724

C:\Windows\SysWOW64\Anhdmh32.exe  C:\Windows\system32\Anhdmh32.exe  (depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2452

C:\Windows\SysWOW64\Aklefm32.exe  C:\Windows\system32\Aklefm32.exe  (depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2220

C:\Windows\SysWOW64\Ankabh32.exe  C:\Windows\system32\Ankabh32.exe  (depth 30)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2992

C:\Windows\SysWOW64\Aqljdclg.exe  C:\Windows\system32\Aqljdclg.exe  (depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2612

C:\Windows\SysWOW64\Agebam32.exe  C:\Windows\system32\Agebam32.exe  (depth 32)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2644

C:\Windows\SysWOW64\Afhbljko.exe  C:\Windows\system32\Afhbljko.exe  (depth 33)
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\Bjfkbhae.exe  C:\Windows\system32\Bjfkbhae.exe  (depth 34)
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\Bikhce32.exe  C:\Windows\system32\Bikhce32.exe  (depth 35)
- Executes dropped EXE
PID:3012

C:\Windows\SysWOW64\Bmgddcnf.exe  C:\Windows\system32\Bmgddcnf.exe  (depth 36)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980

C:\Windows\SysWOW64\Bfphmi32.exe  C:\Windows\system32\Bfphmi32.exe  (depth 37)
- Executes dropped EXE
- Modifies registry class
PID:2412

C:\Windows\SysWOW64\Bgqeea32.exe  C:\Windows\system32\Bgqeea32.exe  (depth 38)
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\Baiingae.exe  C:\Windows\system32\Baiingae.exe  (depth 39)
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\Bipaodah.exe  C:\Windows\system32\Bipaodah.exe  (depth 40)
- Executes dropped EXE
PID:1496

C:\Windows\SysWOW64\Cakfcfoc.exe  C:\Windows\system32\Cakfcfoc.exe  (depth 41)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1788

C:\Windows\SysWOW64\Ccjbobnf.exe  C:\Windows\system32\Ccjbobnf.exe  (depth 42)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064

C:\Windows\SysWOW64\Cgeopqfp.exe  C:\Windows\system32\Cgeopqfp.exe  (depth 43)
- Executes dropped EXE
PID:2472

C:\Windows\SysWOW64\Cjdkllec.exe  C:\Windows\system32\Cjdkllec.exe  (depth 44)
- Executes dropped EXE
PID:572

C:\Windows\SysWOW64\Cfkkam32.exe  C:\Windows\system32\Cfkkam32.exe  (depth 45)
- Executes dropped EXE
PID:2908

C:\Windows\SysWOW64\Cmdcngbd.exe  C:\Windows\system32\Cmdcngbd.exe  (depth 46)
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\Cfmhfm32.exe  C:\Windows\system32\Cfmhfm32.exe  (depth 47)
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\Cikdbhhi.exe  C:\Windows\system32\Cikdbhhi.exe  (depth 48)
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\Cmgpcg32.exe  C:\Windows\system32\Cmgpcg32.exe  (depth 49)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628

C:\Windows\SysWOW64\Ccaipaho.exe  C:\Windows\system32\Ccaipaho.exe  (depth 50)
- Executes dropped EXE
PID:1864

C:\Windows\SysWOW64\Cfoellgb.exe  C:\Windows\system32\Cfoellgb.exe  (depth 51)
- Executes dropped EXE
- Drops file in System32 directory
PID:2312

C:\Windows\SysWOW64\Ccceeqfl.exe  C:\Windows\system32\Ccceeqfl.exe  (depth 52)
- Executes dropped EXE
PID:2924

C:\Windows\SysWOW64\Cipnng32.exe  C:\Windows\system32\Cipnng32.exe  (depth 53)
- Executes dropped EXE
- Drops file in System32 directory
PID:2996

C:\Windows\SysWOW64\Dlnjjc32.exe  C:\Windows\system32\Dlnjjc32.exe  (depth 54)
- Executes dropped EXE
PID:720

C:\Windows\SysWOW64\Domffn32.exe  C:\Windows\system32\Domffn32.exe  (depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\Dibjcg32.exe  C:\Windows\system32\Dibjcg32.exe  (depth 56)
- Executes dropped EXE
PID:2608

C:\Windows\SysWOW64\Dlqgob32.exe  C:\Windows\system32\Dlqgob32.exe  (depth 57)
- Executes dropped EXE
PID:1772

C:\Windows\SysWOW64\Danohi32.exe  C:\Windows\system32\Danohi32.exe  (depth 58)
- Executes dropped EXE
PID:2524

C:\Windows\SysWOW64\Dkfcqo32.exe  C:\Windows\system32\Dkfcqo32.exe  (depth 59)
- Executes dropped EXE
PID:840

C:\Windows\SysWOW64\Dbmlal32.exe  C:\Windows\system32\Dbmlal32.exe  (depth 60)
- Executes dropped EXE
PID:536

C:\Windows\SysWOW64\Dekhnh32.exe  C:\Windows\system32\Dekhnh32.exe  (depth 61)
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\Dkhpfo32.exe  C:\Windows\system32\Dkhpfo32.exe  (depth 62)
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\Dmgmbj32.exe  C:\Windows\system32\Dmgmbj32.exe  (depth 63)
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\Dhlapc32.exe  C:\Windows\system32\Dhlapc32.exe  (depth 64)
- Executes dropped EXE
PID:2100

C:\Windows\SysWOW64\Dmiihjak.exe  C:\Windows\system32\Dmiihjak.exe  (depth 65)
- Executes dropped EXE
PID:844

C:\Windows\SysWOW64\Ddcadd32.exe  C:\Windows\system32\Ddcadd32.exe  (depth 66)
PID:2684

C:\Windows\SysWOW64\Ehonebqq.exe  C:\Windows\system32\Ehonebqq.exe  (depth 67)
PID:2188

C:\Windows\SysWOW64\Emkfmioh.exe  C:\Windows\system32\Emkfmioh.exe  (depth 68)
PID:3064

C:\Windows\SysWOW64\Epjbienl.exe  C:\Windows\system32\Epjbienl.exe  (depth 69)
PID:2112

C:\Windows\SysWOW64\Ekofgnna.exe  C:\Windows\system32\Ekofgnna.exe  (depth 70)
PID:1280

C:\Windows\SysWOW64\Eplood32.exe  C:\Windows\system32\Eplood32.exe  (depth 71)
PID:2360

C:\Windows\SysWOW64\Egfglocf.exe  C:\Windows\system32\Egfglocf.exe  (depth 72)
- Drops file in System32 directory
PID:2416

C:\Windows\SysWOW64\Eeiggk32.exe  C:\Windows\system32\Eeiggk32.exe  (depth 73)
PID:3004

C:\Windows\SysWOW64\Epnldd32.exe  C:\Windows\system32\Epnldd32.exe  (depth 74)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712

C:\Windows\SysWOW64\Ecmhqp32.exe  C:\Windows\system32\Ecmhqp32.exe  (depth 75)
PID:1960

C:\Windows\SysWOW64\Ehjqif32.exe  C:\Windows\system32\Ehjqif32.exe  (depth 76)
PID:1700

C:\Windows\SysWOW64\Eabeal32.exe  C:\Windows\system32\Eabeal32.exe  (depth 77)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796

C:\Windows\SysWOW64\Eiimci32.exe  C:\Windows\system32\Eiimci32.exe  (depth 78)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624

C:\Windows\SysWOW64\Elgioe32.exe  C:\Windows\system32\Elgioe32.exe  (depth 79)
- System Location Discovery: System Language Discovery
PID:1536

C:\Windows\SysWOW64\Fcaaloed.exe  C:\Windows\system32\Fcaaloed.exe  (depth 80)
PID:2564

C:\Windows\SysWOW64\Fhnjdfcl.exe  C:\Windows\system32\Fhnjdfcl.exe  (depth 81)
- System Location Discovery: System Language Discovery
PID:2960

C:\Windows\SysWOW64\Fkmfpabp.exe  C:\Windows\system32\Fkmfpabp.exe  (depth 82)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2124

C:\Windows\SysWOW64\Febjmj32.exe  C:\Windows\system32\Febjmj32.exe  (depth 83)
- Drops file in System32 directory
PID:2764

C:\Windows\SysWOW64\Fkocfa32.exe  C:\Windows\system32\Fkocfa32.exe  (depth 84)
- Drops file in System32 directory
PID:1620

C:\Windows\SysWOW64\Fnnobl32.exe  C:\Windows\system32\Fnnobl32.exe  (depth 85)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1548

C:\Windows\SysWOW64\Fhccoe32.exe  C:\Windows\system32\Fhccoe32.exe  (depth 86)
PID:872

C:\Windows\SysWOW64\Fkapkq32.exe  C:\Windows\system32\Fkapkq32.exe  (depth 87)
- Modifies registry class
PID:928

C:\Windows\SysWOW64\Fdjddf32.exe  C:\Windows\system32\Fdjddf32.exe  (depth 88)
PID:1944

C:\Windows\SysWOW64\Fjfllm32.exe  C:\Windows\system32\Fjfllm32.exe  (depth 89)
PID:1608

C:\Windows\SysWOW64\Fqqdigko.exe  C:\Windows\system32\Fqqdigko.exe  (depth 90)
PID:2784

C:\Windows\SysWOW64\Fcoaebjc.exe  C:\Windows\system32\Fcoaebjc.exe  (depth 91)
PID:2336

C:\Windows\SysWOW64\Gjiibm32.exe  C:\Windows\system32\Gjiibm32.exe  (depth 92)
- System Location Discovery: System Language Discovery
PID:2728

C:\Windows\SysWOW64\Gjkfglom.exe  C:\Windows\system32\Gjkfglom.exe  (depth 93)
PID:3008

C:\Windows\SysWOW64\Gmjbchnq.exe  C:\Windows\system32\Gmjbchnq.exe  (depth 94)
- System Location Discovery: System Language Discovery
PID:1328

C:\Windows\SysWOW64\Gccjpb32.exe  C:\Windows\system32\Gccjpb32.exe  (depth 95)
PID:2768

C:\Windows\SysWOW64\Ghqchi32.exe  C:\Windows\system32\Ghqchi32.exe  (depth 96)
PID:916

C:\Windows\SysWOW64\Gojkecka.exe  C:\Windows\system32\Gojkecka.exe  (depth 97)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2244

C:\Windows\SysWOW64\Gdgcnj32.exe  C:\Windows\system32\Gdgcnj32.exe  (depth 98)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384

C:\Windows\SysWOW64\Gkaljdaf.exe  C:\Windows\system32\Gkaljdaf.exe  (depth 99)
PID:2900

C:\Windows\SysWOW64\Gnphfppi.exe  C:\Windows\system32\Gnphfppi.exe  (depth 100)
- Drops file in System32 directory
PID:1640

C:\Windows\SysWOW64\Gghloe32.exe  C:\Windows\system32\Gghloe32.exe  (depth 101)
- System Location Discovery: System Language Discovery
PID:2072

C:\Windows\SysWOW64\Goodpb32.exe  C:\Windows\system32\Goodpb32.exe  (depth 102)
PID:1880

C:\Windows\SysWOW64\Hqpahkmj.exe  C:\Windows\system32\Hqpahkmj.exe  (depth 103)
- Modifies registry class
PID:888

C:\Windows\SysWOW64\Hgjieedg.exe  C:\Windows\system32\Hgjieedg.exe  (depth 104)
PID:2932

C:\Windows\SysWOW64\Hndaao32.exe  C:\Windows\system32\Hndaao32.exe  (depth 105)
- Modifies registry class
PID:2512

C:\Windows\SysWOW64\Henjnica.exe  C:\Windows\system32\Henjnica.exe  (depth 106)
PID:2740

C:\Windows\SysWOW64\Hjkbfpah.exe  C:\Windows\system32\Hjkbfpah.exe  (depth 107)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864

C:\Windows\SysWOW64\Heqfdh32.exe  C:\Windows\system32\Heqfdh32.exe  (depth 108)
PID:2672

C:\Windows\SysWOW64\Hgobpd32.exe  C:\Windows\system32\Hgobpd32.exe  (depth 109)
PID:1720

C:\Windows\SysWOW64\Hmlkhk32.exe  C:\Windows\system32\Hmlkhk32.exe  (depth 110)
PID:1152

C:\Windows\SysWOW64\Hpjgdf32.exe  C:\Windows\system32\Hpjgdf32.exe  (depth 111)
PID:2108

C:\Windows\SysWOW64\Hfdpaqej.exe  C:\Windows\system32\Hfdpaqej.exe  (depth 112)
- System Location Discovery: System Language Discovery
PID:1032

C:\Windows\SysWOW64\Hpmdjf32.exe  C:\Windows\system32\Hpmdjf32.exe  (depth 113)
PID:1748

C:\Windows\SysWOW64\Hbkpfa32.exe  C:\Windows\system32\Hbkpfa32.exe  (depth 114)
PID:3068

C:\Windows\SysWOW64\Hiehbl32.exe  C:\Windows\system32\Hiehbl32.exe  (depth 115)
PID:1780

C:\Windows\SysWOW64\Icjmpd32.exe  C:\Windows\system32\Icjmpd32.exe  (depth 116)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456

C:\Windows\SysWOW64\Ifiilp32.exe  C:\Windows\system32\Ifiilp32.exe  (depth 117)
PID:668

C:\Windows\SysWOW64\Iigehk32.exe  C:\Windows\system32\Iigehk32.exe  (depth 118)
- Drops file in System32 directory
PID:2704

C:\Windows\SysWOW64\Ibpjaagi.exe  C:\Windows\system32\Ibpjaagi.exe  (depth 119)
- Modifies registry class
PID:2504

C:\Windows\SysWOW64\Iijbnkne.exe  C:\Windows\system32\Iijbnkne.exe  (depth 120)
PID:468

C:\Windows\SysWOW64\Ibbffq32.exe  C:\Windows\system32\Ibbffq32.exe  (depth 121)
PID:1000

C:\Windows\SysWOW64\Ihooog32.exe  C:\Windows\system32\Ihooog32.exe  (depth 122)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:580