Analysis
-
max time kernel
95s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 03:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe
-
Size
159KB
-
MD5
7ef93d6735cd5dabe67fc61f560d90cc
-
SHA1
b91a6ec47f63393ad47b6e173201bf54d094d7c4
-
SHA256
ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f
-
SHA512
82c96e664d6dc3e843971f33bcf49f8128adb04465379a9ab709ea532ef407ffa3e9a9b1045b3c37a4a89c0e1b33e9d860defc4e5ddb9e3f118132bd907643e2
-
SSDEEP
3072:tqrz/rzEug5kIxCuE6jBYoibwf1nFzwSAJB8FgBY5nd/M9dA:AVeLnWof1n6xJmPM9dA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Lcfidb32.exeJcanll32.exeHecjke32.exeMcoljagj.exeIhphkl32.exeQmgelf32.exeBklfgo32.exeMqdcnl32.exeBpkdjofm.exeHkdjfb32.exePlkpcfal.exeBkkple32.exeIinqbn32.exeEnpmld32.exeOfhknodl.exeDhbebj32.exeJohggfha.exeGmeakf32.exeKqnbkl32.exePmpolgoi.exeIdhnkf32.exeCdlqqcnl.exeOdjeljhd.exeLoighj32.exeKekbjo32.exeDapkni32.exeIgjngh32.exeNgjkfd32.exeFqbliicp.exeGpecbk32.exeHlpfhe32.exeGbeejp32.exeKfpcoefj.exeKjhloj32.exeMgphpe32.exeJpbjfjci.exeBclang32.exeAogbfi32.exeJjlmclqa.exeLckiihok.exeEnnqfenp.exeNmbjcljl.exeAhfmpnql.exeDfoplpla.exeKclgmq32.exeJihbip32.exePidlqb32.exeCmklglpn.exeIgdnabjh.exeOidhlb32.exeLjaoeini.exeMkhapk32.exeCfcqpa32.exeFkkeclfh.exeJdfjld32.exeCocacl32.exeFhmigagd.exeEmjgim32.exeFqgedh32.exeKakmna32.exeHnaqgd32.exeKdinljnk.exeFikbocki.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hecjke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcoljagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bklfgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqdcnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plkpcfal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkple32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johggfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjeljhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlpfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpcoefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhloj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbjfjci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclang32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckiihok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahfmpnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfoplpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oidhlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfcqpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkeclfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqgedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakmna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdinljnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikbocki.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Bqmeal32.exeBclang32.exeBihjfnmm.exeCpbbch32.exeCflkpblf.exeCikglnkj.exeCcqkigkp.exeCjjcfabm.exeCpglnhad.exeCgndoeag.exeCmklglpn.exeCfcqpa32.exeCaienjfd.exeCgcmjd32.exeCjaifp32.exeDpnbog32.exeDfhjkabi.exeDiffglam.exeDclkee32.exeDiicml32.exeDapkni32.exeDpckjfgg.exeDcogje32.exeDhjckcgi.exeDjhpgofm.exeDmglcj32.exeDabhdinj.exeDpehof32.exeDdadpdmn.exeDfoplpla.exeDjklmo32.exeDinmhkke.exeDmihij32.exeDpgeee32.exeDdcqedkk.exeDhomfc32.exeDfamapjo.exeEipinkib.exeEmlenj32.exeEdemkd32.exeEhailbaa.exeEfdjgo32.exeEjpfhnpe.exeEibfck32.exeEaindh32.exeEplnpeol.exeEdhjqc32.exeEfffmo32.exeEjbbmnnb.exeEidbij32.exeEalkjh32.exeEpokedmj.exeEdjgfcec.exeEhfcfb32.exeEjdocm32.exeEigonjcj.exeEdmclccp.exeEfkphnbd.exeEmehdh32.exeEdopabqn.exeFmgejhgn.exeFacqkg32.exeFhmigagd.exeFkkeclfh.exepid Process 4924 Bqmeal32.exe 3152 Bclang32.exe 4536 Bihjfnmm.exe 996 Cpbbch32.exe 4416 Cflkpblf.exe 2052 Cikglnkj.exe 2564 Ccqkigkp.exe 4012 Cjjcfabm.exe 1172 Cpglnhad.exe 1836 Cgndoeag.exe 4808 Cmklglpn.exe 1896 Cfcqpa32.exe 3208 Caienjfd.exe 2428 Cgcmjd32.exe 4184 Cjaifp32.exe 4936 Dpnbog32.exe 2848 Dfhjkabi.exe 4040 Diffglam.exe 1008 Dclkee32.exe 2016 Diicml32.exe 2512 Dapkni32.exe 1344 Dpckjfgg.exe 4448 Dcogje32.exe 900 Dhjckcgi.exe 440 Djhpgofm.exe 872 Dmglcj32.exe 112 Dabhdinj.exe 628 Dpehof32.exe 3028 Ddadpdmn.exe 4340 Dfoplpla.exe 2040 Djklmo32.exe 3020 Dinmhkke.exe 3884 Dmihij32.exe 1312 Dpgeee32.exe 2092 Ddcqedkk.exe 5088 Dhomfc32.exe 3392 Dfamapjo.exe 4992 Eipinkib.exe 4948 Emlenj32.exe 1216 Edemkd32.exe 4624 Ehailbaa.exe 3460 Efdjgo32.exe 3548 Ejpfhnpe.exe 324 Eibfck32.exe 4452 Eaindh32.exe 4172 Eplnpeol.exe 768 Edhjqc32.exe 2388 Efffmo32.exe 2772 Ejbbmnnb.exe 3648 Eidbij32.exe 960 Ealkjh32.exe 520 Epokedmj.exe 1508 Edjgfcec.exe 4544 Ehfcfb32.exe 1532 Ejdocm32.exe 1840 Eigonjcj.exe 1120 Edmclccp.exe 4264 Efkphnbd.exe 2240 Emehdh32.exe 4480 Edopabqn.exe 1492 Fmgejhgn.exe 4712 Facqkg32.exe 3200 Fhmigagd.exe 4108 Fkkeclfh.exe -
Drops file in System32 directory 64 IoCs
Processes:
Lgkpdcmi.exeAoofle32.exeBnhenj32.exeNgndaccj.exeNnhmnn32.exeDnmaea32.exeIjfnmc32.exeOndljl32.exeOcaebc32.exeBkgeainn.exeIeccbbkn.exeIjogmdqm.exePiphgq32.exeHplicjok.exePalbgl32.exeEeelnp32.exeIbaeen32.exeMljmhflh.exeDmihij32.exePldcjeia.exeHbenoi32.exeDmennnni.exeFeoodn32.exeFbplml32.exeNoppeaed.exeIlmmni32.exeLjaoeini.exeCkclhn32.exePdhkcb32.exeJhgiim32.exeKadpdp32.exeNfnamjhk.exeDhomfc32.exeGfheof32.exeMgphpe32.exeAfpjel32.exeFimodc32.exeHbohpn32.exeFmgejhgn.exeOlbdhn32.exeLqndhcdc.exePaoollik.exeMbdiknlb.exeJlhljhbg.exeGbeejp32.exeNiojoeel.exeIepaaico.exeIliinc32.exeDhjckcgi.exeEjdocm32.exeGnhnaf32.exeOiknlagg.exeDcpmen32.exeOlfghg32.exeEhfcfb32.exeGpcfmkff.exePoimpapp.exeCponen32.exeLcmodajm.exeHhimhobl.exeIgqkqiai.exeLbpdblmo.exeNmgjia32.exedescription ioc Process File created C:\Windows\SysWOW64\Lbpdblmo.exe Lgkpdcmi.exe File created C:\Windows\SysWOW64\Aanbhp32.exe Aoofle32.exe File created C:\Windows\SysWOW64\Bepmoh32.exe Bnhenj32.exe File opened for modification C:\Windows\SysWOW64\Nnhmnn32.exe Ngndaccj.exe File created C:\Windows\SysWOW64\Nagiji32.exe Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Dhbebj32.exe Dnmaea32.exe File opened for modification C:\Windows\SysWOW64\Iqpfjnba.exe Ijfnmc32.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe Ondljl32.exe File created C:\Windows\SysWOW64\Pfoann32.exe Ocaebc32.exe File created C:\Windows\SysWOW64\Baannc32.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Ihbponja.exe Ieccbbkn.exe File created C:\Windows\SysWOW64\Iafonaao.exe Ijogmdqm.exe File created C:\Windows\SysWOW64\Pchlpfjb.exe Piphgq32.exe File created C:\Windows\SysWOW64\Hgfapd32.exe Hplicjok.exe File opened for modification C:\Windows\SysWOW64\Pkegpb32.exe Palbgl32.exe File created C:\Windows\SysWOW64\Ekodjiol.exe Eeelnp32.exe File created C:\Windows\SysWOW64\Iepaaico.exe Ibaeen32.exe File created C:\Windows\SysWOW64\Mcdeeq32.exe Mljmhflh.exe File created C:\Windows\SysWOW64\Cpjdachc.dll Dmihij32.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Hecjke32.exe Hbenoi32.exe File opened for modification C:\Windows\SysWOW64\Dodjjimm.exe Dmennnni.exe File opened for modification C:\Windows\SysWOW64\Fligqhga.exe Feoodn32.exe File created C:\Windows\SysWOW64\Fqbliicp.exe Fbplml32.exe File created C:\Windows\SysWOW64\Kofljo32.dll Noppeaed.exe File opened for modification C:\Windows\SysWOW64\Idcepgmg.exe Ilmmni32.exe File created C:\Windows\SysWOW64\Lmpkadnm.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Cdlqqcnl.exe Ckclhn32.exe File created C:\Windows\SysWOW64\Pffgom32.exe Pdhkcb32.exe File opened for modification C:\Windows\SysWOW64\Joqafgni.exe Jhgiim32.exe File opened for modification C:\Windows\SysWOW64\Lljdai32.exe Kadpdp32.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Nfnamjhk.exe File created C:\Windows\SysWOW64\Dfamapjo.exe Dhomfc32.exe File opened for modification C:\Windows\SysWOW64\Gigaka32.exe Gfheof32.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Mgphpe32.exe File opened for modification C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File created C:\Windows\SysWOW64\Ikfhji32.dll Fimodc32.exe File created C:\Windows\SysWOW64\Hiipmhmk.exe Hbohpn32.exe File created C:\Windows\SysWOW64\Facqkg32.exe Fmgejhgn.exe File created C:\Windows\SysWOW64\Nekhop32.dll Olbdhn32.exe File created C:\Windows\SysWOW64\Lclpdncg.exe Lqndhcdc.exe File created C:\Windows\SysWOW64\Ihbjebjh.dll Paoollik.exe File created C:\Windows\SysWOW64\Mfpell32.exe Mbdiknlb.exe File opened for modification C:\Windows\SysWOW64\Jcbdgb32.exe Jlhljhbg.exe File created C:\Windows\SysWOW64\Hipmfjee.exe Gbeejp32.exe File created C:\Windows\SysWOW64\Ooibkpmi.exe Niojoeel.exe File created C:\Windows\SysWOW64\Gmophg32.dll Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Ibcaknbi.exe Iliinc32.exe File opened for modification C:\Windows\SysWOW64\Djhpgofm.exe Dhjckcgi.exe File opened for modification C:\Windows\SysWOW64\Eigonjcj.exe Ejdocm32.exe File created C:\Windows\SysWOW64\Bildbk32.dll Gnhnaf32.exe File opened for modification C:\Windows\SysWOW64\Oafcqcea.exe Oiknlagg.exe File created C:\Windows\SysWOW64\Neqhhf32.dll Dcpmen32.exe File created C:\Windows\SysWOW64\Jfniqp32.dll Olfghg32.exe File opened for modification C:\Windows\SysWOW64\Ejdocm32.exe Ehfcfb32.exe File created C:\Windows\SysWOW64\Gbabigfj.exe Gpcfmkff.exe File opened for modification C:\Windows\SysWOW64\Pecellgl.exe Poimpapp.exe File opened for modification C:\Windows\SysWOW64\Cgifbhid.exe Cponen32.exe File created C:\Windows\SysWOW64\Mjggal32.exe Lcmodajm.exe File opened for modification C:\Windows\SysWOW64\Hppeim32.exe Hhimhobl.exe File opened for modification C:\Windows\SysWOW64\Mfpell32.exe Mbdiknlb.exe File created C:\Windows\SysWOW64\Gmemic32.dll Igqkqiai.exe File created C:\Windows\SysWOW64\Kaedkn32.dll Lbpdblmo.exe File created C:\Windows\SysWOW64\Ncabfkqo.exe Nmgjia32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5276 6464 WerFault.exe 996 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Igjngh32.exeMjbogmdb.exeQdoacabq.exeLfiokmkc.exeEagaoh32.exeJdaaaeqg.exeBnfihkqm.exeAhfmpnql.exeBgkiaj32.exeMjggal32.exeEjdocm32.exeJbiejoaj.exeMebcop32.exeCbpajgmf.exeOjemig32.exeGfeaopqo.exeBkgeainn.exeLcggio32.exeQmhlgmmm.exeNnhmnn32.exeKakmna32.exePmkofa32.exeOmpfej32.exeEmbddb32.exeFikbocki.exeIjqmhnko.exeJcgnbaeo.exeNmgjia32.exeChqogq32.exeDfoplpla.exeLjdceo32.exeIcknfcol.exeNapjdpcn.exeOcgbld32.exeDafppp32.exeIgqkqiai.exeJoahqn32.exeNimmifgo.exeCgcmjd32.exePamiaboj.exeEibfck32.exeLgkpdcmi.exePibdmp32.exeMepfiq32.exeLfjfecno.exeMgloefco.exeJjmcnbdm.exeNkqkhk32.exeHeegad32.exeHhimhobl.exeKadpdp32.exeNfjola32.exeNfqnbjfi.exeLbinam32.exeDolmodpi.exeGiqkkf32.exeObjpoh32.exeNeccpd32.exeBaannc32.exeGkdpbpih.exeNiojoeel.exeIefphb32.exeJbojlfdp.exeOihagaji.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjbogmdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfiokmkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfihkqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfmpnql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjggal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdocm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbiejoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojemig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakmna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikbocki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chqogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoplpla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icknfcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napjdpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqkqiai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joahqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimmifgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamiaboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibfck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkpdcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pibdmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepfiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgloefco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcnbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkqkhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heegad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhimhobl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqnbjfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolmodpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giqkkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdpbpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbojlfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe -
Modifies registry class 64 IoCs
Processes:
Kkcfid32.exeFligqhga.exeQjiipk32.exeNndjndbh.exeNnfgcd32.exeIpgkjlmg.exeCjjlkk32.exeDdligq32.exePfccogfc.exeIliinc32.exeMjbogmdb.exeBopocbcq.exeFbjmhh32.exeHdjbiheb.exeLnohlgep.exeCkmonl32.exeHpchib32.exeDhbebj32.exeEjdocm32.exeGbabigfj.exeOdjeljhd.exeDpgeee32.exeNhbolp32.exeBkkple32.exeJqhafffk.exeHiipmhmk.exeLomjicei.exeDodjjimm.exeOafcqcea.exeQklmpalf.exeChiblk32.exeIefphb32.exeAaenbd32.exeGhmbno32.exeJnkldqkc.exeKelkaj32.exeCfpffeaj.exeMoipoh32.exeDinmhkke.exeOmegjomb.exeGeohklaa.exeIbcaknbi.exeOpqofe32.exeDdnobj32.exeOfckhj32.exeOnocomdo.exeHhimhobl.exeCfnqklgh.exeCfqmpl32.exeAhippdbe.exeFngcmcfe.exeNqoloc32.exePfojdh32.exeAnclbkbp.exeJilfifme.exeAkpoaj32.exeCnhgjaml.exeEqgmmk32.exeNimmifgo.exeJgogbgei.exeAlpbecod.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmped32.dll" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiadfmi.dll" Fligqhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjiipk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nndjndbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll" Ipgkjlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddligq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcmfp32.dll" Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbjmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdjbiheb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchcpi32.dll" Ckmonl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagpdj32.dll" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpfopn.dll" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankcfdg.dll" Gbabigfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odjeljhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdkgc32.dll" Nhbolp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkkple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnekbm32.dll" Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpgeee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danihi32.dll" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll" Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladnhcdo.dll" Ghmbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbhl32.dll" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omegjomb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebqnm32.dll" Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll" Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddnobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll" Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll" Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecalcl32.dll" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqoloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoaandc.dll" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jilfifme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" Cnhgjaml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqgmmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclbolkk.dll" Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgaff32.dll" Alpbecod.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exeBqmeal32.exeBclang32.exeBihjfnmm.exeCpbbch32.exeCflkpblf.exeCikglnkj.exeCcqkigkp.exeCjjcfabm.exeCpglnhad.exeCgndoeag.exeCmklglpn.exeCfcqpa32.exeCaienjfd.exeCgcmjd32.exeCjaifp32.exeDpnbog32.exeDfhjkabi.exeDiffglam.exeDclkee32.exeDiicml32.exeDapkni32.exedescription pid Process procid_target PID 4116 wrote to memory of 4924 4116 ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe 83 PID 4116 wrote to memory of 4924 4116 ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe 83 PID 4116 wrote to memory of 4924 4116 ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe 83 PID 4924 wrote to memory of 3152 4924 Bqmeal32.exe 84 PID 4924 wrote to memory of 3152 4924 Bqmeal32.exe 84 PID 4924 wrote to memory of 3152 4924 Bqmeal32.exe 84 PID 3152 wrote to memory of 4536 3152 Bclang32.exe 85 PID 3152 wrote to memory of 4536 3152 Bclang32.exe 85 PID 3152 wrote to memory of 4536 3152 Bclang32.exe 85 PID 4536 wrote to memory of 996 4536 Bihjfnmm.exe 86 PID 4536 wrote to memory of 996 4536 Bihjfnmm.exe 86 PID 4536 wrote to memory of 996 4536 Bihjfnmm.exe 86 PID 996 wrote to memory of 4416 996 Cpbbch32.exe 87 PID 996 wrote to memory of 4416 996 Cpbbch32.exe 87 PID 996 wrote to memory of 4416 996 Cpbbch32.exe 87 PID 4416 wrote to memory of 2052 4416 Cflkpblf.exe 88 PID 4416 wrote to memory of 2052 4416 Cflkpblf.exe 88 PID 4416 wrote to memory of 2052 4416 Cflkpblf.exe 88 PID 2052 wrote to memory of 2564 2052 Cikglnkj.exe 89 PID 2052 wrote to memory of 2564 2052 Cikglnkj.exe 89 PID 2052 wrote to memory of 2564 2052 Cikglnkj.exe 89 PID 2564 wrote to memory of 4012 2564 Ccqkigkp.exe 90 PID 2564 wrote to memory of 4012 2564 Ccqkigkp.exe 90 PID 2564 wrote to memory of 4012 2564 Ccqkigkp.exe 90 PID 4012 wrote to memory of 1172 4012 Cjjcfabm.exe 91 PID 4012 wrote to memory of 1172 4012 Cjjcfabm.exe 91 PID 4012 wrote to memory of 1172 4012 Cjjcfabm.exe 91 PID 1172 wrote to memory of 1836 1172 Cpglnhad.exe 92 PID 1172 wrote to memory of 1836 1172 Cpglnhad.exe 92 PID 1172 wrote to memory of 1836 1172 Cpglnhad.exe 92 PID 1836 wrote to memory of 4808 1836 Cgndoeag.exe 93 PID 1836 wrote to memory of 4808 1836 Cgndoeag.exe 93 PID 1836 wrote to memory of 4808 1836 Cgndoeag.exe 93 PID 4808 wrote to memory of 1896 4808 Cmklglpn.exe 94 PID 4808 wrote to memory of 1896 4808 Cmklglpn.exe 94 PID 4808 wrote to memory of 1896 4808 Cmklglpn.exe 94 PID 1896 wrote to memory of 3208 1896 Cfcqpa32.exe 95 PID 1896 wrote to memory of 3208 1896 Cfcqpa32.exe 95 PID 1896 wrote to memory of 3208 1896 Cfcqpa32.exe 95 PID 3208 wrote to memory of 2428 3208 Caienjfd.exe 96 PID 3208 wrote to memory of 2428 3208 Caienjfd.exe 96 PID 3208 wrote to memory of 2428 3208 Caienjfd.exe 96 PID 2428 wrote to memory of 4184 2428 Cgcmjd32.exe 97 PID 2428 wrote to memory of 4184 2428 Cgcmjd32.exe 97 PID 2428 wrote to memory of 4184 2428 Cgcmjd32.exe 97 PID 4184 wrote to memory of 4936 4184 Cjaifp32.exe 98 PID 4184 wrote to memory of 4936 4184 Cjaifp32.exe 98 PID 4184 wrote to memory of 4936 4184 Cjaifp32.exe 98 PID 4936 wrote to memory of 2848 4936 Dpnbog32.exe 99 PID 4936 wrote to memory of 2848 4936 Dpnbog32.exe 99 PID 4936 wrote to memory of 2848 4936 Dpnbog32.exe 99 PID 2848 wrote to memory of 4040 2848 Dfhjkabi.exe 100 PID 2848 wrote to memory of 4040 2848 Dfhjkabi.exe 100 PID 2848 wrote to memory of 4040 2848 Dfhjkabi.exe 100 PID 4040 wrote to memory of 1008 4040 Diffglam.exe 101 PID 4040 wrote to memory of 1008 4040 Diffglam.exe 101 PID 4040 wrote to memory of 1008 4040 Diffglam.exe 101 PID 1008 wrote to memory of 2016 1008 Dclkee32.exe 102 PID 1008 wrote to memory of 2016 1008 Dclkee32.exe 102 PID 1008 wrote to memory of 2016 1008 Dclkee32.exe 102 PID 2016 wrote to memory of 2512 2016 Diicml32.exe 103 PID 2016 wrote to memory of 2512 2016 Diicml32.exe 103 PID 2016 wrote to memory of 2512 2016 Diicml32.exe 103 PID 2512 wrote to memory of 1344 2512 Dapkni32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe"C:\Users\Admin\AppData\Local\Temp\ce91da5c6abab304cae23bef7fd315d5fcb5ca41eb366a60a4dd4ffaa8ec915f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe23⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe24⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe26⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe27⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe28⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe29⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe30⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4340 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe32⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3884 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe36⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe38⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe39⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe40⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe41⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe42⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe43⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe44⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe45⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe47⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe48⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe49⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe50⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe51⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe52⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe53⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe54⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe55⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe58⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe59⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe60⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe61⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe62⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe64⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe67⤵PID:2376
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe68⤵PID:4764
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe69⤵PID:4320
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe70⤵PID:4352
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe71⤵PID:3616
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe72⤵PID:3812
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe73⤵PID:2932
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe74⤵PID:1740
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe75⤵PID:2208
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe76⤵PID:1732
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe78⤵PID:2352
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe79⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe80⤵PID:2312
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe81⤵PID:1628
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe82⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe83⤵PID:2316
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe84⤵PID:1144
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe85⤵PID:3920
-
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe86⤵
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe87⤵PID:1260
-
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe88⤵PID:3724
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe89⤵PID:3472
-
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe90⤵PID:700
-
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe92⤵PID:1960
-
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe93⤵PID:2036
-
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe94⤵PID:1040
-
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe95⤵PID:4232
-
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe96⤵PID:4732
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe97⤵PID:4700
-
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe98⤵PID:4008
-
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe99⤵PID:2348
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe100⤵PID:1804
-
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4944 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe102⤵
- Drops file in System32 directory
PID:516 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe103⤵PID:4052
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4424 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe105⤵PID:1716
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe106⤵PID:4592
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe107⤵PID:956
-
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe108⤵PID:904
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe109⤵PID:5052
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe110⤵
- Drops file in System32 directory
PID:4508 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe111⤵PID:4516
-
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe112⤵PID:5152
-
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5184 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe114⤵PID:5244
-
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe115⤵PID:5304
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe116⤵PID:5380
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe117⤵PID:5432
-
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe118⤵PID:5488
-
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe119⤵PID:5524
-
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe120⤵PID:5572
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe121⤵PID:5616
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-