Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 12:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe
-
Size
88KB
-
MD5
e887b13e912d06baf41d1dce6cf972d0
-
SHA1
fe88161bdcfffa13a977b11250ddb233811ea5f8
-
SHA256
ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebf
-
SHA512
52e9a828126b196a10b1c1f4f2868cfcf6f6cecf7c57ffb08a809964ac7bec7aae9dc5c436afb8883160d683f4f15a1f3860c8afd94fddfd480768f29cd5b9b2
-
SSDEEP
1536:RZWWtGeHv0t3I7/NvwTS0KhAF1VdTz3QfhZhJnouy8L:OWtfv0t3qeTxKheVdTz3QDhZoutL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Iahkpg32.exeLdbofgme.exeCgaaah32.exeGfhgpg32.exeGgkqmoma.exeMpgobc32.exeCebeem32.exeCegoqlof.exeIjclol32.exeKncaojfb.exeGbadjg32.exeIflmjihl.exeKgnbnpkp.exeKgclio32.exeQnghel32.exeFgnadkic.exeFqfemqod.exeFcnkhmdp.exeHmmbqegc.exeKhghgchk.exeKgqocoin.exeMdghaf32.exeNfahomfd.exeEcnoijbd.exeFgdnnl32.exeBmbgfkje.exeCgfkmgnj.exeNhjjgd32.exeBbbpenco.exeJehlkhig.exeLonpma32.exeMklcadfn.exePghfnc32.exeApedah32.exeDdblgn32.exeHpnkbpdd.exeBmlael32.exeHqfaldbo.exeKjokokha.exeLoqmba32.exeOfadnq32.exeObokcqhk.exeCillkbac.exeGbhbdi32.exeKcgphp32.exeKjahej32.exeAgolnbok.exeJfliim32.exeJondnnbk.exeInjndk32.exeLgehno32.exeMgjnhaco.exeNefdpjkl.exeNameek32.exeQjklenpa.exeHjofdi32.exeIeomef32.exeBgcbhd32.exeCkjamgmk.exeAkcomepg.exeBnknoogp.exeEecafd32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggkqmoma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgobc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cegoqlof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijclol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqfemqod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmmbqegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgqocoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecnoijbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgdnnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddblgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnkbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqfaldbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcgphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjahej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agolnbok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfliim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nefdpjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjofdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieomef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcbhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnknoogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecafd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnkhmdp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Boidnh32.exeBnldjekl.exeBiaign32.exeBammlq32.exeBehilopf.exeBnqned32.exeBejfao32.exeCmfkfa32.exeCpdgbm32.exeCfnoogbo.exeCillkbac.exeCcbphk32.exeCjlheehe.exeCmjdaqgi.exeCpiqmlfm.exeCiaefa32.exeCmmagpef.exeCbiiog32.exeCfeepelg.exeChfbgn32.exeCpmjhk32.exeCblfdg32.exeDejbqb32.exeDldkmlhl.exeDjgkii32.exeDbncjf32.exeDdpobo32.exeDdblgn32.exeDhmhhmlm.exeDmjqpdje.exeDafmqb32.exeDgbeiiqe.exeDiaaeepi.exeDkqnoh32.exeDicnkdnf.exeEdibhmml.exeEggndi32.exeEldglp32.exeEcnoijbd.exeEpbpbnan.exeEoepnk32.exeEijdkcgn.exeEhmdgp32.exeEklqcl32.exeEeaepd32.exeElkmmodo.exeEoiiijcc.exeEecafd32.exeFgdnnl32.exeFkpjnkig.exeFnofjfhk.exeFajbke32.exeFpmbfbgo.exeFhdjgoha.exeFggkcl32.exeFkbgckgd.exeFamope32.exeFdkklp32.exeFcnkhmdp.exeFjhcegll.exeFlfpabkp.exeFqalaa32.exeFdmhbplb.exeFfodjh32.exepid Process 2480 Boidnh32.exe 2368 Bnldjekl.exe 2848 Biaign32.exe 2796 Bammlq32.exe 2748 Behilopf.exe 2816 Bnqned32.exe 280 Bejfao32.exe 2772 Cmfkfa32.exe 672 Cpdgbm32.exe 1944 Cfnoogbo.exe 1372 Cillkbac.exe 2168 Ccbphk32.exe 1272 Cjlheehe.exe 1080 Cmjdaqgi.exe 2968 Cpiqmlfm.exe 2240 Ciaefa32.exe 2304 Cmmagpef.exe 2580 Cbiiog32.exe 1280 Cfeepelg.exe 1108 Chfbgn32.exe 1656 Cpmjhk32.exe 880 Cblfdg32.exe 1548 Dejbqb32.exe 2340 Dldkmlhl.exe 2488 Djgkii32.exe 3036 Dbncjf32.exe 2152 Ddpobo32.exe 1968 Ddblgn32.exe 2744 Dhmhhmlm.exe 2868 Dmjqpdje.exe 2836 Dafmqb32.exe 2740 Dgbeiiqe.exe 2672 Diaaeepi.exe 2260 Dkqnoh32.exe 1916 Dicnkdnf.exe 964 Edibhmml.exe 272 Eggndi32.exe 2668 Eldglp32.exe 380 Ecnoijbd.exe 2884 Epbpbnan.exe 2960 Eoepnk32.exe 2216 Eijdkcgn.exe 1092 Ehmdgp32.exe 952 Eklqcl32.exe 1688 Eeaepd32.exe 2092 Elkmmodo.exe 696 Eoiiijcc.exe 700 Eecafd32.exe 2320 Fgdnnl32.exe 2532 Fkpjnkig.exe 2404 Fnofjfhk.exe 2752 Fajbke32.exe 2708 Fpmbfbgo.exe 2916 Fhdjgoha.exe 2612 Fggkcl32.exe 2652 Fkbgckgd.exe 1248 Famope32.exe 2028 Fdkklp32.exe 324 Fcnkhmdp.exe 2900 Fjhcegll.exe 560 Flfpabkp.exe 2136 Fqalaa32.exe 1868 Fdmhbplb.exe 376 Ffodjh32.exe -
Loads dropped DLL 64 IoCs
Processes:
ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exeBoidnh32.exeBnldjekl.exeBiaign32.exeBammlq32.exeBehilopf.exeBnqned32.exeBejfao32.exeCmfkfa32.exeCpdgbm32.exeCfnoogbo.exeCillkbac.exeCcbphk32.exeCjlheehe.exeCmjdaqgi.exeCpiqmlfm.exeCiaefa32.exeCmmagpef.exeCbiiog32.exeCfeepelg.exeChfbgn32.exeCpmjhk32.exeCblfdg32.exeDejbqb32.exeDldkmlhl.exeDjgkii32.exeDbncjf32.exeDdpobo32.exeDdblgn32.exeDhmhhmlm.exeDmjqpdje.exeDafmqb32.exepid Process 2424 ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe 2424 ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe 2480 Boidnh32.exe 2480 Boidnh32.exe 2368 Bnldjekl.exe 2368 Bnldjekl.exe 2848 Biaign32.exe 2848 Biaign32.exe 2796 Bammlq32.exe 2796 Bammlq32.exe 2748 Behilopf.exe 2748 Behilopf.exe 2816 Bnqned32.exe 2816 Bnqned32.exe 280 Bejfao32.exe 280 Bejfao32.exe 2772 Cmfkfa32.exe 2772 Cmfkfa32.exe 672 Cpdgbm32.exe 672 Cpdgbm32.exe 1944 Cfnoogbo.exe 1944 Cfnoogbo.exe 1372 Cillkbac.exe 1372 Cillkbac.exe 2168 Ccbphk32.exe 2168 Ccbphk32.exe 1272 Cjlheehe.exe 1272 Cjlheehe.exe 1080 Cmjdaqgi.exe 1080 Cmjdaqgi.exe 2968 Cpiqmlfm.exe 2968 Cpiqmlfm.exe 2240 Ciaefa32.exe 2240 Ciaefa32.exe 2304 Cmmagpef.exe 2304 Cmmagpef.exe 2580 Cbiiog32.exe 2580 Cbiiog32.exe 1280 Cfeepelg.exe 1280 Cfeepelg.exe 1108 Chfbgn32.exe 1108 Chfbgn32.exe 1656 Cpmjhk32.exe 1656 Cpmjhk32.exe 880 Cblfdg32.exe 880 Cblfdg32.exe 1548 Dejbqb32.exe 1548 Dejbqb32.exe 2340 Dldkmlhl.exe 2340 Dldkmlhl.exe 2488 Djgkii32.exe 2488 Djgkii32.exe 3036 Dbncjf32.exe 3036 Dbncjf32.exe 2152 Ddpobo32.exe 2152 Ddpobo32.exe 1968 Ddblgn32.exe 1968 Ddblgn32.exe 2744 Dhmhhmlm.exe 2744 Dhmhhmlm.exe 2868 Dmjqpdje.exe 2868 Dmjqpdje.exe 2836 Dafmqb32.exe 2836 Dafmqb32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nipdkieg.exePafdjmkq.exeAficjnpm.exeBfdenafn.exeGjojef32.exeKkgahoel.exeCfkloq32.exeCkjamgmk.exeGiipab32.exeCmpgpond.exeDiaaeepi.exeIeomef32.exeGifclb32.exeHmoofdea.exeKnmdeioh.exeBcjcme32.exeHpkompgg.exeNidmfh32.exeKdbbgdjj.exeBmnnkl32.exeAfdiondb.exeIjclol32.exeIflmjihl.exeLnjcomcf.exeOabkom32.exeFgdnnl32.exeKpkpadnl.exeBkegah32.exeCbdiia32.exeGbohehoj.exeJgabdlfb.exeNabopjmj.exeCfeepelg.exeGbadjg32.exeKpgffe32.exeOfhjopbg.exeCjlheehe.exeCillkbac.exeDkqnoh32.exeEpbpbnan.exeMnomjl32.exeOmpefj32.exeOemgplgo.exece721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exeGqdefddb.exeOdedge32.exeQnghel32.exeAkcomepg.exeEoepnk32.exeMfmndn32.exePhnpagdp.exeAgjobffl.exeCmjdaqgi.exeAlnalh32.exeIjehdl32.exeKncaojfb.exeKgnbnpkp.exeLfkeokjp.exeHmalldcn.exeCgcnghpl.exedescription ioc Process File created C:\Windows\SysWOW64\Kheoph32.dll Nipdkieg.exe File created C:\Windows\SysWOW64\Pebpkk32.exe Pafdjmkq.exe File created C:\Windows\SysWOW64\Komjgdhc.dll Aficjnpm.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Bfdenafn.exe File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Kgnbnpkp.exe Kkgahoel.exe File created C:\Windows\SysWOW64\Gjhmge32.dll Cfkloq32.exe File created C:\Windows\SysWOW64\Pobghn32.dll Ckjamgmk.exe File opened for modification C:\Windows\SysWOW64\Ggkqmoma.exe Giipab32.exe File created C:\Windows\SysWOW64\Nloone32.dll Cmpgpond.exe File opened for modification C:\Windows\SysWOW64\Dkqnoh32.exe Diaaeepi.exe File created C:\Windows\SysWOW64\Ipeaco32.exe Ieomef32.exe File opened for modification C:\Windows\SysWOW64\Gkephn32.exe Gifclb32.exe File opened for modification C:\Windows\SysWOW64\Hpnkbpdd.exe Hmoofdea.exe File created C:\Windows\SysWOW64\Bkdbhahq.dll Knmdeioh.exe File created C:\Windows\SysWOW64\Lloeec32.dll Bcjcme32.exe File created C:\Windows\SysWOW64\Hgbfnngi.exe Hpkompgg.exe File opened for modification C:\Windows\SysWOW64\Nhgnaehm.exe Nidmfh32.exe File created C:\Windows\SysWOW64\Kgqocoin.exe Kdbbgdjj.exe File opened for modification C:\Windows\SysWOW64\Boljgg32.exe Bmnnkl32.exe File created C:\Windows\SysWOW64\Maanne32.dll Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Ioohokoo.exe Ijclol32.exe File created C:\Windows\SysWOW64\Ieomef32.exe Iflmjihl.exe File created C:\Windows\SysWOW64\Kcnfobob.dll Lnjcomcf.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Oabkom32.exe File created C:\Windows\SysWOW64\Ebaijflc.dll Fgdnnl32.exe File opened for modification C:\Windows\SysWOW64\Lonpma32.exe Kpkpadnl.exe File opened for modification C:\Windows\SysWOW64\Ccmpce32.exe Bkegah32.exe File created C:\Windows\SysWOW64\Cebeem32.exe Cbdiia32.exe File created C:\Windows\SysWOW64\Gqahqd32.exe Gbohehoj.exe File created C:\Windows\SysWOW64\Jedcpi32.exe Jgabdlfb.exe File opened for modification C:\Windows\SysWOW64\Nenkqi32.exe Nabopjmj.exe File created C:\Windows\SysWOW64\Jajjnjlc.dll Cfeepelg.exe File created C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File created C:\Windows\SysWOW64\Gqdefddb.exe Gbadjg32.exe File created C:\Windows\SysWOW64\Qggpmn32.dll Ijclol32.exe File created C:\Windows\SysWOW64\Icehdl32.dll Kpgffe32.exe File created C:\Windows\SysWOW64\Enjmdhnf.dll Ofhjopbg.exe File created C:\Windows\SysWOW64\Mmlkmc32.dll Cjlheehe.exe File created C:\Windows\SysWOW64\Miidam32.dll Cillkbac.exe File created C:\Windows\SysWOW64\Dicnkdnf.exe Dkqnoh32.exe File created C:\Windows\SysWOW64\Eoepnk32.exe Epbpbnan.exe File created C:\Windows\SysWOW64\Kpdjfphd.dll Mnomjl32.exe File created C:\Windows\SysWOW64\Olbfagca.exe Ompefj32.exe File opened for modification C:\Windows\SysWOW64\Phlclgfc.exe Oemgplgo.exe File opened for modification C:\Windows\SysWOW64\Boidnh32.exe ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe File created C:\Windows\SysWOW64\Coglpp32.dll Gqdefddb.exe File created C:\Windows\SysWOW64\Okhdnm32.dll Odedge32.exe File created C:\Windows\SysWOW64\Cpqmndme.dll Qnghel32.exe File opened for modification C:\Windows\SysWOW64\Aoojnc32.exe Akcomepg.exe File created C:\Windows\SysWOW64\Eijdkcgn.exe Eoepnk32.exe File created C:\Windows\SysWOW64\Cacldi32.dll Mfmndn32.exe File created C:\Windows\SysWOW64\Nfdgghho.dll Phnpagdp.exe File created C:\Windows\SysWOW64\Gggpgo32.dll Agjobffl.exe File created C:\Windows\SysWOW64\Ijppackl.dll Cmjdaqgi.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Alnalh32.exe File created C:\Windows\SysWOW64\Gafalh32.dll Dkqnoh32.exe File opened for modification C:\Windows\SysWOW64\Jmdepg32.exe Ijehdl32.exe File created C:\Windows\SysWOW64\Dljdnm32.dll Kncaojfb.exe File created C:\Windows\SysWOW64\Dddnjc32.dll Kgnbnpkp.exe File created C:\Windows\SysWOW64\Lhiakf32.exe Lfkeokjp.exe File created C:\Windows\SysWOW64\Hldlga32.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Goiebopf.dll Ijehdl32.exe File created C:\Windows\SysWOW64\Cjakccop.exe Cgcnghpl.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 4208 4112 WerFault.exe 412 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Cfeepelg.exeFhomkcoa.exeJbefcm32.exeMpgobc32.exeCegoqlof.exeHcldhnkk.exeFfodjh32.exeHfhcoj32.exePaiaplin.exeCfnoogbo.exeDejbqb32.exeHjofdi32.exePcljmdmj.exeAqbdkk32.exeFqalaa32.exeFcbecl32.exeGdkgkcpq.exeHpnkbpdd.exeNjjcip32.exeBnldjekl.exeDmjqpdje.exeFnflke32.exeIedfqeka.exeKjahej32.exeLnjcomcf.exeCepipm32.exeJedcpi32.exeMgedmb32.exeNncbdomg.exePdgmlhha.exeCgcnghpl.exeCpdgbm32.exeEdibhmml.exeFjhcegll.exeKkgahoel.exeLohccp32.exeOffmipej.exeAfdiondb.exeImokehhl.exeOmnipjni.exePofkha32.exePhnpagdp.exeCmpgpond.exeIahkpg32.exeJpgjgboe.exeMmbmeifk.exeMqpflg32.exeNfahomfd.exeOpqoge32.exeBjmeiq32.exeDldkmlhl.exeEcnoijbd.exeFogibnha.exeEldglp32.exeIeomef32.exeKnhjjj32.exeMikjpiim.exePmkhjncg.exeCileqlmg.exeDafmqb32.exeNenkqi32.exeEpbpbnan.exeGonocmbi.exeHcigco32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfeepelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcldhnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffodjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejbqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjofdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnkbpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnflke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjahej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edibhmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offmipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imokehhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnipjni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahkpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbmeifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldkmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnoijbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbpbnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe -
Modifies registry class 64 IoCs
Processes:
Hpkompgg.exeIoohokoo.exeMgjnhaco.exeOplelf32.exeAakjdo32.exeFqalaa32.exeAhebaiac.exeDdblgn32.exeHcdnhoac.exeLnhgim32.exePpnnai32.exeQdncmgbj.exeCnfqccna.exeCiaefa32.exeCmmagpef.exeMggabaea.exeBejfao32.exeFajbke32.exeFdmhbplb.exeGmmfaa32.exeQpbglhjq.exeAqbdkk32.exeBmlael32.exeHjcppidk.exeJimbkh32.exeAficjnpm.exeGonocmbi.exeFpmbfbgo.exeGjojef32.exeLlgjaeoj.exeEggndi32.exeFnflke32.exeJioopgef.exeNabopjmj.exeAllefimb.exeHldlga32.exeNgealejo.exeOjomdoof.exePaknelgk.exeAgolnbok.exeHfjpdjjo.exeLddlkg32.exePhnpagdp.exeAccqnc32.exeAomnhd32.exeAoojnc32.exeCblfdg32.exeDejbqb32.exeEdibhmml.exeFnofjfhk.exeNipdkieg.exePnbojmmp.exeAfdiondb.exeBccmmf32.exeBmnnkl32.exeFggkcl32.exeKlngkfge.exeLfoojj32.exeBnknoogp.exeNefdpjkl.exece721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exeInjndk32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfpeb32.dll" Fqalaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahebaiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ciaefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmmagpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdokkbh.dll" Mggabaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bejfao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjcppidk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchfle32.dll" Jimbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gonocmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpeiada.dll" Llgjaeoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Allefimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll" Ngealejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomdoof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paknelgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" Aficjnpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lddlkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll" Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Aomnhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqbdkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjmll32.dll" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiioe32.dll" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnofjfhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afdiondb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdehk32.dll" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klngkfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfoojj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnknoogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nefdpjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Injndk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exeBoidnh32.exeBnldjekl.exeBiaign32.exeBammlq32.exeBehilopf.exeBnqned32.exeBejfao32.exeCmfkfa32.exeCpdgbm32.exeCfnoogbo.exeCillkbac.exeCcbphk32.exeCjlheehe.exeCmjdaqgi.exeCpiqmlfm.exedescription pid Process procid_target PID 2424 wrote to memory of 2480 2424 ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe 30 PID 2424 wrote to memory of 2480 2424 ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe 30 PID 2424 wrote to memory of 2480 2424 ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe 30 PID 2424 wrote to memory of 2480 2424 ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe 30 PID 2480 wrote to memory of 2368 2480 Boidnh32.exe 31 PID 2480 wrote to memory of 2368 2480 Boidnh32.exe 31 PID 2480 wrote to memory of 2368 2480 Boidnh32.exe 31 PID 2480 wrote to memory of 2368 2480 Boidnh32.exe 31 PID 2368 wrote to memory of 2848 2368 Bnldjekl.exe 32 PID 2368 wrote to memory of 2848 2368 Bnldjekl.exe 32 PID 2368 wrote to memory of 2848 2368 Bnldjekl.exe 32 PID 2368 wrote to memory of 2848 2368 Bnldjekl.exe 32 PID 2848 wrote to memory of 2796 2848 Biaign32.exe 33 PID 2848 wrote to memory of 2796 2848 Biaign32.exe 33 PID 2848 wrote to memory of 2796 2848 Biaign32.exe 33 PID 2848 wrote to memory of 2796 2848 Biaign32.exe 33 PID 2796 wrote to memory of 2748 2796 Bammlq32.exe 34 PID 2796 wrote to memory of 2748 2796 Bammlq32.exe 34 PID 2796 wrote to memory of 2748 2796 Bammlq32.exe 34 PID 2796 wrote to memory of 2748 2796 Bammlq32.exe 34 PID 2748 wrote to memory of 2816 2748 Behilopf.exe 35 PID 2748 wrote to memory of 2816 2748 Behilopf.exe 35 PID 2748 wrote to memory of 2816 2748 Behilopf.exe 35 PID 2748 wrote to memory of 2816 2748 Behilopf.exe 35 PID 2816 wrote to memory of 280 2816 Bnqned32.exe 36 PID 2816 wrote to memory of 280 2816 Bnqned32.exe 36 PID 2816 wrote to memory of 280 2816 Bnqned32.exe 36 PID 2816 wrote to memory of 280 2816 Bnqned32.exe 36 PID 280 wrote to memory of 2772 280 Bejfao32.exe 37 PID 280 wrote to memory of 2772 280 Bejfao32.exe 37 PID 280 wrote to memory of 2772 280 Bejfao32.exe 37 PID 280 wrote to memory of 2772 280 Bejfao32.exe 37 PID 2772 wrote to memory of 672 2772 Cmfkfa32.exe 38 PID 2772 wrote to memory of 672 2772 Cmfkfa32.exe 38 PID 2772 wrote to memory of 672 2772 Cmfkfa32.exe 38 PID 2772 wrote to memory of 672 2772 Cmfkfa32.exe 38 PID 672 wrote to memory of 1944 672 Cpdgbm32.exe 39 PID 672 wrote to memory of 1944 672 Cpdgbm32.exe 39 PID 672 wrote to memory of 1944 672 Cpdgbm32.exe 39 PID 672 wrote to memory of 1944 672 Cpdgbm32.exe 39 PID 1944 wrote to memory of 1372 1944 Cfnoogbo.exe 40 PID 1944 wrote to memory of 1372 1944 Cfnoogbo.exe 40 PID 1944 wrote to memory of 1372 1944 Cfnoogbo.exe 40 PID 1944 wrote to memory of 1372 1944 Cfnoogbo.exe 40 PID 1372 wrote to memory of 2168 1372 Cillkbac.exe 41 PID 1372 wrote to memory of 2168 1372 Cillkbac.exe 41 PID 1372 wrote to memory of 2168 1372 Cillkbac.exe 41 PID 1372 wrote to memory of 2168 1372 Cillkbac.exe 41 PID 2168 wrote to memory of 1272 2168 Ccbphk32.exe 42 PID 2168 wrote to memory of 1272 2168 Ccbphk32.exe 42 PID 2168 wrote to memory of 1272 2168 Ccbphk32.exe 42 PID 2168 wrote to memory of 1272 2168 Ccbphk32.exe 42 PID 1272 wrote to memory of 1080 1272 Cjlheehe.exe 43 PID 1272 wrote to memory of 1080 1272 Cjlheehe.exe 43 PID 1272 wrote to memory of 1080 1272 Cjlheehe.exe 43 PID 1272 wrote to memory of 1080 1272 Cjlheehe.exe 43 PID 1080 wrote to memory of 2968 1080 Cmjdaqgi.exe 44 PID 1080 wrote to memory of 2968 1080 Cmjdaqgi.exe 44 PID 1080 wrote to memory of 2968 1080 Cmjdaqgi.exe 44 PID 1080 wrote to memory of 2968 1080 Cmjdaqgi.exe 44 PID 2968 wrote to memory of 2240 2968 Cpiqmlfm.exe 45 PID 2968 wrote to memory of 2240 2968 Cpiqmlfm.exe 45 PID 2968 wrote to memory of 2240 2968 Cpiqmlfm.exe 45 PID 2968 wrote to memory of 2240 2968 Cpiqmlfm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe"C:\Users\Admin\AppData\Local\Temp\ce721d5d163fd83c5f803c240744166a4696db95263e265117d6770a3dbc8ebfN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe33⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe36⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe43⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe44⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe45⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe46⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe47⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe48⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe51⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe55⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe57⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe58⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe59⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe62⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe67⤵PID:2388
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe68⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe71⤵PID:2764
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe72⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe74⤵PID:1392
-
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe77⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe78⤵PID:2940
-
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe79⤵PID:2220
-
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe80⤵PID:768
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe81⤵PID:632
-
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe82⤵PID:1696
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe84⤵PID:300
-
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:792 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe86⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe87⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe88⤵PID:2760
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe89⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe90⤵PID:2164
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe91⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe93⤵PID:2904
-
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe95⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe96⤵PID:1592
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe97⤵PID:2248
-
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe98⤵PID:804
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe100⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe101⤵PID:2160
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe105⤵PID:580
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe106⤵PID:3052
-
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe107⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe109⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe111⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe112⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe113⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe114⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe115⤵
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe116⤵PID:1836
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe117⤵PID:2584
-
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe118⤵PID:1640
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe121⤵PID:2448
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-