Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
03-12-2024 17:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe
-
Size
74KB
-
MD5
5c909dc3217aa9ca9d6f025b72b1dce0
-
SHA1
2c54d51d753eef03f214c11007262b7777f8fc20
-
SHA256
149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0
-
SHA512
63984d6c68cc6683a1e6305a979808f3a92f6207ca1dfb74759efd57776d2ab5565d78143310180a9c132b7b49872b2a4fdbdb856214ad79acaa86cbe77766c5
-
SSDEEP
1536:s7tA7TBwVagvjQtscdj1Bel/40GnXYvYcTuqKssy1Ey:s7tA7dxk2LBelg9rVWEy
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Epbfmd32.exeHnmeen32.exeMfglep32.exePegqpacp.exeEaeipfei.exeHahnac32.exeKkgahoel.exeLocjhqpa.exeLnjcomcf.exeAjmijmnn.exeBkhhhd32.exeMjcaimgg.exePohhna32.exeQpbglhjq.exeAciqcifh.exePojecajj.exeGhdgfbkl.exeJkhejkcq.exeDinklffl.exeNmejllia.exeAqjdgmgd.exeEpmfgo32.exeFdkklp32.exeFlhmfbim.exeLfoojj32.exeNidmfh32.exeAdlcfjgh.exePepcelel.exeBmbgfkje.exeCifelgmd.exeIapgkl32.exeNhdhif32.exeCmmagpef.exeDmojkc32.exeInlkik32.exePincfpoo.exeDhiomn32.exeCbppnbhm.exeCiihklpj.exeAkkoig32.exeIdkpganf.exeMcqombic.exeNbmaon32.exeKdhcli32.exeGfhgpg32.exeBcjcme32.exeHjofdi32.exeJbcjnnpl.exeJdhgnf32.exeLjghjpfe.exePilfpqaa.exeKdklfe32.exeLcjlnpmo.exeDojddmec.exeGcmoda32.exeKcecbq32.exeKnkgpi32.exeOiffkkbk.exePgfjhcge.exeDanpemej.exeImnbbi32.exeJjbbpmgo.exeEcnoijbd.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbfmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfglep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pegqpacp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmijmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pohhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aciqcifh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinklffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmejllia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqjdgmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epmfgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhmfbim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nidmfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pepcelel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cifelgmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhdhif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmagpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmojkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pincfpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akkoig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkpganf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcjcme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjofdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljghjpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilfpqaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojddmec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmoda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiffkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjbbpmgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnoijbd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Cepfgdnj.exeCjmopkla.exeCafgle32.exeCllkin32.exeCaidaeak.exeComdkipe.exeCakqgeoi.exeCifelgmd.exeDdliip32.exeDiibag32.exeDlgnmb32.exeDikogf32.exeDpegcq32.exeDinklffl.exeDllhhaep.exeDojddmec.exeDiphbfdi.exeDchmkkkj.exeDegiggjm.exeEoompl32.exeEdlfhc32.exeEgjbdo32.exeEoajel32.exeEpbfmd32.exeEjkkfjkj.exeEniclh32.exeElldgehk.exeEqjmncna.exeFffefjmi.exeFlqmbd32.exeFqlicclo.exeFjdnlhco.exeFmcjhdbc.exeFmegncpp.exeFoccjood.exeFfmkfifa.exeFgohna32.exeFgadda32.exeGnkmqkbi.exeGmpjagfa.exeGcjbna32.exeGgfnopfg.exeGmbfggdo.exeGcmoda32.exeGghkdp32.exeGfmgelil.exeGildahhp.exeGmgpbf32.exeGpelnb32.exeGbdhjm32.exeHebdfind.exeHinqgg32.exeHphidanj.exeHeealhla.exeHipmmg32.exeHloiib32.exeHpjeialg.exeHnmeen32.exeHegnahjo.exeHhejnc32.exeHjdfjo32.exeHbknkl32.exeHeikgh32.exeHhhgcc32.exepid Process 1224 Cepfgdnj.exe 2184 Cjmopkla.exe 2784 Cafgle32.exe 2736 Cllkin32.exe 2868 Caidaeak.exe 2752 Comdkipe.exe 2756 Cakqgeoi.exe 2668 Cifelgmd.exe 1172 Ddliip32.exe 1588 Diibag32.exe 1984 Dlgnmb32.exe 2652 Dikogf32.exe 2844 Dpegcq32.exe 2936 Dinklffl.exe 2116 Dllhhaep.exe 1076 Dojddmec.exe 852 Diphbfdi.exe 1492 Dchmkkkj.exe 2004 Degiggjm.exe 948 Eoompl32.exe 2324 Edlfhc32.exe 1672 Egjbdo32.exe 604 Eoajel32.exe 3040 Epbfmd32.exe 1528 Ejkkfjkj.exe 2552 Eniclh32.exe 2440 Elldgehk.exe 2404 Eqjmncna.exe 2796 Fffefjmi.exe 2860 Flqmbd32.exe 2616 Fqlicclo.exe 2656 Fjdnlhco.exe 3068 Fmcjhdbc.exe 668 Fmegncpp.exe 1772 Foccjood.exe 1016 Ffmkfifa.exe 1768 Fgohna32.exe 1380 Fgadda32.exe 2924 Gnkmqkbi.exe 1636 Gmpjagfa.exe 2068 Gcjbna32.exe 3004 Ggfnopfg.exe 332 Gmbfggdo.exe 1296 Gcmoda32.exe 2176 Gghkdp32.exe 1472 Gfmgelil.exe 1664 Gildahhp.exe 2528 Gmgpbf32.exe 2488 Gpelnb32.exe 2108 Gbdhjm32.exe 2684 Hebdfind.exe 2452 Hinqgg32.exe 2596 Hphidanj.exe 2708 Heealhla.exe 2624 Hipmmg32.exe 2840 Hloiib32.exe 1556 Hpjeialg.exe 2012 Hnmeen32.exe 1804 Hegnahjo.exe 1412 Hhejnc32.exe 2208 Hjdfjo32.exe 1164 Hbknkl32.exe 1968 Heikgh32.exe 1788 Hhhgcc32.exe -
Loads dropped DLL 64 IoCs
Processes:
149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exeCepfgdnj.exeCjmopkla.exeCafgle32.exeCllkin32.exeCaidaeak.exeComdkipe.exeCakqgeoi.exeCifelgmd.exeDdliip32.exeDiibag32.exeDlgnmb32.exeDikogf32.exeDpegcq32.exeDinklffl.exeDllhhaep.exeDojddmec.exeDiphbfdi.exeDchmkkkj.exeDegiggjm.exeEoompl32.exeEdlfhc32.exeEgjbdo32.exeEoajel32.exeEpbfmd32.exeEjkkfjkj.exeEniclh32.exeElldgehk.exeEqjmncna.exeFffefjmi.exeFlqmbd32.exeFqlicclo.exepid Process 2920 149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe 2920 149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe 1224 Cepfgdnj.exe 1224 Cepfgdnj.exe 2184 Cjmopkla.exe 2184 Cjmopkla.exe 2784 Cafgle32.exe 2784 Cafgle32.exe 2736 Cllkin32.exe 2736 Cllkin32.exe 2868 Caidaeak.exe 2868 Caidaeak.exe 2752 Comdkipe.exe 2752 Comdkipe.exe 2756 Cakqgeoi.exe 2756 Cakqgeoi.exe 2668 Cifelgmd.exe 2668 Cifelgmd.exe 1172 Ddliip32.exe 1172 Ddliip32.exe 1588 Diibag32.exe 1588 Diibag32.exe 1984 Dlgnmb32.exe 1984 Dlgnmb32.exe 2652 Dikogf32.exe 2652 Dikogf32.exe 2844 Dpegcq32.exe 2844 Dpegcq32.exe 2936 Dinklffl.exe 2936 Dinklffl.exe 2116 Dllhhaep.exe 2116 Dllhhaep.exe 1076 Dojddmec.exe 1076 Dojddmec.exe 852 Diphbfdi.exe 852 Diphbfdi.exe 1492 Dchmkkkj.exe 1492 Dchmkkkj.exe 2004 Degiggjm.exe 2004 Degiggjm.exe 948 Eoompl32.exe 948 Eoompl32.exe 2324 Edlfhc32.exe 2324 Edlfhc32.exe 1672 Egjbdo32.exe 1672 Egjbdo32.exe 604 Eoajel32.exe 604 Eoajel32.exe 3040 Epbfmd32.exe 3040 Epbfmd32.exe 1528 Ejkkfjkj.exe 1528 Ejkkfjkj.exe 2552 Eniclh32.exe 2552 Eniclh32.exe 2440 Elldgehk.exe 2440 Elldgehk.exe 2404 Eqjmncna.exe 2404 Eqjmncna.exe 2796 Fffefjmi.exe 2796 Fffefjmi.exe 2860 Flqmbd32.exe 2860 Flqmbd32.exe 2616 Fqlicclo.exe 2616 Fqlicclo.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jpgjgboe.exeOmklkkpl.exeDllhhaep.exeElipgofb.exeEknmhk32.exeEaeipfei.exeNlcibc32.exeQgmpibam.exeBmbgfkje.exeDegiggjm.exeHhejnc32.exeHeikgh32.exeGbohehoj.exeKkgahoel.exeKkjnnn32.exeMdghaf32.exePepcelel.exeFgadda32.exeLqqpgj32.exeMejlalji.exeQpbglhjq.exeOjmpooah.exeAomnhd32.exeNjbdea32.exeGceailog.exeGhdgfbkl.exeQfljkp32.exeHcgjmo32.exeMimgeigj.exeNnoiio32.exeBgoime32.exeFgohna32.exeNpaich32.exeFfodjh32.exeGdhkfd32.exeKadfkhkf.exeFncpef32.exeLcjlnpmo.exeOiffkkbk.exeMcjhmcok.exeBfdenafn.exeHebdfind.exeJkhejkcq.exeKglehp32.exeFkecij32.exeNpjlhcmd.exeCmpgpond.exeDjdgic32.exeKofaicon.exeNdhlhg32.exeDhpemm32.exeQgmfchei.exeBfncpcoc.exeBmhkmm32.exeGgkqmoma.exeGnkmqkbi.exeGfmgelil.exeMfglep32.exeIflmjihl.exePohhna32.exeBkbaii32.exeIliebpfc.exedescription ioc Process File created C:\Windows\SysWOW64\Jgabdlfb.exe Jpgjgboe.exe File created C:\Windows\SysWOW64\Opihgfop.exe Omklkkpl.exe File created C:\Windows\SysWOW64\Mpmhhb32.dll Dllhhaep.exe File opened for modification C:\Windows\SysWOW64\Eogmcjef.exe Elipgofb.exe File opened for modification C:\Windows\SysWOW64\Eaheeecg.exe Eknmhk32.exe File created C:\Windows\SysWOW64\Eddeladm.exe Eaeipfei.exe File created C:\Windows\SysWOW64\Nbmaon32.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Ljamki32.dll Qgmpibam.exe File opened for modification C:\Windows\SysWOW64\Coacbfii.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Gfgbgqka.dll Degiggjm.exe File opened for modification C:\Windows\SysWOW64\Hjdfjo32.exe Hhejnc32.exe File created C:\Windows\SysWOW64\Hhhgcc32.exe Heikgh32.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Gbohehoj.exe File created C:\Windows\SysWOW64\Behjbjcf.dll Kkgahoel.exe File created C:\Windows\SysWOW64\Kadfkhkf.exe Kkjnnn32.exe File created C:\Windows\SysWOW64\Fffgkhmc.dll Mdghaf32.exe File created C:\Windows\SysWOW64\Iidobe32.dll Pepcelel.exe File created C:\Windows\SysWOW64\Gnkmqkbi.exe Fgadda32.exe File created C:\Windows\SysWOW64\Fhjboh32.dll Lqqpgj32.exe File opened for modification C:\Windows\SysWOW64\Mkddnf32.exe Mejlalji.exe File created C:\Windows\SysWOW64\Jpefpo32.dll Qpbglhjq.exe File created C:\Windows\SysWOW64\Giddhc32.dll Ojmpooah.exe File opened for modification C:\Windows\SysWOW64\Afffenbp.exe Aomnhd32.exe File opened for modification C:\Windows\SysWOW64\Nallalep.exe Njbdea32.exe File created C:\Windows\SysWOW64\Doohmk32.dll Gceailog.exe File opened for modification C:\Windows\SysWOW64\Gkbcbn32.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Lmkcam32.dll Qfljkp32.exe File created C:\Windows\SysWOW64\Hfegij32.exe Hcgjmo32.exe File created C:\Windows\SysWOW64\Fljiqocb.dll Mimgeigj.exe File created C:\Windows\SysWOW64\Eifppipg.dll Nnoiio32.exe File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe Bgoime32.exe File created C:\Windows\SysWOW64\Fclelk32.dll Fgohna32.exe File created C:\Windows\SysWOW64\Lpkadj32.dll Mejlalji.exe File opened for modification C:\Windows\SysWOW64\Nbpeoc32.exe Npaich32.exe File created C:\Windows\SysWOW64\Egjfigdn.dll Ffodjh32.exe File created C:\Windows\SysWOW64\Ghdgfbkl.exe Gdhkfd32.exe File created C:\Windows\SysWOW64\Oqfqioai.dll Kadfkhkf.exe File created C:\Windows\SysWOW64\Fqalaa32.exe Fncpef32.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Lcjlnpmo.exe File opened for modification C:\Windows\SysWOW64\Olebgfao.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Mjcaimgg.exe Mcjhmcok.exe File opened for modification C:\Windows\SysWOW64\Bmnnkl32.exe Bfdenafn.exe File opened for modification C:\Windows\SysWOW64\Hinqgg32.exe Hebdfind.exe File created C:\Windows\SysWOW64\Nbdmji32.dll Jkhejkcq.exe File created C:\Windows\SysWOW64\Kkgahoel.exe Kglehp32.exe File opened for modification C:\Windows\SysWOW64\Fncpef32.exe Fkecij32.exe File opened for modification C:\Windows\SysWOW64\Nnmlcp32.exe Npjlhcmd.exe File opened for modification C:\Windows\SysWOW64\Calcpm32.exe Cmpgpond.exe File created C:\Windows\SysWOW64\Cbehjc32.dll Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Kfpifm32.exe Kofaicon.exe File created C:\Windows\SysWOW64\Kjkbonmp.dll Ndhlhg32.exe File opened for modification C:\Windows\SysWOW64\Dknajh32.exe Dhpemm32.exe File opened for modification C:\Windows\SysWOW64\Qododfek.exe Qgmfchei.exe File opened for modification C:\Windows\SysWOW64\Bmhkmm32.exe Bfncpcoc.exe File created C:\Windows\SysWOW64\Bknlaikf.dll Bmhkmm32.exe File created C:\Windows\SysWOW64\Pbgiha32.dll Ghdgfbkl.exe File opened for modification C:\Windows\SysWOW64\Gjjmijme.exe Ggkqmoma.exe File created C:\Windows\SysWOW64\Ngfpmcbo.dll Gnkmqkbi.exe File created C:\Windows\SysWOW64\Gildahhp.exe Gfmgelil.exe File created C:\Windows\SysWOW64\Mejlalji.exe Mfglep32.exe File created C:\Windows\SysWOW64\Dejdjfjb.dll Iflmjihl.exe File opened for modification C:\Windows\SysWOW64\Pafdjmkq.exe Pohhna32.exe File created C:\Windows\SysWOW64\Baojapfj.exe Bkbaii32.exe File created C:\Windows\SysWOW64\Inhanl32.exe Iliebpfc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5700 5504 WerFault.exe 576 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Locjhqpa.exeDojddmec.exeHhejnc32.exeLmgalkcf.exeQackpado.exeEdfbaabj.exeIeomef32.exeJpigma32.exeBgblmk32.exeBaojapfj.exeOadkej32.exePpnnai32.exeAfffenbp.exeCifelgmd.exeElldgehk.exeDdfebnoo.exeHakkgc32.exeJbqmhnbo.exeLoqmba32.exeNfoghakb.exeKcecbq32.exeAbpcooea.exeDanpemej.exeHdoghdmd.exeAgolnbok.exeCiihklpj.exeFfmkfifa.exeAkkoig32.exeAfgmodel.exeBoidnh32.exeEoepnk32.exeIoohokoo.exeNjbdea32.exeFjegog32.exePohhna32.exeJkpbdq32.exeBbbpenco.exeHeikgh32.exeHfjpdjjo.exeKdnild32.exeAjpepm32.exeAhebaiac.exeCinafkkd.exePalepb32.exeOlebgfao.exeQgjccb32.exeDdliip32.exeIplnnd32.exeHjacjifm.exeBgaebe32.exeCaidaeak.exeIdkpganf.exeCnfqccna.exeHphidanj.exeOanefo32.exePlolgk32.exeEaeipfei.exeJkhejkcq.exeDpkibo32.exeJeafjiop.exeKdklfe32.exePaknelgk.exeNeqnqofm.exeCmpgpond.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojddmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhejnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgalkcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfbaabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpigma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgblmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifelgmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elldgehk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfebnoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbqmhnbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loqmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcecbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdoghdmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmkfifa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkoig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmodel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbdea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpbdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heikgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjpdjjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnild32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palepb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddliip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjacjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caidaeak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphidanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanefo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaeipfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhejkcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqnqofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe -
Modifies registry class 64 IoCs
Processes:
Fcbecl32.exeLjddjj32.exeLboiol32.exeIbhndp32.exeEdibhmml.exeHfhcoj32.exeKgqocoin.exeDinklffl.exeLcomce32.exeOanefo32.exeHfegij32.exeLqqpgj32.exeOioggmmc.exeQackpado.exeDmojkc32.exeJbcjnnpl.exeJampjian.exeObjaha32.exePgfjhcge.exeJepmgj32.exeAdlcfjgh.exeJhdlad32.exeBffbdadk.exeNdhlhg32.exeFolfoj32.exeHhjcic32.exeKbgjkn32.exeNeqnqofm.exeOjmpooah.exeComdkipe.exeFmegncpp.exeDeollamj.exeFhdjgoha.exeLgqkbb32.exeAlihaioe.exeAbpcooea.exeHeikgh32.exeBiaign32.exeKcopdb32.exeFffefjmi.exeGmpjagfa.exeDknajh32.exeEpmfgo32.exeGceailog.exeGoplilpf.exeMnaiol32.exeNedhjj32.exeEjkkfjkj.exeGcmoda32.exeNidmfh32.exeJpgjgboe.exeMcjhmcok.exeEdlfhc32.exeMeoell32.exeObgkpb32.exeLbfook32.exeMcnbhb32.exeOmklkkpl.exePlgolf32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlkhpje.dll" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llechb32.dll" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foibdham.dll" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jndape32.dll" Hfhcoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dinklffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcomce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidgma32.dll" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqqpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oioggmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manghajd.dll" Qackpado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbcjnnpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjkclbf.dll" Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll" Adlcfjgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndhlhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhjcic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqmla32.dll" Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neqnqofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojmpooah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Comdkipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmegncpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhdjgoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alihaioe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Heikgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikpibof.dll" Biaign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbbglbj.dll" Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmpjagfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dknajh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doohmk32.dll" Gceailog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnaiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nedhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejkkfjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nidmfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deollamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpgjgboe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edlfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obgkpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mcnbhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omklkkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plgolf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exeCepfgdnj.exeCjmopkla.exeCafgle32.exeCllkin32.exeCaidaeak.exeComdkipe.exeCakqgeoi.exeCifelgmd.exeDdliip32.exeDiibag32.exeDlgnmb32.exeDikogf32.exeDpegcq32.exeDinklffl.exeDllhhaep.exedescription pid Process procid_target PID 2920 wrote to memory of 1224 2920 149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe 30 PID 2920 wrote to memory of 1224 2920 149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe 30 PID 2920 wrote to memory of 1224 2920 149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe 30 PID 2920 wrote to memory of 1224 2920 149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe 30 PID 1224 wrote to memory of 2184 1224 Cepfgdnj.exe 31 PID 1224 wrote to memory of 2184 1224 Cepfgdnj.exe 31 PID 1224 wrote to memory of 2184 1224 Cepfgdnj.exe 31 PID 1224 wrote to memory of 2184 1224 Cepfgdnj.exe 31 PID 2184 wrote to memory of 2784 2184 Cjmopkla.exe 32 PID 2184 wrote to memory of 2784 2184 Cjmopkla.exe 32 PID 2184 wrote to memory of 2784 2184 Cjmopkla.exe 32 PID 2184 wrote to memory of 2784 2184 Cjmopkla.exe 32 PID 2784 wrote to memory of 2736 2784 Cafgle32.exe 33 PID 2784 wrote to memory of 2736 2784 Cafgle32.exe 33 PID 2784 wrote to memory of 2736 2784 Cafgle32.exe 33 PID 2784 wrote to memory of 2736 2784 Cafgle32.exe 33 PID 2736 wrote to memory of 2868 2736 Cllkin32.exe 34 PID 2736 wrote to memory of 2868 2736 Cllkin32.exe 34 PID 2736 wrote to memory of 2868 2736 Cllkin32.exe 34 PID 2736 wrote to memory of 2868 2736 Cllkin32.exe 34 PID 2868 wrote to memory of 2752 2868 Caidaeak.exe 35 PID 2868 wrote to memory of 2752 2868 Caidaeak.exe 35 PID 2868 wrote to memory of 2752 2868 Caidaeak.exe 35 PID 2868 wrote to memory of 2752 2868 Caidaeak.exe 35 PID 2752 wrote to memory of 2756 2752 Comdkipe.exe 36 PID 2752 wrote to memory of 2756 2752 Comdkipe.exe 36 PID 2752 wrote to memory of 2756 2752 Comdkipe.exe 36 PID 2752 wrote to memory of 2756 2752 Comdkipe.exe 36 PID 2756 wrote to memory of 2668 2756 Cakqgeoi.exe 37 PID 2756 wrote to memory of 2668 2756 Cakqgeoi.exe 37 PID 2756 wrote to memory of 2668 2756 Cakqgeoi.exe 37 PID 2756 wrote to memory of 2668 2756 Cakqgeoi.exe 37 PID 2668 wrote to memory of 1172 2668 Cifelgmd.exe 38 PID 2668 wrote to memory of 1172 2668 Cifelgmd.exe 38 PID 2668 wrote to memory of 1172 2668 Cifelgmd.exe 38 PID 2668 wrote to memory of 1172 2668 Cifelgmd.exe 38 PID 1172 wrote to memory of 1588 1172 Ddliip32.exe 39 PID 1172 wrote to memory of 1588 1172 Ddliip32.exe 39 PID 1172 wrote to memory of 1588 1172 Ddliip32.exe 39 PID 1172 wrote to memory of 1588 1172 Ddliip32.exe 39 PID 1588 wrote to memory of 1984 1588 Diibag32.exe 40 PID 1588 wrote to memory of 1984 1588 Diibag32.exe 40 PID 1588 wrote to memory of 1984 1588 Diibag32.exe 40 PID 1588 wrote to memory of 1984 1588 Diibag32.exe 40 PID 1984 wrote to memory of 2652 1984 Dlgnmb32.exe 41 PID 1984 wrote to memory of 2652 1984 Dlgnmb32.exe 41 PID 1984 wrote to memory of 2652 1984 Dlgnmb32.exe 41 PID 1984 wrote to memory of 2652 1984 Dlgnmb32.exe 41 PID 2652 wrote to memory of 2844 2652 Dikogf32.exe 42 PID 2652 wrote to memory of 2844 2652 Dikogf32.exe 42 PID 2652 wrote to memory of 2844 2652 Dikogf32.exe 42 PID 2652 wrote to memory of 2844 2652 Dikogf32.exe 42 PID 2844 wrote to memory of 2936 2844 Dpegcq32.exe 43 PID 2844 wrote to memory of 2936 2844 Dpegcq32.exe 43 PID 2844 wrote to memory of 2936 2844 Dpegcq32.exe 43 PID 2844 wrote to memory of 2936 2844 Dpegcq32.exe 43 PID 2936 wrote to memory of 2116 2936 Dinklffl.exe 44 PID 2936 wrote to memory of 2116 2936 Dinklffl.exe 44 PID 2936 wrote to memory of 2116 2936 Dinklffl.exe 44 PID 2936 wrote to memory of 2116 2936 Dinklffl.exe 44 PID 2116 wrote to memory of 1076 2116 Dllhhaep.exe 45 PID 2116 wrote to memory of 1076 2116 Dllhhaep.exe 45 PID 2116 wrote to memory of 1076 2116 Dllhhaep.exe 45 PID 2116 wrote to memory of 1076 2116 Dllhhaep.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe"C:\Users\Admin\AppData\Local\Temp\149345f5cb8971f80b4f522991e349b8c6a2b7dc7740078a366374f7e0f906a0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe33⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe34⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe36⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe42⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe43⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe44⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe46⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe48⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe49⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe50⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe51⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe53⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe55⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe56⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe57⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe58⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe60⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe62⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe63⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe65⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe66⤵PID:1536
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe67⤵PID:2432
-
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe68⤵PID:1592
-
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe69⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe70⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe71⤵PID:2680
-
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe72⤵PID:1920
-
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe73⤵PID:2896
-
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe74⤵PID:1268
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe75⤵PID:1760
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe76⤵PID:2688
-
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe77⤵PID:1936
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe78⤵PID:2188
-
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe79⤵PID:768
-
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe80⤵
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe81⤵PID:1780
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe82⤵PID:904
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2228 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe85⤵PID:2880
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe86⤵PID:2812
-
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe87⤵PID:2900
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe88⤵PID:1648
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe89⤵PID:1956
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe90⤵PID:1328
-
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe92⤵PID:1476
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe93⤵PID:1468
-
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe94⤵PID:1484
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe95⤵PID:2448
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe96⤵PID:1532
-
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe97⤵PID:2792
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe98⤵PID:2728
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe99⤵PID:2744
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe100⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe101⤵PID:1564
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe102⤵PID:1212
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe103⤵PID:2280
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe104⤵PID:1948
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe105⤵PID:448
-
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:236 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe108⤵PID:1996
-
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe110⤵PID:2508
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe111⤵PID:2160
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe112⤵PID:1836
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe113⤵PID:352
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe114⤵PID:1940
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe115⤵PID:1032
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe116⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe117⤵PID:564
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe118⤵PID:2124
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe119⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe120⤵PID:2396
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe121⤵PID:1264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-