Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:48
Static task
static1
Behavioral task
behavioral1
Sample
1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe
Resource
win10v2004-20241007-en
General
-
Target
1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe
-
Size
1024KB
-
MD5
f33a5095a7683eac9f5bb024471249e0
-
SHA1
2a040fb74efae0c6bf591159448a4e987b30206c
-
SHA256
1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060d
-
SHA512
bf9c3aae0b78bded8dcffc0a7bf2cf55cc10875bb061155c2fc5a89c1b03d87c996fa8465bbf9f864ba8030d03663ba1f15e4d10b1c236650b05a8476677fc44
-
SSDEEP
12288:XybEWxkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:XybgsaDZgQjGkwlks/6HnEO
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Eppqqn32.exeLknojl32.exeFinnef32.exeKplmliko.exeGbofcghl.exeGgahedjn.exeDigehphc.exeJohnamkm.exeLepleocn.exeJcgnbaeo.exeOogpjbbb.exeHbihjifh.exeKhgbqkhj.exeKjepjkhf.exeFneggdhg.exePdjgha32.exeJbagbebm.exeLddgmbpb.exeBohbhmfm.exeDdnfmqng.exeHmbphg32.exeDbqqkkbo.exePhodcg32.exeJokkgl32.exeMokfja32.exePidlqb32.exeKjmfjj32.exeOeehkn32.exeDbnmke32.exeIeccbbkn.exeEpikpo32.exeOalipoiq.exeMcgiefen.exeGimqajgh.exeIpdndloi.exeGmdjapgb.exeHginecde.exeMalpia32.exeBochmn32.exeMnnkgl32.exeBddcenpi.exeOikjkc32.exePdkoch32.exeIajdgcab.exeKofdhd32.exeFeoodn32.exeJcmdaljn.exeIbjqaf32.exeFfobhg32.exeKggcnoic.exeNghekkmn.exeNjkkbehl.exeAojlaeei.exeKjjiej32.exeNnbnhedj.exeLomqcjie.exeCklhcfle.exeJhifomdj.exeQmhlgmmm.exeMgnlkfal.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kplmliko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepleocn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgnbaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogpjbbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khgbqkhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneggdhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddnfmqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbqqkkbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phodcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieccbbkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcgiefen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bochmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oikjkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kofdhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibjqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffobhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kggcnoic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghekkmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkkbehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojlaeei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomqcjie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmhlgmmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mlmbfqoj.exeMajjng32.exeMhdckaeo.exeMnnkgl32.exeMalgcg32.exeNhmeapmd.exeNafjjf32.exeNbefdijg.exeNolgijpk.exeNefped32.exeNhdlao32.exeOhghgodi.exeOoqqdi32.exeOaompd32.exeOboijgbl.exePojcjh32.exePchlpfjb.exePoomegpf.exePcmeke32.exePkhjph32.exePabblb32.exeQhngolpo.exeQcclld32.exeAojlaeei.exeAkamff32.exeAanbhp32.exeAlcfei32.exeBfngdn32.exeBjlpjm32.exeBfbaonae.exeBfendmoc.exeBfgjjm32.exeCihclh32.exeCbphdn32.exeCjgpfk32.exeCkilmcgb.exeCbbdjm32.exeCimmggfl.exeCbeapmll.exeCjliajmo.exeCkmehb32.exeCbgnemjj.exeCkpbnb32.exeDmoohe32.exeDfgcakon.exeDkdliame.exeDmdhcddh.exeDbqqkkbo.exeDpgnjo32.exeEbejfk32.exeEpikpo32.exeEiaoid32.exeEcgcfm32.exeEidlnd32.exeEpndknin.exeEifhdd32.exeEppqqn32.exeEjfeng32.exeFpbmfn32.exeFjhacf32.exeFdqfll32.exeFfobhg32.exeFpggamqc.exeFjmkoeqi.exepid process 4428 Mlmbfqoj.exe 1244 Majjng32.exe 4768 Mhdckaeo.exe 2252 Mnnkgl32.exe 4200 Malgcg32.exe 1756 Nhmeapmd.exe 3904 Nafjjf32.exe 4164 Nbefdijg.exe 3712 Nolgijpk.exe 2640 Nefped32.exe 1328 Nhdlao32.exe 2220 Ohghgodi.exe 2416 Ooqqdi32.exe 4020 Oaompd32.exe 5036 Oboijgbl.exe 1784 Pojcjh32.exe 2800 Pchlpfjb.exe 184 Poomegpf.exe 3944 Pcmeke32.exe 1504 Pkhjph32.exe 4716 Pabblb32.exe 372 Qhngolpo.exe 4884 Qcclld32.exe 4580 Aojlaeei.exe 4748 Akamff32.exe 60 Aanbhp32.exe 2492 Alcfei32.exe 4512 Bfngdn32.exe 4372 Bjlpjm32.exe 3420 Bfbaonae.exe 3880 Bfendmoc.exe 1608 Bfgjjm32.exe 1292 Cihclh32.exe 3888 Cbphdn32.exe 4092 Cjgpfk32.exe 4788 Ckilmcgb.exe 2868 Cbbdjm32.exe 1560 Cimmggfl.exe 1636 Cbeapmll.exe 1668 Cjliajmo.exe 2428 Ckmehb32.exe 3076 Cbgnemjj.exe 4340 Ckpbnb32.exe 520 Dmoohe32.exe 4392 Dfgcakon.exe 2616 Dkdliame.exe 960 Dmdhcddh.exe 1564 Dbqqkkbo.exe 1516 Dpgnjo32.exe 2916 Ebejfk32.exe 4376 Epikpo32.exe 3276 Eiaoid32.exe 4808 Ecgcfm32.exe 456 Eidlnd32.exe 3120 Epndknin.exe 4756 Eifhdd32.exe 2864 Eppqqn32.exe 4576 Ejfeng32.exe 2360 Fpbmfn32.exe 3544 Fjhacf32.exe 4964 Fdqfll32.exe 4720 Ffobhg32.exe 3000 Fpggamqc.exe 2184 Fjmkoeqi.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ahbjoe32.exeFinnef32.exeHpmhdmea.exeKjepjkhf.exeAoalgn32.exeNofefp32.exeLcjcnoej.exeDdgplado.exeIeagmcmq.exeKlekfinp.exeNckkfp32.exeAhgcjddh.exeAhaceo32.exeCdbpgl32.exeEdeeci32.exeMogcihaj.exeOalipoiq.exeIgfclkdj.exeLlmhaold.exeLnadagbm.exeOmgcpokp.exeHmbphg32.exeKpcjgnhb.exeIlphdlqh.exeOlfghg32.exeCdlqqcnl.exeCleegp32.exeIbqnkh32.exeJokkgl32.exeAagkhd32.exeCkebcg32.exeFofilp32.exeLedepn32.exePojcjh32.exePcmeke32.exeJgkdbacp.exePjpfjl32.exeCkilmcgb.exeKcndbp32.exeOmbcji32.exeDigehphc.exeDdnfmqng.exeNqbpojnp.exeHbihjifh.exeFiggdg32.exeJqhafffk.exeKjeiodek.exeMmhgmmbf.exeBklomh32.exeGpcfmkff.exeEhlhih32.exeJidinqpb.exeMofmobmo.exeBaadiiif.exeLggldm32.exeOhfami32.exePmnbfhal.exeNolgijpk.exeDmdhcddh.exeHpnoncim.exeLgpoihnl.exeNcabfkqo.exeEbdlangb.exeKekbjo32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Anobgl32.exe Ahbjoe32.exe File opened for modification C:\Windows\SysWOW64\Fohfbpgi.exe Finnef32.exe File created C:\Windows\SysWOW64\Mldjbclh.dll Hpmhdmea.exe File created C:\Windows\SysWOW64\Kmdlffhj.exe Kjepjkhf.exe File opened for modification C:\Windows\SysWOW64\Aaohcj32.exe Aoalgn32.exe File opened for modification C:\Windows\SysWOW64\Nbebbk32.exe Nofefp32.exe File opened for modification C:\Windows\SysWOW64\Lkalplel.exe Lcjcnoej.exe File created C:\Windows\SysWOW64\Dkahilkl.exe Ddgplado.exe File created C:\Windows\SysWOW64\Ilkoim32.exe Ieagmcmq.exe File opened for modification C:\Windows\SysWOW64\Kocgbend.exe Klekfinp.exe File created C:\Windows\SysWOW64\Kofljo32.dll Nckkfp32.exe File opened for modification C:\Windows\SysWOW64\Aoalgn32.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Amnlme32.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Biafno32.dll Cdbpgl32.exe File opened for modification C:\Windows\SysWOW64\Enmjlojd.exe Edeeci32.exe File opened for modification C:\Windows\SysWOW64\Mgnlkfal.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Ohfami32.exe Oalipoiq.exe File opened for modification C:\Windows\SysWOW64\Ipoheakj.exe Igfclkdj.exe File opened for modification C:\Windows\SysWOW64\Lokdnjkg.exe Llmhaold.exe File created C:\Windows\SysWOW64\Mfhpakim.dll Lnadagbm.exe File created C:\Windows\SysWOW64\Plopnh32.dll Omgcpokp.exe File created C:\Windows\SysWOW64\Bgaclkia.dll Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Kgnbdh32.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Ibjqaf32.exe Ilphdlqh.exe File opened for modification C:\Windows\SysWOW64\Omgcpokp.exe Olfghg32.exe File created C:\Windows\SysWOW64\Edhjghdk.dll Cdlqqcnl.exe File opened for modification C:\Windows\SysWOW64\Cbbnpg32.exe Cleegp32.exe File opened for modification C:\Windows\SysWOW64\Iijfhbhl.exe Ibqnkh32.exe File created C:\Windows\SysWOW64\Hhaljido.dll Jokkgl32.exe File created C:\Windows\SysWOW64\Dnkdmlfj.dll Aagkhd32.exe File created C:\Windows\SysWOW64\Qfoaecol.dll Ckebcg32.exe File created C:\Windows\SysWOW64\Plgdqf32.dll Fofilp32.exe File created C:\Windows\SysWOW64\Diadam32.dll Ledepn32.exe File opened for modification C:\Windows\SysWOW64\Pchlpfjb.exe Pojcjh32.exe File created C:\Windows\SysWOW64\Pkhjph32.exe Pcmeke32.exe File created C:\Windows\SysWOW64\Neogjl32.dll Jgkdbacp.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Cbbdjm32.exe Ckilmcgb.exe File created C:\Windows\SysWOW64\Glmoga32.dll Kcndbp32.exe File created C:\Windows\SysWOW64\Ocgeag32.dll Ombcji32.exe File opened for modification C:\Windows\SysWOW64\Dmcain32.exe Digehphc.exe File created C:\Windows\SysWOW64\Dodjjimm.exe Ddnfmqng.exe File opened for modification C:\Windows\SysWOW64\Nglhld32.exe Nqbpojnp.exe File created C:\Windows\SysWOW64\Kmmcjnkq.dll Hbihjifh.exe File opened for modification C:\Windows\SysWOW64\Fkfcqb32.exe Figgdg32.exe File created C:\Windows\SysWOW64\Comjoclk.dll Jqhafffk.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Kjeiodek.exe File created C:\Windows\SysWOW64\Dckajh32.dll Mmhgmmbf.exe File opened for modification C:\Windows\SysWOW64\Baegibae.exe Bklomh32.exe File created C:\Windows\SysWOW64\Iankcfdg.dll Gpcfmkff.exe File opened for modification C:\Windows\SysWOW64\Ebdlangb.exe Ehlhih32.exe File created C:\Windows\SysWOW64\Joqafgni.exe Jidinqpb.exe File opened for modification C:\Windows\SysWOW64\Mbdiknlb.exe Mofmobmo.exe File created C:\Windows\SysWOW64\Bdpaeehj.exe Baadiiif.exe File created C:\Windows\SysWOW64\Illddp32.dll Lggldm32.exe File opened for modification C:\Windows\SysWOW64\Olanmgig.exe Ohfami32.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Pmnbfhal.exe File created C:\Windows\SysWOW64\Pkhnpc32.dll Nolgijpk.exe File opened for modification C:\Windows\SysWOW64\Dbqqkkbo.exe Dmdhcddh.exe File opened for modification C:\Windows\SysWOW64\Hekgfj32.exe Hpnoncim.exe File created C:\Windows\SysWOW64\Llmhaold.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Ncabfkqo.exe File opened for modification C:\Windows\SysWOW64\Eklajcmc.exe Ebdlangb.exe File created C:\Windows\SysWOW64\Onogcg32.dll Kekbjo32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 12684 13084 WerFault.exe Pififb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mhjhmhhd.exeMcgiefen.exeOmpfej32.exeKjeiodek.exeGjdaodja.exeJdaaaeqg.exeOeehkn32.exeNjfkmphe.exeAkdilipp.exeIlnlom32.exeKbhmbdle.exeAlcfei32.exeJgpfbjlo.exeNmkmjjaa.exeJhifomdj.exeNfihbk32.exeIgdgglfl.exeAogbfi32.exeEdeeci32.exeGaloohke.exeNjkkbehl.exeQmhlgmmm.exeBepmoh32.exeKomhll32.exeNjinmf32.exeNgjbaj32.exeLgpoihnl.exeCbgnemjj.exeFbjena32.exePoimpapp.exeCnahdi32.exeJniood32.exeLomqcjie.exePhonha32.exeIeagmcmq.exeNccokk32.exeHfaajnfb.exeKfnfjehl.exeBdmmeo32.exeJahqiaeb.exeOblhcj32.exeIkkpgafg.exePabblb32.exeQhngolpo.exeCjliajmo.exeGpecbk32.exeKcndbp32.exeLmpkadnm.exeFpimlfke.exeNafjjf32.exeKncaec32.exeBkibgh32.exeCklhcfle.exeKemooo32.exeGmojkj32.exeAhbjoe32.exeBaegibae.exeFinnef32.exeHaodle32.exeLedepn32.exePmkofa32.exeOoqqdi32.exeFdqfll32.exeAhgcjddh.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjhmhhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcgiefen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdaodja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfkmphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdilipp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnlom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhmbdle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkmjjaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhifomdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfihbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edeeci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Galoohke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpoihnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgnemjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poimpapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomqcjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieagmcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaajnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnfjehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahqiaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkpgafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjliajmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpkadnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkibgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmojkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baegibae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ledepn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe -
Modifies registry class 64 IoCs
Processes:
Nglhld32.exeHnibokbd.exeGlhimp32.exeNiojoeel.exeOckdmmoj.exeLkeekk32.exeNmdgikhi.exeDnonkq32.exeNmbjcljl.exeGhojbq32.exeLhnhajba.exeHcblpdgg.exeFbelcblk.exeLmdnbn32.exeBjlpjm32.exeCaageq32.exeGaloohke.exeMlmbfqoj.exeDddllkbf.exeEbaplnie.exeFiggdg32.exeJokkgl32.exeMogcihaj.exeCdkifmjq.exeHbihjifh.exeFmhdkknd.exeIbfnqmpf.exeAaoaic32.exeNfihbk32.exeNfldgk32.exePidlqb32.exeMkmkkjko.exeQlgpod32.exeJleijb32.exeHaodle32.exeOalipoiq.exeQklmpalf.exeCofnik32.exeNbefdijg.exeIkkpgafg.exePhaahggp.exeDdgibkpc.exeKmdlffhj.exeEppjfgcp.exeBdmmeo32.exeAanbhp32.exeJdodkebj.exeLggldm32.exeBomkcm32.exeEfpomccg.exeKlahfp32.exeCjgpfk32.exeGbbajjlp.exeCbeapmll.exeBdojjo32.exeJoqafgni.exeLhgkgijg.exePfiddm32.exePmmlla32.exeJcphab32.exeOeehkn32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegac32.dll" Hnibokbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnjancb.dll" Glhimp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niojoeel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ockdmmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll" Nmbjcljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhnhajba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcblpdgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbelcblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgbgamd.dll" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" Galoohke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlmbfqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dddllkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebaplnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Figgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnbiq32.dll" Mogcihaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdkifmjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbihjifh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll" Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll" Nfldgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkmkkjko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlgpod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifffn32.dll" Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danihi32.dll" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cofnik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbefdijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabphdjm.dll" Ddgibkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll" Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igegpo32.dll" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdodkebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lggldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bomkcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhce32.dll" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appfnncn.dll" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjgpfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdief32.dll" Lkeekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbbajjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbeapmll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Galoohke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joqafgni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmmlla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeehkn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exeMlmbfqoj.exeMajjng32.exeMhdckaeo.exeMnnkgl32.exeMalgcg32.exeNhmeapmd.exeNafjjf32.exeNbefdijg.exeNolgijpk.exeNefped32.exeNhdlao32.exeOhghgodi.exeOoqqdi32.exeOaompd32.exeOboijgbl.exePojcjh32.exePchlpfjb.exePoomegpf.exePcmeke32.exePkhjph32.exePabblb32.exedescription pid process target process PID 1428 wrote to memory of 4428 1428 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe Mlmbfqoj.exe PID 1428 wrote to memory of 4428 1428 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe Mlmbfqoj.exe PID 1428 wrote to memory of 4428 1428 1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe Mlmbfqoj.exe PID 4428 wrote to memory of 1244 4428 Mlmbfqoj.exe Majjng32.exe PID 4428 wrote to memory of 1244 4428 Mlmbfqoj.exe Majjng32.exe PID 4428 wrote to memory of 1244 4428 Mlmbfqoj.exe Majjng32.exe PID 1244 wrote to memory of 4768 1244 Majjng32.exe Mhdckaeo.exe PID 1244 wrote to memory of 4768 1244 Majjng32.exe Mhdckaeo.exe PID 1244 wrote to memory of 4768 1244 Majjng32.exe Mhdckaeo.exe PID 4768 wrote to memory of 2252 4768 Mhdckaeo.exe Mnnkgl32.exe PID 4768 wrote to memory of 2252 4768 Mhdckaeo.exe Mnnkgl32.exe PID 4768 wrote to memory of 2252 4768 Mhdckaeo.exe Mnnkgl32.exe PID 2252 wrote to memory of 4200 2252 Mnnkgl32.exe Malgcg32.exe PID 2252 wrote to memory of 4200 2252 Mnnkgl32.exe Malgcg32.exe PID 2252 wrote to memory of 4200 2252 Mnnkgl32.exe Malgcg32.exe PID 4200 wrote to memory of 1756 4200 Malgcg32.exe Nhmeapmd.exe PID 4200 wrote to memory of 1756 4200 Malgcg32.exe Nhmeapmd.exe PID 4200 wrote to memory of 1756 4200 Malgcg32.exe Nhmeapmd.exe PID 1756 wrote to memory of 3904 1756 Nhmeapmd.exe Nafjjf32.exe PID 1756 wrote to memory of 3904 1756 Nhmeapmd.exe Nafjjf32.exe PID 1756 wrote to memory of 3904 1756 Nhmeapmd.exe Nafjjf32.exe PID 3904 wrote to memory of 4164 3904 Nafjjf32.exe Nbefdijg.exe PID 3904 wrote to memory of 4164 3904 Nafjjf32.exe Nbefdijg.exe PID 3904 wrote to memory of 4164 3904 Nafjjf32.exe Nbefdijg.exe PID 4164 wrote to memory of 3712 4164 Nbefdijg.exe Nolgijpk.exe PID 4164 wrote to memory of 3712 4164 Nbefdijg.exe Nolgijpk.exe PID 4164 wrote to memory of 3712 4164 Nbefdijg.exe Nolgijpk.exe PID 3712 wrote to memory of 2640 3712 Nolgijpk.exe Nefped32.exe PID 3712 wrote to memory of 2640 3712 Nolgijpk.exe Nefped32.exe PID 3712 wrote to memory of 2640 3712 Nolgijpk.exe Nefped32.exe PID 2640 wrote to memory of 1328 2640 Nefped32.exe Nhdlao32.exe PID 2640 wrote to memory of 1328 2640 Nefped32.exe Nhdlao32.exe PID 2640 wrote to memory of 1328 2640 Nefped32.exe Nhdlao32.exe PID 1328 wrote to memory of 2220 1328 Nhdlao32.exe Ohghgodi.exe PID 1328 wrote to memory of 2220 1328 Nhdlao32.exe Ohghgodi.exe PID 1328 wrote to memory of 2220 1328 Nhdlao32.exe Ohghgodi.exe PID 2220 wrote to memory of 2416 2220 Ohghgodi.exe Ooqqdi32.exe PID 2220 wrote to memory of 2416 2220 Ohghgodi.exe Ooqqdi32.exe PID 2220 wrote to memory of 2416 2220 Ohghgodi.exe Ooqqdi32.exe PID 2416 wrote to memory of 4020 2416 Ooqqdi32.exe Oaompd32.exe PID 2416 wrote to memory of 4020 2416 Ooqqdi32.exe Oaompd32.exe PID 2416 wrote to memory of 4020 2416 Ooqqdi32.exe Oaompd32.exe PID 4020 wrote to memory of 5036 4020 Oaompd32.exe Oboijgbl.exe PID 4020 wrote to memory of 5036 4020 Oaompd32.exe Oboijgbl.exe PID 4020 wrote to memory of 5036 4020 Oaompd32.exe Oboijgbl.exe PID 5036 wrote to memory of 1784 5036 Oboijgbl.exe Pojcjh32.exe PID 5036 wrote to memory of 1784 5036 Oboijgbl.exe Pojcjh32.exe PID 5036 wrote to memory of 1784 5036 Oboijgbl.exe Pojcjh32.exe PID 1784 wrote to memory of 2800 1784 Pojcjh32.exe Pchlpfjb.exe PID 1784 wrote to memory of 2800 1784 Pojcjh32.exe Pchlpfjb.exe PID 1784 wrote to memory of 2800 1784 Pojcjh32.exe Pchlpfjb.exe PID 2800 wrote to memory of 184 2800 Pchlpfjb.exe Poomegpf.exe PID 2800 wrote to memory of 184 2800 Pchlpfjb.exe Poomegpf.exe PID 2800 wrote to memory of 184 2800 Pchlpfjb.exe Poomegpf.exe PID 184 wrote to memory of 3944 184 Poomegpf.exe Pcmeke32.exe PID 184 wrote to memory of 3944 184 Poomegpf.exe Pcmeke32.exe PID 184 wrote to memory of 3944 184 Poomegpf.exe Pcmeke32.exe PID 3944 wrote to memory of 1504 3944 Pcmeke32.exe Pkhjph32.exe PID 3944 wrote to memory of 1504 3944 Pcmeke32.exe Pkhjph32.exe PID 3944 wrote to memory of 1504 3944 Pcmeke32.exe Pkhjph32.exe PID 1504 wrote to memory of 4716 1504 Pkhjph32.exe Pabblb32.exe PID 1504 wrote to memory of 4716 1504 Pkhjph32.exe Pabblb32.exe PID 1504 wrote to memory of 4716 1504 Pkhjph32.exe Pabblb32.exe PID 4716 wrote to memory of 372 4716 Pabblb32.exe Qhngolpo.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe"C:\Users\Admin\AppData\Local\Temp\1240a0da4f4b06e74e044f63f041363e8d0cebe76a48d4b1d9c0a03c744b060dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe24⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe26⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe29⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe31⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe32⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe33⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe34⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe35⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4788 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe38⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe39⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe42⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3076 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe44⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe45⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe46⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe47⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe50⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe51⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe53⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe54⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe55⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe56⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe57⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe59⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe60⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe61⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe64⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe65⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe66⤵PID:676
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe67⤵PID:4152
-
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe68⤵PID:116
-
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe69⤵PID:4776
-
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe70⤵
- System Location Discovery: System Language Discovery
PID:1804 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe71⤵PID:3196
-
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3500 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe74⤵
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe75⤵PID:4896
-
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe76⤵
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe77⤵PID:2032
-
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe78⤵PID:3496
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe79⤵PID:4984
-
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4640 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe81⤵PID:5060
-
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe82⤵PID:4248
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe83⤵PID:3252
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe84⤵PID:344
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe85⤵PID:4516
-
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe87⤵PID:5184
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe88⤵PID:5232
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe89⤵PID:5276
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe90⤵
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe91⤵PID:5364
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe92⤵PID:5408
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe94⤵PID:5492
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe95⤵PID:5536
-
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe96⤵PID:5580
-
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe97⤵PID:5624
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe98⤵PID:5668
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe99⤵PID:5712
-
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe100⤵PID:5756
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe101⤵PID:5800
-
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe102⤵PID:5844
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe103⤵PID:5888
-
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe104⤵PID:5932
-
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe105⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe106⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe107⤵PID:6064
-
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe108⤵
- Modifies registry class
PID:6108 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe109⤵PID:5128
-
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe110⤵PID:1676
-
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe111⤵
- System Location Discovery: System Language Discovery
PID:5196 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe112⤵PID:5304
-
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe113⤵
- Drops file in System32 directory
PID:5348 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe115⤵PID:5512
-
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe116⤵PID:5576
-
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe117⤵PID:5652
-
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe118⤵PID:5720
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe121⤵
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe122⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5988
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-