Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 00:48
Static task: static1
Behavioral task: behavioral1
  Sample: 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe
  Resource: win10v2004-20241007-en
General
Target: 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe
Size: 128KB
MD5: 2633d39ecff0d346ea6c638f606f4f8f
SHA1: a4e62a55b509251f0fa05f2053f4d622d351e9cd
SHA256: 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa
SHA512: baac8f7f71f9e7a5f43b97df4b22325164b5e89eb407dfb6a7b13e7aacf91c8ae90fc239f06198c476c51f63b24dcdff5a5ee93dbe96bdec18a3def3a9a3eb00
SSDEEP: 3072:QWZMwCq5ymH3U2z+7l0X8mW2wS7IrHrYj:pf4y3M7l0smHwMOHm
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Berbew family
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  Processes: pid 3848, pid_target 3372
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe Elfaifaq.exe Ebcjamoh.exe Ebefgm32.exe Eoigpa32.exe Egdlec32.exe Fdhlnhhc.exe Fkbdkb32.exe Fqomci32.exe Fjgalndh.exe Femeig32.exe Fjjnan32.exe Fqcfnhjb.exe Fmjgcipg.exe Gjngmmnp.exe Glpdde32.exe
description pid process target process
PID 2504 wrote to memory of 920 2504 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe Elfaifaq.exe
PID 2504 wrote to memory of 920 2504 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe Elfaifaq.exe
PID 2504 wrote to memory of 920 2504 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe Elfaifaq.exe
PID 2504 wrote to memory of 920 2504 97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe Elfaifaq.exe
PID 920 wrote to memory of 2916 920 Elfaifaq.exe Ebcjamoh.exe
PID 920 wrote to memory of 2916 920 Elfaifaq.exe Ebcjamoh.exe
PID 920 wrote to memory of 2916 920 Elfaifaq.exe Ebcjamoh.exe
PID 920 wrote to memory of 2916 920 Elfaifaq.exe Ebcjamoh.exe
PID 2916 wrote to memory of 2752 2916 Ebcjamoh.exe Ebefgm32.exe
PID 2916 wrote to memory of 2752 2916 Ebcjamoh.exe Ebefgm32.exe
PID 2916 wrote to memory of 2752 2916 Ebcjamoh.exe Ebefgm32.exe
PID 2916 wrote to memory of 2752 2916 Ebcjamoh.exe Ebefgm32.exe
PID 2752 wrote to memory of 2468 2752 Ebefgm32.exe Eoigpa32.exe
PID 2752 wrote to memory of 2468 2752 Ebefgm32.exe Eoigpa32.exe
PID 2752 wrote to memory of 2468 2752 Ebefgm32.exe Eoigpa32.exe
PID 2752 wrote to memory of 2468 2752 Ebefgm32.exe Eoigpa32.exe
PID 2468 wrote to memory of 2648 2468 Eoigpa32.exe Egdlec32.exe
PID 2468 wrote to memory of 2648 2468 Eoigpa32.exe Egdlec32.exe
PID 2468 wrote to memory of 2648 2468 Eoigpa32.exe Egdlec32.exe
PID 2468 wrote to memory of 2648 2468 Eoigpa32.exe Egdlec32.exe
PID 2648 wrote to memory of 2532 2648 Egdlec32.exe Fdhlnhhc.exe
PID 2648 wrote to memory of 2532 2648 Egdlec32.exe Fdhlnhhc.exe
PID 2648 wrote to memory of 2532 2648 Egdlec32.exe Fdhlnhhc.exe
PID 2648 wrote to memory of 2532 2648 Egdlec32.exe Fdhlnhhc.exe
PID 2532 wrote to memory of 796 2532 Fdhlnhhc.exe Fkbdkb32.exe
PID 2532 wrote to memory of 796 2532 Fdhlnhhc.exe Fkbdkb32.exe
PID 2532 wrote to memory of 796 2532 Fdhlnhhc.exe Fkbdkb32.exe
PID 2532 wrote to memory of 796 2532 Fdhlnhhc.exe Fkbdkb32.exe
PID 796 wrote to memory of 2240 796 Fkbdkb32.exe Fqomci32.exe
PID 796 wrote to memory of 2240 796 Fkbdkb32.exe Fqomci32.exe
PID 796 wrote to memory of 2240 796 Fkbdkb32.exe Fqomci32.exe
PID 796 wrote to memory of 2240 796 Fkbdkb32.exe Fqomci32.exe
PID 2240 wrote to memory of 1520 2240 Fqomci32.exe Fjgalndh.exe
PID 2240 wrote to memory of 1520 2240 Fqomci32.exe Fjgalndh.exe
PID 2240 wrote to memory of 1520 2240 Fqomci32.exe Fjgalndh.exe
PID 2240 wrote to memory of 1520 2240 Fqomci32.exe Fjgalndh.exe
PID 1520 wrote to memory of 2320 1520 Fjgalndh.exe Femeig32.exe
PID 1520 wrote to memory of 2320 1520 Fjgalndh.exe Femeig32.exe
PID 1520 wrote to memory of 2320 1520 Fjgalndh.exe Femeig32.exe
PID 1520 wrote to memory of 2320 1520 Fjgalndh.exe Femeig32.exe
PID 2320 wrote to memory of 2116 2320 Femeig32.exe Fjjnan32.exe
PID 2320 wrote to memory of 2116 2320 Femeig32.exe Fjjnan32.exe
PID 2320 wrote to memory of 2116 2320 Femeig32.exe Fjjnan32.exe
PID 2320 wrote to memory of 2116 2320 Femeig32.exe Fjjnan32.exe
PID 2116 wrote to memory of 1468 2116 Fjjnan32.exe Fqcfnhjb.exe
PID 2116 wrote to memory of 1468 2116 Fjjnan32.exe Fqcfnhjb.exe
PID 2116 wrote to memory of 1468 2116 Fjjnan32.exe Fqcfnhjb.exe
PID 2116 wrote to memory of 1468 2116 Fjjnan32.exe Fqcfnhjb.exe
PID 1468 wrote to memory of 1292 1468 Fqcfnhjb.exe Fmjgcipg.exe
PID 1468 wrote to memory of 1292 1468 Fqcfnhjb.exe Fmjgcipg.exe
PID 1468 wrote to memory of 1292 1468 Fqcfnhjb.exe Fmjgcipg.exe
PID 1468 wrote to memory of 1292 1468 Fqcfnhjb.exe Fmjgcipg.exe
PID 1292 wrote to memory of 580 1292 Fmjgcipg.exe Gjngmmnp.exe
PID 1292 wrote to memory of 580 1292 Fmjgcipg.exe Gjngmmnp.exe
PID 1292 wrote to memory of 580 1292 Fmjgcipg.exe Gjngmmnp.exe
PID 1292 wrote to memory of 580 1292 Fmjgcipg.exe Gjngmmnp.exe
PID 580 wrote to memory of 2132 580 Gjngmmnp.exe Glpdde32.exe
PID 580 wrote to memory of 2132 580 Gjngmmnp.exe Glpdde32.exe
PID 580 wrote to memory of 2132 580 Gjngmmnp.exe Glpdde32.exe
PID 580 wrote to memory of 2132 580 Gjngmmnp.exe Glpdde32.exe
PID 2132 wrote to memory of 840 2132 Glpdde32.exe Gpnmjd32.exe
PID 2132 wrote to memory of 840 2132 Glpdde32.exe Gpnmjd32.exe
PID 2132 wrote to memory of 840 2132 Glpdde32.exe Gpnmjd32.exe
PID 2132 wrote to memory of 840 2132 Glpdde32.exe Gpnmjd32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe"C:\Users\Admin\AppData\Local\Temp\97ceac254df846d4f4c37b097f86c48ea57ffd650fe7a8b723b6e49ba2e203fa.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe33⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe34⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe35⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe36⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe38⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe39⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe40⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe41⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe42⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe44⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe45⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe47⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe48⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe49⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe50⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe51⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe52⤵
PID:2764 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe53⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe54⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe55⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe57⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe58⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe59⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe60⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe61⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe62⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe63⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe64⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe65⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe66⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe67⤵
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe68⤵
PID:2360 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe69⤵
PID:996 -
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe70⤵
PID:2348 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe71⤵
PID:2744 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe72⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe73⤵
PID:2228 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe74⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe75⤵
PID:1840 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe76⤵
PID:1648 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe77⤵
PID:1908 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe78⤵
PID:2100 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe79⤵
PID:2896 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe80⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe81⤵
PID:1640 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe82⤵
PID:2136 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe83⤵
PID:288 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe84⤵
PID:1352 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe85⤵
PID:1740 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe86⤵
PID:2080 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe87⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe88⤵
PID:896 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe89⤵
PID:2496 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe90⤵
PID:2668 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe91⤵
PID:1796 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe92⤵
PID:1492 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe93⤵
PID:1872 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe94⤵
PID:1808 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe95⤵
PID:1388 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe96⤵
PID:1524 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe97⤵
PID:1000 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe98⤵
PID:1696 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe99⤵
PID:548 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe100⤵
PID:2540 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe102⤵
PID:2848 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe103⤵
PID:1004 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe104⤵
PID:2548 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe105⤵
PID:2676 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe108⤵
PID:872 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe109⤵
PID:2148 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe110⤵
PID:1772 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe111⤵
PID:1252 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe112⤵
PID:568 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe113⤵
PID:1620 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe114⤵
PID:1336 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe115⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe116⤵
PID:1968 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe117⤵
PID:2248 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe118⤵
PID:2476 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe119⤵
PID:1880 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe120⤵
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe121⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe122⤵
PID:1916 -