Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2024 01:15
Static task
static1
Behavioral task
behavioral1
Sample
98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe
Resource
win10v2004-20241007-en
General
-
Target
98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe
-
Size
76KB
-
MD5
d4638757020925202a60060995cc8340
-
SHA1
baf7062a04d74f64a8a4463555b2f08cdaa42dbd
-
SHA256
98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851d
-
SHA512
10d17d9bc951ce8761baf383accd278e24c581722d905249467c74681ac642532355e769446b2c8cb98e17035a79be0c2228b70c76dfd7237f735627f3256724
-
SSDEEP
1536:+HBAHPmMVOmueABr/Ue1n1EpyPranoLmYhz8u4vXiMR1gg6pdIsiR6HZ:yBAOMVOmAR1nCyPrano6Az8dXiMR1aIq
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cicjfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghommmob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfdhkkcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfobahc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljmmkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoonlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkkmfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglqlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkpmhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnmecod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmelhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igkkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmkbllhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljblpkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfmmlpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajegccf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnmbpld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geched32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gagjlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphnaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbaed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknapf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obbjdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhooje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akgckhfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefnaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjjgni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjgggfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhcfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpealj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghoecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phdlgfma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcknlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpojln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmccmno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbnoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oihopa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhopok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palife32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nonbhifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpjaplgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iboici32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmkai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfedejhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhimmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klapcaak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igahkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Penkgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkgdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpggiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oelfkebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiaakbhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafhnanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emendd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1612 Fkpmhk32.exe 4616 Fajeeeac.exe 1532 Fdhaapqf.exe 2716 Fgfmmlpj.exe 3488 Foneni32.exe 2724 Falajd32.exe 3944 Fdjnfp32.exe 712 Fopbdi32.exe 4752 Fejjqcff.exe 1496 Fgkfhk32.exe 2348 Foboih32.exe 4624 Fneoeeca.exe 2420 Gdogaojo.exe 3016 Ggncnkjb.exe 2004 Goekohjd.exe 1316 Gacgkcih.exe 4348 Gdadgohl.exe 3848 Gkkldi32.exe 748 Gaedqc32.exe 1500 Ghommmob.exe 3860 Gnleedmj.exe 3580 Gdfmbn32.exe 2712 Golapg32.exe 4476 Gdhjhnbd.exe 2872 Galjabam.exe 3052 Hoqkkfpg.exe 4852 Hboggbok.exe 4480 Hdmccmno.exe 432 Hglpoi32.exe 4324 Hfmpmpea.exe 4384 Hgnldh32.exe 752 Hoedff32.exe 2680 Hdbmnm32.exe 3236 Hgpijhim.exe 2492 Hnjagb32.exe 4912 Hbfmgaic.exe 1104 Hddiclhf.exe 1492 Hgbfphgj.exe 3880 Hknapf32.exe 4252 Hnmnlb32.exe 2104 Ifdfno32.exe 4156 Ihbbjk32.exe 388 Ikqnffnq.exe 4028 Ibjgbp32.exe 3060 Iffbcomf.exe 412 Idicol32.exe 4860 Ikckkfln.exe 3976 Ioogld32.exe 3696 Ibmchp32.exe 1512 Idkpdk32.exe 1472 Iiglejjg.exe 4956 Ioadadbd.exe 792 Ibopnpah.exe 2996 Idnljkpl.exe 1132 Iiihjj32.exe 1892 Iocqgdpb.exe 3380 Infabq32.exe 1504 Iepiokni.exe 1188 Ikjale32.exe 4808 Jfpeinel.exe 4368 Jbffno32.exe 1108 Jgcofe32.exe 5100 Jbhcdnim.exe 1664 Jibkqh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ijkeojpl.dll Fipica32.exe File created C:\Windows\SysWOW64\Bihpmleb.dll Lapogbjd.exe File created C:\Windows\SysWOW64\Jmmibaqe.dll Jhbdfbmo.exe File created C:\Windows\SysWOW64\Jolole32.exe Jlnboi32.exe File opened for modification C:\Windows\SysWOW64\Gacgkcih.exe Goekohjd.exe File created C:\Windows\SysWOW64\Ngqpng32.exe Noihmi32.exe File created C:\Windows\SysWOW64\Jnjccjok.exe Jjogbk32.exe File opened for modification C:\Windows\SysWOW64\Jeanmp32.exe Jogeqepe.exe File created C:\Windows\SysWOW64\Dlgkhfag.dll 98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe File opened for modification C:\Windows\SysWOW64\Gphnaj32.exe Gmiaen32.exe File created C:\Windows\SysWOW64\Kqhalm32.exe Kmmekndg.exe File created C:\Windows\SysWOW64\Eppojm32.exe Eamnophd.exe File created C:\Windows\SysWOW64\Diecii32.dll Fkflncpb.exe File created C:\Windows\SysWOW64\Ndgpec32.exe Naicih32.exe File created C:\Windows\SysWOW64\Fopbdi32.exe Fdjnfp32.exe File created C:\Windows\SysWOW64\Mgbcod32.exe Medfci32.exe File created C:\Windows\SysWOW64\Ecebinga.dll Emendd32.exe File created C:\Windows\SysWOW64\Ljglea32.exe Lgipie32.exe File created C:\Windows\SysWOW64\Nofbapok.dll Mpbofm32.exe File created C:\Windows\SysWOW64\Jkkleb32.dll Kakelb32.exe File opened for modification C:\Windows\SysWOW64\Hmpqlgam.exe Hgehom32.exe File created C:\Windows\SysWOW64\Cbfoil32.dll Pacfaj32.exe File created C:\Windows\SysWOW64\Eblgfblj.exe Emoonlnb.exe File created C:\Windows\SysWOW64\Aolpenhn.exe Alndibij.exe File opened for modification C:\Windows\SysWOW64\Ijgjgf32.exe Icmbklaa.exe File created C:\Windows\SysWOW64\Fcbhjlif.dll Mcnmodgj.exe File opened for modification C:\Windows\SysWOW64\Oeiief32.exe Onoqhlmb.exe File opened for modification C:\Windows\SysWOW64\Diiimhjh.exe Dncepokb.exe File created C:\Windows\SysWOW64\Eqflpkle.dll Obkccq32.exe File opened for modification C:\Windows\SysWOW64\Pclmjn32.exe Pkedia32.exe File created C:\Windows\SysWOW64\Qlpopdnc.dll Pcnipn32.exe File opened for modification C:\Windows\SysWOW64\Blnmpp32.exe Bjpqde32.exe File created C:\Windows\SysWOW64\Abmpikmc.dll Jnilic32.exe File created C:\Windows\SysWOW64\Fjbejg32.dll Qoimeh32.exe File opened for modification C:\Windows\SysWOW64\Ohnlam32.exe Ocadif32.exe File created C:\Windows\SysWOW64\Doligfgf.dll Dafhnanl.exe File opened for modification C:\Windows\SysWOW64\Epnbdmaa.exe Empehban.exe File opened for modification C:\Windows\SysWOW64\Opbckm32.exe Process not Found File created C:\Windows\SysWOW64\Qllnnini.exe Qfbfao32.exe File created C:\Windows\SysWOW64\Aoelaflg.exe Alfpek32.exe File opened for modification C:\Windows\SysWOW64\Gbelii32.exe Gmhcqb32.exe File created C:\Windows\SysWOW64\Ngmchi32.dll Jelhki32.exe File created C:\Windows\SysWOW64\Nqgjgo32.dll Ipnfopbn.exe File created C:\Windows\SysWOW64\Kkgphfbo.exe Kcphgi32.exe File opened for modification C:\Windows\SysWOW64\Mnadgn32.exe Mkchkb32.exe File created C:\Windows\SysWOW64\Almmoleo.exe Adfeno32.exe File opened for modification C:\Windows\SysWOW64\Bhbjekoc.exe Becnippo.exe File created C:\Windows\SysWOW64\Kndejk32.exe Kjiiimem.exe File created C:\Windows\SysWOW64\Ajgdhm32.exe Aghhla32.exe File created C:\Windows\SysWOW64\Ohknnh32.dll Jgnnapja.exe File opened for modification C:\Windows\SysWOW64\Pijnbh32.exe Pacfaj32.exe File opened for modification C:\Windows\SysWOW64\Npipeoem.exe Process not Found File created C:\Windows\SysWOW64\Lkcfoklm.exe Lggjnl32.exe File opened for modification C:\Windows\SysWOW64\Nnkgml32.exe Nllkaa32.exe File created C:\Windows\SysWOW64\Aeajhhcc.dll Adfeno32.exe File created C:\Windows\SysWOW64\Hfndke32.exe Hogljhng.exe File opened for modification C:\Windows\SysWOW64\Canaojmb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mifjdcbb.exe Mfgnhhbo.exe File opened for modification C:\Windows\SysWOW64\Ecfjefgb.exe Emlbhl32.exe File created C:\Windows\SysWOW64\Lmhmbb32.dll Lcpqng32.exe File created C:\Windows\SysWOW64\Jngcfmeo.dll Bkefgl32.exe File created C:\Windows\SysWOW64\Ofjobhfa.exe Process not Found File created C:\Windows\SysWOW64\Ccdgcchg.dll Ppemihid.exe File created C:\Windows\SysWOW64\Dhlgpljo.exe Daaocb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6608 7852 Process not Found 1303 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnohan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgdhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiaen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glinae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogaied32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnlam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mapgnpla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcbhjam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioclef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmicbfib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diiimhjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dminhfol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaobfod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hicnqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkilnfpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqgbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dieflobi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbmga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppqfdmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjbnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihamhpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfnicob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlohgqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmdcloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgkafie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbbjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfgnhhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqaehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgcnckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkbllhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhkhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppemihid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohnee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdhdheq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijjhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgipie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegpbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finkoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnmecod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfeihcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqlmebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhnko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmokgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doaddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fneoeeca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpodbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdlgfma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfhamlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpbpb32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 860 Jbkpingk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdemajom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npnnblmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggfoic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkboddha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mibfdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lemqbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiqgbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Necqicao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpdhdheq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bajnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdcinc32.dll" Cjlgjieb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmjcfedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miecim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dknfggil.dll" Almmoleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhjag32.dll" Klloqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpekp32.dll" Bbpocfej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahekijbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjkhdme.dll" Keddgahe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmaofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noilem32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nianch32.dll" Aejkcahj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Foboih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmecgom.dll" Nlooagcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acleallb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plamcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahfjim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olnbmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijpkamcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajadcghd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdnimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loddga32.dll" Naicih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jghhaeeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikgnlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehbmpkcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mibfdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqoppgqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifdfno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqjcng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koifemhi.dll" Qlkgdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcbhjlif.dll" Mcnmodgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjojflhj.dll" Kleiphfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcceamlo.dll" Kncfihgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpandk32.dll" Oahgelgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbhpm32.dll" Neqminpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnfnbmem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mboeek32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eablclef.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpajpj32.dll" Fgkfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meibcipd.dll" Pohnee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inolgkjl.dll" Dihjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hneaam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekeaja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nejgjbkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pghpecfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kklpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbigdcoj.dll" Foneni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcleh32.dll" Qojcpnjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbghljok.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1484 wrote to memory of 1612 1484 98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe 85 PID 1484 wrote to memory of 1612 1484 98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe 85 PID 1484 wrote to memory of 1612 1484 98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe 85 PID 1612 wrote to memory of 4616 1612 Fkpmhk32.exe 86 PID 1612 wrote to memory of 4616 1612 Fkpmhk32.exe 86 PID 1612 wrote to memory of 4616 1612 Fkpmhk32.exe 86 PID 4616 wrote to memory of 1532 4616 Fajeeeac.exe 87 PID 4616 wrote to memory of 1532 4616 Fajeeeac.exe 87 PID 4616 wrote to memory of 1532 4616 Fajeeeac.exe 87 PID 1532 wrote to memory of 2716 1532 Fdhaapqf.exe 89 PID 1532 wrote to memory of 2716 1532 Fdhaapqf.exe 89 PID 1532 wrote to memory of 2716 1532 Fdhaapqf.exe 89 PID 2716 wrote to memory of 3488 2716 Fgfmmlpj.exe 90 PID 2716 wrote to memory of 3488 2716 Fgfmmlpj.exe 90 PID 2716 wrote to memory of 3488 2716 Fgfmmlpj.exe 90 PID 3488 wrote to memory of 2724 3488 Foneni32.exe 91 PID 3488 wrote to memory of 2724 3488 Foneni32.exe 91 PID 3488 wrote to memory of 2724 3488 Foneni32.exe 91 PID 2724 wrote to memory of 3944 2724 Falajd32.exe 92 PID 2724 wrote to memory of 3944 2724 Falajd32.exe 92 PID 2724 wrote to memory of 3944 2724 Falajd32.exe 92 PID 3944 wrote to memory of 712 3944 Fdjnfp32.exe 93 PID 3944 wrote to memory of 712 3944 Fdjnfp32.exe 93 PID 3944 wrote to memory of 712 3944 Fdjnfp32.exe 93 PID 712 wrote to memory of 4752 712 Fopbdi32.exe 94 PID 712 wrote to memory of 4752 712 Fopbdi32.exe 94 PID 712 wrote to memory of 4752 712 Fopbdi32.exe 94 PID 4752 wrote to memory of 1496 4752 Fejjqcff.exe 95 PID 4752 wrote to memory of 1496 4752 Fejjqcff.exe 95 PID 4752 wrote to memory of 1496 4752 Fejjqcff.exe 95 PID 1496 wrote to memory of 2348 1496 Fgkfhk32.exe 96 PID 1496 wrote to memory of 2348 1496 Fgkfhk32.exe 96 PID 1496 wrote to memory of 2348 1496 Fgkfhk32.exe 96 PID 2348 wrote to memory of 4624 2348 Foboih32.exe 97 PID 2348 wrote to memory of 4624 2348 Foboih32.exe 97 PID 2348 wrote to memory of 4624 2348 Foboih32.exe 97 PID 4624 wrote to memory of 2420 4624 Fneoeeca.exe 98 PID 4624 wrote to memory of 2420 4624 Fneoeeca.exe 98 PID 4624 wrote to memory of 2420 4624 Fneoeeca.exe 98 PID 2420 wrote to memory of 3016 2420 Gdogaojo.exe 99 PID 2420 wrote to memory of 3016 2420 Gdogaojo.exe 99 PID 2420 wrote to memory of 3016 2420 Gdogaojo.exe 99 PID 3016 wrote to memory of 2004 3016 Ggncnkjb.exe 100 PID 3016 wrote to memory of 2004 3016 Ggncnkjb.exe 100 PID 3016 wrote to memory of 2004 3016 Ggncnkjb.exe 100 PID 2004 wrote to memory of 1316 2004 Goekohjd.exe 101 PID 2004 wrote to memory of 1316 2004 Goekohjd.exe 101 PID 2004 wrote to memory of 1316 2004 Goekohjd.exe 101 PID 1316 wrote to memory of 4348 1316 Gacgkcih.exe 102 PID 1316 wrote to memory of 4348 1316 Gacgkcih.exe 102 PID 1316 wrote to memory of 4348 1316 Gacgkcih.exe 102 PID 4348 wrote to memory of 3848 4348 Gdadgohl.exe 103 PID 4348 wrote to memory of 3848 4348 Gdadgohl.exe 103 PID 4348 wrote to memory of 3848 4348 Gdadgohl.exe 103 PID 3848 wrote to memory of 748 3848 Gkkldi32.exe 104 PID 3848 wrote to memory of 748 3848 Gkkldi32.exe 104 PID 3848 wrote to memory of 748 3848 Gkkldi32.exe 104 PID 748 wrote to memory of 1500 748 Gaedqc32.exe 105 PID 748 wrote to memory of 1500 748 Gaedqc32.exe 105 PID 748 wrote to memory of 1500 748 Gaedqc32.exe 105 PID 1500 wrote to memory of 3860 1500 Ghommmob.exe 106 PID 1500 wrote to memory of 3860 1500 Ghommmob.exe 106 PID 1500 wrote to memory of 3860 1500 Ghommmob.exe 106 PID 3860 wrote to memory of 3580 3860 Gnleedmj.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe"C:\Users\Admin\AppData\Local\Temp\98410019ca8df0d69a63fa86273bc1fd00447e2bccc08cdd61b3c783af0e851dN.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Fkpmhk32.exeC:\Windows\system32\Fkpmhk32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Fajeeeac.exeC:\Windows\system32\Fajeeeac.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Fdhaapqf.exeC:\Windows\system32\Fdhaapqf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Fgfmmlpj.exeC:\Windows\system32\Fgfmmlpj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Foneni32.exeC:\Windows\system32\Foneni32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Falajd32.exeC:\Windows\system32\Falajd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fdjnfp32.exeC:\Windows\system32\Fdjnfp32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Fopbdi32.exeC:\Windows\system32\Fopbdi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Fejjqcff.exeC:\Windows\system32\Fejjqcff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Fgkfhk32.exeC:\Windows\system32\Fgkfhk32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Fneoeeca.exeC:\Windows\system32\Fneoeeca.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Gdogaojo.exeC:\Windows\system32\Gdogaojo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Gacgkcih.exeC:\Windows\system32\Gacgkcih.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Gdadgohl.exeC:\Windows\system32\Gdadgohl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Gaedqc32.exeC:\Windows\system32\Gaedqc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Ghommmob.exeC:\Windows\system32\Ghommmob.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Gdfmbn32.exeC:\Windows\system32\Gdfmbn32.exe23⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe24⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe25⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe26⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe27⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe28⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Hglpoi32.exeC:\Windows\system32\Hglpoi32.exe30⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Hfmpmpea.exeC:\Windows\system32\Hfmpmpea.exe31⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Hgnldh32.exeC:\Windows\system32\Hgnldh32.exe32⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Hoedff32.exeC:\Windows\system32\Hoedff32.exe33⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Hdbmnm32.exeC:\Windows\system32\Hdbmnm32.exe34⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Hgpijhim.exeC:\Windows\system32\Hgpijhim.exe35⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe36⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Hbfmgaic.exeC:\Windows\system32\Hbfmgaic.exe37⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Hddiclhf.exeC:\Windows\system32\Hddiclhf.exe38⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe39⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Hknapf32.exeC:\Windows\system32\Hknapf32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Hnmnlb32.exeC:\Windows\system32\Hnmnlb32.exe41⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Ihbbjk32.exeC:\Windows\system32\Ihbbjk32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4156 -
C:\Windows\SysWOW64\Ikqnffnq.exeC:\Windows\system32\Ikqnffnq.exe44⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Ibjgbp32.exeC:\Windows\system32\Ibjgbp32.exe45⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Iffbcomf.exeC:\Windows\system32\Iffbcomf.exe46⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Idicol32.exeC:\Windows\system32\Idicol32.exe47⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Ikckkfln.exeC:\Windows\system32\Ikckkfln.exe48⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Ioogld32.exeC:\Windows\system32\Ioogld32.exe49⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Ibmchp32.exeC:\Windows\system32\Ibmchp32.exe50⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Idkpdk32.exeC:\Windows\system32\Idkpdk32.exe51⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe52⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe53⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe54⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe55⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Iiihjj32.exeC:\Windows\system32\Iiihjj32.exe56⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe57⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Infabq32.exeC:\Windows\system32\Infabq32.exe58⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Iepiokni.exeC:\Windows\system32\Iepiokni.exe59⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ikjale32.exeC:\Windows\system32\Ikjale32.exe60⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Jfpeinel.exeC:\Windows\system32\Jfpeinel.exe61⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe62⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Jgcofe32.exeC:\Windows\system32\Jgcofe32.exe63⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe64⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe65⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Jgeklege.exeC:\Windows\system32\Jgeklege.exe66⤵PID:3660
-
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe67⤵PID:3432
-
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe68⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:860 -
C:\Windows\SysWOW64\Jghhaeeb.exeC:\Windows\system32\Jghhaeeb.exe69⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe70⤵PID:892
-
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe71⤵PID:3144
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe72⤵
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Jgjegd32.exeC:\Windows\system32\Jgjegd32.exe73⤵PID:1588
-
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe74⤵PID:2496
-
C:\Windows\SysWOW64\Kfkeelko.exeC:\Windows\system32\Kfkeelko.exe75⤵PID:3180
-
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe76⤵PID:1832
-
C:\Windows\SysWOW64\Kglamd32.exeC:\Windows\system32\Kglamd32.exe77⤵PID:4164
-
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe78⤵PID:3712
-
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe79⤵PID:4588
-
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe80⤵PID:3024
-
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe81⤵PID:4512
-
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe82⤵PID:184
-
C:\Windows\SysWOW64\Kinklg32.exeC:\Windows\system32\Kinklg32.exe83⤵PID:2584
-
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe84⤵PID:4604
-
C:\Windows\SysWOW64\Kiqgbf32.exeC:\Windows\system32\Kiqgbf32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe86⤵PID:3560
-
C:\Windows\SysWOW64\Kfdhkkcd.exeC:\Windows\system32\Kfdhkkcd.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4072 -
C:\Windows\SysWOW64\Kicdgfbg.exeC:\Windows\system32\Kicdgfbg.exe88⤵PID:3640
-
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1428 -
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe90⤵PID:3540
-
C:\Windows\SysWOW64\Lejelg32.exeC:\Windows\system32\Lejelg32.exe91⤵PID:4828
-
C:\Windows\SysWOW64\Lhhahb32.exeC:\Windows\system32\Lhhahb32.exe92⤵PID:3844
-
C:\Windows\SysWOW64\Lnbiem32.exeC:\Windows\system32\Lnbiem32.exe93⤵PID:1040
-
C:\Windows\SysWOW64\Llfjoa32.exeC:\Windows\system32\Llfjoa32.exe94⤵PID:2184
-
C:\Windows\SysWOW64\Lndfkl32.exeC:\Windows\system32\Lndfkl32.exe95⤵PID:4728
-
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe96⤵PID:1844
-
C:\Windows\SysWOW64\Lijjhe32.exeC:\Windows\system32\Lijjhe32.exe97⤵
- System Location Discovery: System Language Discovery
PID:3784 -
C:\Windows\SysWOW64\Llhfdq32.exeC:\Windows\system32\Llhfdq32.exe98⤵PID:2488
-
C:\Windows\SysWOW64\Lbboak32.exeC:\Windows\system32\Lbboak32.exe99⤵PID:4004
-
C:\Windows\SysWOW64\Lfnkaiki.exeC:\Windows\system32\Lfnkaiki.exe100⤵PID:1388
-
C:\Windows\SysWOW64\Lhogia32.exeC:\Windows\system32\Lhogia32.exe101⤵PID:3968
-
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe102⤵PID:456
-
C:\Windows\SysWOW64\Lfpggiif.exeC:\Windows\system32\Lfpggiif.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Lioccdhj.exeC:\Windows\system32\Lioccdhj.exe104⤵PID:2028
-
C:\Windows\SysWOW64\Lhadoa32.exeC:\Windows\system32\Lhadoa32.exe105⤵PID:5164
-
C:\Windows\SysWOW64\Mlmpopgn.exeC:\Windows\system32\Mlmpopgn.exe106⤵PID:5200
-
C:\Windows\SysWOW64\Moklkkfa.exeC:\Windows\system32\Moklkkfa.exe107⤵PID:5252
-
C:\Windows\SysWOW64\Mbghljok.exeC:\Windows\system32\Mbghljok.exe108⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Meedheno.exeC:\Windows\system32\Meedheno.exe109⤵PID:5340
-
C:\Windows\SysWOW64\Mhdqdamb.exeC:\Windows\system32\Mhdqdamb.exe110⤵PID:5384
-
C:\Windows\SysWOW64\Mpkhenmd.exeC:\Windows\system32\Mpkhenmd.exe111⤵PID:5428
-
C:\Windows\SysWOW64\Moniak32.exeC:\Windows\system32\Moniak32.exe112⤵PID:5472
-
C:\Windows\SysWOW64\Mfeabh32.exeC:\Windows\system32\Mfeabh32.exe113⤵PID:5516
-
C:\Windows\SysWOW64\Mhfmjqkp.exeC:\Windows\system32\Mhfmjqkp.exe114⤵PID:5560
-
C:\Windows\SysWOW64\Mpmeknkb.exeC:\Windows\system32\Mpmeknkb.exe115⤵PID:5604
-
C:\Windows\SysWOW64\Mfgnhhbo.exeC:\Windows\system32\Mfgnhhbo.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5648 -
C:\Windows\SysWOW64\Mifjdcbb.exeC:\Windows\system32\Mifjdcbb.exe117⤵PID:5692
-
C:\Windows\SysWOW64\Mldfpoaf.exeC:\Windows\system32\Mldfpoaf.exe118⤵PID:5736
-
C:\Windows\SysWOW64\Mobbljpj.exeC:\Windows\system32\Mobbljpj.exe119⤵PID:5780
-
C:\Windows\SysWOW64\Mbnnmi32.exeC:\Windows\system32\Mbnnmi32.exe120⤵PID:5824
-
C:\Windows\SysWOW64\Mhkgep32.exeC:\Windows\system32\Mhkgep32.exe121⤵PID:5868
-
C:\Windows\SysWOW64\Mpbofm32.exeC:\Windows\system32\Mpbofm32.exe122⤵
- Drops file in System32 directory
PID:5912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-