Analysis

max time kernel: 92s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:12

Static task: static1

Behavioral task: behavioral1
Sample: a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Resource: win10v2004-20241007-en

General

Target: a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Size: 364KB
MD5: c888455fdf0cefda3eb8249318ff75ee
SHA1: 95656a8ffcf4e16e3a721ab360c2ea6e75eee94b
SHA256: a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec
SHA512: e4f0684daa3df279a37bdc5a782025b1f9a8cd38c1a32cc4e1b5ea36e33f78a781b80e275276060579b0e8442b6d385f6975e47188fec8f1e28133be4c202439
SSDEEP: 6144:iW7mooWmLnPpV+tbFOLM77OLnFe3HCqxNRmJ4PavntPRRI:sG6nytsNePmjvtPRRI
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes: Dailkl32.exe, Klapqf32.exe, Kppigdlg.exe, Pjbkjb32.exe, Afghqa32.exe, Aakfcp32.exe, Chhdlhfe.exe, Goqkhk32.exe, Nghflj32.exe, Mgageace.exe, Nnpimkfl.exe, Ocmjlpfa.exe, Foiegl32.exe, Hojnnj32.exe, Lfcdjm32.exe, Ddjemgal.exe, Dejafj32.exe, Gochmk32.exe, Jpdikffd.exe, Nehjagbo.exe, Pfbfod32.exe, Mimpagqp.exe, Pemlcdpf.exe, Mpjlngje.exe, Pfqpcj32.exe, Amhdab32.exe, Egpgiakg.exe, Emlllk32.exe, Kicddk32.exe, Cqhljhob.exe, Mccooc32.exe, Nnbebk32.exe, Aqdqbaee.exe, Bncqgd32.exe, Bfoelf32.exe, Bjjjbolj.exe, Cdcolh32.exe, Egbdoaie.exe, Mfocelal.exe, Mhbmbc32.exe, Qcmlig32.exe, Ahlafnag.exe, Aompdgbl.exe, Cfedbomi.exe, Pmjhpdil.exe, Pgplnmib.exe, Ifpefbja.exe, Jgmajifb.exe, Kfiaco32.exe, Kihnpj32.exe, Acgfil32.exe, Fhpmjbch.exe, Hddiqaml.exe, Ifdoaa32.exe, Jkfaehpn.exe, Bjokgd32.exe, Bcgopjba.exe, Egdqdagb.exe

description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dailkl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klapqf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kppigdlg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjbkjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afghqa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aakfcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Chhdlhfe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Goqkhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nghflj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgageace.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnpimkfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocmjlpfa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foiegl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hojnnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lfcdjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddjemgal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dejafj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gochmk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpdikffd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nehjagbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfbfod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mimpagqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pemlcdpf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpjlngje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfqpcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amhdab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Egpgiakg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emlllk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfcdjm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kicddk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cqhljhob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mccooc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnbebk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aqdqbaee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bncqgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfoelf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dejafj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjjjbolj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdcolh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egbdoaie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mfocelal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhbmbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qcmlig32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahlafnag.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aompdgbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfedbomi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmjhpdil.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgplnmib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifpefbja.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgmajifb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfiaco32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kihnpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfedbomi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Acgfil32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhpmjbch.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hddiqaml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifdoaa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjbkjb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkfaehpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kicddk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjokgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bcgopjba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Egdqdagb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhpmjbch.exe
Berbew family
Executes dropped EXE (64 IoCs)
Processes: Lfckdcoe.exe, Libgpooi.exe, Lmppfm32.exe, Ldjhcgll.exe, Lekekp32.exe, Lpqihhbp.exe, Memapppg.exe, Mpcenhpn.exe, Mgmnjb32.exe, Mmgfgl32.exe, Mccooc32.exe, Mebkko32.exe, Mgageace.exe, Mpjlngje.exe, Mgddka32.exe, Mplhdghc.exe, Ngfqqa32.exe, Nnpimkfl.exe, Ncmaeb32.exe, Nnbebk32.exe, Ngkjlpkj.exe, Njifhljn.exe, Ngmgap32.exe, Njlcmk32.exe, Npekjeph.exe, Njnpck32.exe, Ocfdlqmi.exe, Ofeqhl32.exe, Ofgmml32.exe, Ojbinjbc.exe, Odhmkcbi.exe, Onqbdihj.exe, Ocmjlpfa.exe, Ojgbij32.exe, Oqakfdek.exe, Ogkcbn32.exe, Onekoh32.exe, Pqcgkc32.exe, Pcbdgo32.exe, Pfqpcj32.exe, Pmjhpdil.exe, Pdapabjo.exe, Pgplnmib.exe, Pjnijihf.exe, Pmmefd32.exe, Pddmga32.exe, Pgbicm32.exe, Pnlapgnl.exe, Pqknlbmp.exe, Pfgfdikg.exe, Pjcbeh32.exe, Pqmjab32.exe, Pjeojhbn.exe, Qmdkfcaa.exe, Qgiodlqh.exe, Qflpoi32.exe, Qqadmagh.exe, Amhdab32.exe, Aqdqbaee.exe, Aqfmhacc.exe, Aceidl32.exe, Ajoaqfjc.exe, Acgfil32.exe, Aakfcp32.exe

pid | process
1648 | Lfckdcoe.exe
632 | Libgpooi.exe
2540 | Lmppfm32.exe
4352 | Ldjhcgll.exe
4872 | Lekekp32.exe
4164 | Lpqihhbp.exe
1368 | Memapppg.exe
940 | Mpcenhpn.exe
3492 | Mgmnjb32.exe
2760 | Mmgfgl32.exe
224 | Mccooc32.exe
3152 | Mebkko32.exe
5104 | Mgageace.exe
1684 | Mpjlngje.exe
4240 | Mgddka32.exe
1504 | Mplhdghc.exe
1620 | Ngfqqa32.exe
3104 | Nnpimkfl.exe
1292 | Ncmaeb32.exe
1964 | Nnbebk32.exe
4904 | Ngkjlpkj.exe
456 | Njifhljn.exe
2812 | Ngmgap32.exe
4752 | Njlcmk32.exe
3272 | Npekjeph.exe
472 | Njnpck32.exe
4548 | Ocfdlqmi.exe
2960 | Ofeqhl32.exe
5040 | Ofgmml32.exe
1040 | Ojbinjbc.exe
2252 | Odhmkcbi.exe
1164 | Onqbdihj.exe
3364 | Ocmjlpfa.exe
4748 | Ojgbij32.exe
4760 | Oqakfdek.exe
2972 | Ogkcbn32.exe
1968 | Onekoh32.exe
1780 | Pqcgkc32.exe
1652 | Pcbdgo32.exe
4952 | Pfqpcj32.exe
4972 | Pmjhpdil.exe
116 | Pdapabjo.exe
4128 | Pgplnmib.exe
4120 | Pjnijihf.exe
4852 | Pmmefd32.exe
4700 | Pddmga32.exe
2016 | Pgbicm32.exe
3964 | Pnlapgnl.exe
3960 | Pqknlbmp.exe
4692 | Pfgfdikg.exe
4124 | Pjcbeh32.exe
3500 | Pqmjab32.exe
3048 | Pjeojhbn.exe
4816 | Qmdkfcaa.exe
2492 | Qgiodlqh.exe
1332 | Qflpoi32.exe
3928 | Qqadmagh.exe
4316 | Amhdab32.exe
1036 | Aqdqbaee.exe
2148 | Aqfmhacc.exe
4716 | Aceidl32.exe
3824 | Ajoaqfjc.exe
764 | Acgfil32.exe
3264 | Aakfcp32.exe
Drops file in System32 directory (64 IoCs)
Processes: Kiagokip.exe, Pdapabjo.exe, Ikjaiijk.exe, Jlmgegjf.exe, Lpkibcbj.exe, Olehko32.exe, Qqopml32.exe, Ocfdlqmi.exe, Ojbinjbc.exe, Bnfmmc32.exe, Egpgiakg.exe, Jgmajifb.exe, Lngcmqol.exe, Eehnhhmo.exe, Foiegl32.exe, Hkqockbf.exe, Klfjlebk.exe, Oibbcdnh.exe, Lbghiocp.exe, Mhmcgdim.exe, Ajcklf32.exe, Dmnpjmla.exe, Jbkpfb32.exe, Onekoh32.exe, Kfiaco32.exe, Kbpbhp32.exe, Opljpn32.exe, Mpjlngje.exe, Acfoof32.exe, Bggdkd32.exe, Jinkikkb.exe, Odhmkcbi.exe, Pgbicm32.exe, Hfompd32.exe, Hkehnj32.exe, Bcdkpdph.exe, Bfoelf32.exe, Edcgcfja.exe, Mecqfh32.exe, Ammgblek.exe, Nhiccb32.exe, Ngmgap32.exe, Qmdkfcaa.exe, Ddekah32.exe, Hfdfkddo.exe, Kppigdlg.exe, Leakjk32.exe, Llhfaepi.exe, Aofjch32.exe, Agpoje32.exe, Gehfofol.exe, Hgqigmnb.exe, Inhneeio.exe, Kbilhq32.exe, Lhogff32.exe, Oipend32.exe, Mpcenhpn.exe, Mfcmqknf.exe, Dmbiem32.exe, Cqhljhob.exe, Bgnafinp.exe, Fnjhmida.exe

description | ioc | process
File created | C:\Windows\SysWOW64\Kpkple32.exe | Kiagokip.exe
File created | C:\Windows\SysWOW64\Pgplnmib.exe | Pdapabjo.exe
File opened for modification | C:\Windows\SysWOW64\Inhneeio.exe | Ikjaiijk.exe
File created | C:\Windows\SysWOW64\Alhegi32.dll | Jlmgegjf.exe
File created | C:\Windows\SysWOW64\Loninpid.exe | Lpkibcbj.exe
File created | C:\Windows\SysWOW64\Hlkcoo32.dll | Olehko32.exe
File created | C:\Windows\SysWOW64\Failkdgj.dll | Qqopml32.exe
File opened for modification | C:\Windows\SysWOW64\Ofeqhl32.exe | Ocfdlqmi.exe
File created | C:\Windows\SysWOW64\Lkbkkm32.dll | Ojbinjbc.exe
File created | C:\Windows\SysWOW64\Kmohdknn.dll | Bnfmmc32.exe
File created | C:\Windows\SysWOW64\Oeppod32.dll | Egpgiakg.exe
File created | C:\Windows\SysWOW64\Jpdikffd.exe | Jgmajifb.exe
File created | C:\Windows\SysWOW64\Pjgmig32.dll | Lngcmqol.exe
File created | C:\Windows\SysWOW64\Hnakeg32.dll | Eehnhhmo.exe
File opened for modification | C:\Windows\SysWOW64\Gecmcf32.exe | Foiegl32.exe
File opened for modification | C:\Windows\SysWOW64\Hbkgpe32.exe | Hkqockbf.exe
File created | C:\Windows\SysWOW64\Kbpbhp32.exe | Klfjlebk.exe
File opened for modification | C:\Windows\SysWOW64\Opljpn32.exe | Oibbcdnh.exe
File created | C:\Windows\SysWOW64\Najdei32.dll | Lbghiocp.exe
File created | C:\Windows\SysWOW64\Mpdkiajo.exe | Mhmcgdim.exe
File created | C:\Windows\SysWOW64\Ambgha32.exe | Ajcklf32.exe
File created | C:\Windows\SysWOW64\Dailkl32.exe | Dmnpjmla.exe
File created | C:\Windows\SysWOW64\Ofjgla32.dll | Jbkpfb32.exe
File created | C:\Windows\SysWOW64\Bhfgganp.dll | Onekoh32.exe
File created | C:\Windows\SysWOW64\Hondnl32.dll | Kfiaco32.exe
File opened for modification | C:\Windows\SysWOW64\Keondk32.exe | Kbpbhp32.exe
File created | C:\Windows\SysWOW64\Ogfcmhma.exe | Opljpn32.exe
File opened for modification | C:\Windows\SysWOW64\Mgddka32.exe | Mpjlngje.exe
File created | C:\Windows\SysWOW64\Afekka32.exe | Acfoof32.exe
File opened for modification | C:\Windows\SysWOW64\Bjeago32.exe | Bggdkd32.exe
File opened for modification | C:\Windows\SysWOW64\Jlmgegjf.exe | Jinkikkb.exe
File created | C:\Windows\SysWOW64\Jpoijjol.dll | Odhmkcbi.exe
File created | C:\Windows\SysWOW64\Fiaeni32.dll | Pgbicm32.exe
File created | C:\Windows\SysWOW64\Hgqigmnb.exe | Hfompd32.exe
File created | C:\Windows\SysWOW64\Mffohjpj.dll | Hkehnj32.exe
File created | C:\Windows\SysWOW64\Kbgoba32.exe | Jlmgegjf.exe
File created | C:\Windows\SysWOW64\Oppcholp.dll | Bcdkpdph.exe
File opened for modification | C:\Windows\SysWOW64\Bnfmmc32.exe | Bfoelf32.exe
File created | C:\Windows\SysWOW64\Lehhen32.dll | Edcgcfja.exe
File opened for modification | C:\Windows\SysWOW64\Mhbmbc32.exe | Mecqfh32.exe
File created | C:\Windows\SysWOW64\Bogbae32.dll | Ammgblek.exe
File created | C:\Windows\SysWOW64\Nppkdp32.exe | Nhiccb32.exe
File created | C:\Windows\SysWOW64\Njlcmk32.exe | Ngmgap32.exe
File opened for modification | C:\Windows\SysWOW64\Qgiodlqh.exe | Qmdkfcaa.exe
File opened for modification | C:\Windows\SysWOW64\Dfdgnc32.exe | Ddekah32.exe
File created | C:\Windows\SysWOW64\Fhgmfjcf.dll | Hfdfkddo.exe
File created | C:\Windows\SysWOW64\Kfiaco32.exe | Kppigdlg.exe
File created | C:\Windows\SysWOW64\Bodhhffm.dll | Leakjk32.exe
File created | C:\Windows\SysWOW64\Lngcmqol.exe | Llhfaepi.exe
File created | C:\Windows\SysWOW64\Gmhpfdjn.dll | Aofjch32.exe
File created | C:\Windows\SysWOW64\Mdnkbgfn.dll | Agpoje32.exe
File created | C:\Windows\SysWOW64\Hjheclij.dll | Gehfofol.exe
File created | C:\Windows\SysWOW64\Ejpkjc32.dll | Hgqigmnb.exe
File created | C:\Windows\SysWOW64\Ifpefbja.exe | Inhneeio.exe
File created | C:\Windows\SysWOW64\Kicddk32.exe | Kbilhq32.exe
File created | C:\Windows\SysWOW64\Jbbkhbja.dll | Lhogff32.exe
File opened for modification | C:\Windows\SysWOW64\Opjnko32.exe | Oipend32.exe
File created | C:\Windows\SysWOW64\Kajaijjb.dll | Mpcenhpn.exe
File opened for modification | C:\Windows\SysWOW64\Nhdjhcce.exe | Mfcmqknf.exe
File created | C:\Windows\SysWOW64\Dejafj32.exe | Dmbiem32.exe
File opened for modification | C:\Windows\SysWOW64\Cpklee32.exe | Cqhljhob.exe
File opened for modification | C:\Windows\SysWOW64\Bjmnbd32.exe | Bgnafinp.exe
File created | C:\Windows\SysWOW64\Flbedadb.dll | Fnjhmida.exe
File opened for modification | C:\Windows\SysWOW64\Kihnpj32.exe | Kfiaco32.exe
Program crash (1 IoC)
Processes: WerFault.exe

pid | pid_target | process | target process
8520 | 7384 | WerFault.exe | Cakiohmo.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
Processes: Cqhljhob.exe, Nplaiqdg.exe, Pohnbjdd.exe, Ddonhf32.exe, Jelihn32.exe, Mlfcbc32.exe, Pddmga32.exe, Bgnafinp.exe, Egpgiakg.exe, Gdijecgi.exe, Qgiodlqh.exe, Eodbeo32.exe, Hddiqaml.exe, Nehjagbo.exe, Aokcngdo.exe, Ogkcbn32.exe, Cdcolh32.exe, Hacqofpk.exe, Kbilhq32.exe, Opljpn32.exe, Oidoidle.exe, Aiakammb.exe, Njnpck32.exe, Emlllk32.exe, Ifbblb32.exe, Kiagokip.exe, Afnejb32.exe, Acfoof32.exe, Ofeqhl32.exe, Ddekah32.exe, Acgfil32.exe, Egbdoaie.exe, Faednh32.exe, Ngfqqa32.exe, Ojgbij32.exe, Aefbcogf.exe, Bnadadld.exe, Cabfjmkc.exe, Dkbpda32.exe, Gdmcpb32.exe, Infapela.exe, Pcbdgo32.exe, Pgplnmib.exe, Qqopml32.exe, Joamef32.exe, Leedejbd.exe, Baicdncn.exe, Hkqockbf.exe, Amjjml32.exe, Mpcenhpn.exe, Ambgha32.exe, Feochgff.exe, Fgpppo32.exe, Mhmcgdim.exe, Mfocelal.exe, Pplcglgb.exe, Ngmgap32.exe, Fkgbfo32.exe, Jlmgegjf.exe, Lbghiocp.exe, Plgdpo32.exe, Pjeojhbn.exe, Cnopcb32.exe, Eokhfn32.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cqhljhob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nplaiqdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pohnbjdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddonhf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jelihn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlfcbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pddmga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgnafinp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egpgiakg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdijecgi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgiodlqh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eodbeo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hddiqaml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nehjagbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aokcngdo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogkcbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdcolh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hacqofpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbilhq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opljpn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oidoidle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aiakammb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njnpck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emlllk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifbblb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kiagokip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afnejb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acfoof32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofeqhl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddekah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acgfil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egbdoaie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faednh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngfqqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojgbij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aefbcogf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnadadld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cabfjmkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkbpda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdmcpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Infapela.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcbdgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgplnmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qqopml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joamef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leedejbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baicdncn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkqockbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amjjml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpcenhpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ambgha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feochgff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgpppo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhmcgdim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfocelal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pplcglgb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngmgap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkgbfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlmgegjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbghiocp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plgdpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjeojhbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnopcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eokhfn32.exe
Modifies registry class (64 IoCs)
Processes: Hbkgpe32.exe, Ifbblb32.exe, Goqkhk32.exe, Hfompd32.exe, Hfdfkddo.exe, Olehko32.exe, Pfbfod32.exe, Qgfldf32.exe, Ddjemgal.exe, Nlbbna32.exe, Bjeago32.exe, Bgnafinp.exe, Faonmibc.exe, Klapqf32.exe, Pnlapgnl.exe, Eeokaiei.exe, Kieajj32.exe, Plgdpo32.exe, Aqmlnjio.exe, Gamjngfc.exe, Hddiqaml.exe, Njnpck32.exe, Pqknlbmp.exe, Ehdmodne.exe, Cjaqbn32.exe, Amhdab32.exe, Nehjagbo.exe, Ambgha32.exe, Phcopoib.exe, Ccjlfi32.exe, Gkpelm32.exe, Infapela.exe, Emlllk32.exe, Kfbkbpjl.exe, Nhiccb32.exe, Cpklee32.exe, Kpkple32.exe, Kbpbhp32.exe, Ocmjlpfa.exe, Pfgfdikg.exe, Chhdlhfe.exe, Eecdmi32.exe, Egdqdagb.exe, Ifdoaa32.exe, Ocopgiac.exe, Lpfogcfo.exe, Acdbifok.exe, Pgplnmib.exe, Aceidl32.exe, Ajoaqfjc.exe, Fdmjidaf.exe, Jelihn32.exe, Jlmgegjf.exe, a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe, Aakfcp32.exe, Cfedbomi.exe, Eaekgjjn.exe, Jpffqfdb.exe, Kbilhq32.exe, Qhghkn32.exe, Mpjlngje.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hbkgpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifbblb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Goqkhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hfompd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmfjcf.dll" | Hfdfkddo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Olehko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdigcf32.dll" | Pfbfod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qgfldf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddjemgal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nlbbna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Olehko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbheh32.dll" | Bjeago32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bgnafinp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndmkiod.dll" | Faonmibc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klapqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pnlapgnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjeno32.dll" | Eeokaiei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kieajj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Plgdpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aqmlnjio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gamjngfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hddiqaml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Njnpck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcmgf32.dll" | Pqknlbmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ehdmodne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjaqbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Amhdab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nehjagbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhdmdld.dll" | Amhdab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ambgha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhobfed.dll" | Phcopoib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll" | Ccjlfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gkpelm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Infapela.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Emlllk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kfbkbpjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejlmniq.dll" | Nhiccb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cpklee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpkple32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopnaq32.dll" | Kbpbhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ocmjlpfa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pfgfdikg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkafloa.dll" | Chhdlhfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfociegn.dll" | Eecdmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Egdqdagb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifdoaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ocopgiac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lpfogcfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Acdbifok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pgplnmib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aceidl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpjpg32.dll" | Ajoaqfjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehfbi32.dll" | Fdmjidaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jelihn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jlmgegjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aakfcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcopp32.dll" | Cfedbomi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eaekgjjn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhfqh32.dll" | Jpffqfdb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kbilhq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qhghkn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mpjlngje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelidm32.dll" | Gamjngfc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe, Lfckdcoe.exe, Libgpooi.exe, Lmppfm32.exe, Ldjhcgll.exe, Lekekp32.exe, Lpqihhbp.exe, Memapppg.exe, Mpcenhpn.exe, Mgmnjb32.exe, Mmgfgl32.exe, Mccooc32.exe, Mebkko32.exe, Mgageace.exe, Mpjlngje.exe, Mgddka32.exe, Mplhdghc.exe, Ngfqqa32.exe, Nnpimkfl.exe, Ncmaeb32.exe, Nnbebk32.exe, Ngkjlpkj.exe
description pid process target process
PID 1132 wrote to memory of 1648 1132 a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe Lfckdcoe.exe
PID 1132 wrote to memory of 1648 1132 a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe Lfckdcoe.exe
PID 1132 wrote to memory of 1648 1132 a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe Lfckdcoe.exe
PID 1648 wrote to memory of 632 1648 Lfckdcoe.exe Libgpooi.exe
PID 1648 wrote to memory of 632 1648 Lfckdcoe.exe Libgpooi.exe
PID 1648 wrote to memory of 632 1648 Lfckdcoe.exe Libgpooi.exe
PID 632 wrote to memory of 2540 632 Libgpooi.exe Lmppfm32.exe
PID 632 wrote to memory of 2540 632 Libgpooi.exe Lmppfm32.exe
PID 632 wrote to memory of 2540 632 Libgpooi.exe Lmppfm32.exe
PID 2540 wrote to memory of 4352 2540 Lmppfm32.exe Ldjhcgll.exe
PID 2540 wrote to memory of 4352 2540 Lmppfm32.exe Ldjhcgll.exe
PID 2540 wrote to memory of 4352 2540 Lmppfm32.exe Ldjhcgll.exe
PID 4352 wrote to memory of 4872 4352 Ldjhcgll.exe Lekekp32.exe
PID 4352 wrote to memory of 4872 4352 Ldjhcgll.exe Lekekp32.exe
PID 4352 wrote to memory of 4872 4352 Ldjhcgll.exe Lekekp32.exe
PID 4872 wrote to memory of 4164 4872 Lekekp32.exe Lpqihhbp.exe
PID 4872 wrote to memory of 4164 4872 Lekekp32.exe Lpqihhbp.exe
PID 4872 wrote to memory of 4164 4872 Lekekp32.exe Lpqihhbp.exe
PID 4164 wrote to memory of 1368 4164 Lpqihhbp.exe Memapppg.exe
PID 4164 wrote to memory of 1368 4164 Lpqihhbp.exe Memapppg.exe
PID 4164 wrote to memory of 1368 4164 Lpqihhbp.exe Memapppg.exe
PID 1368 wrote to memory of 940 1368 Memapppg.exe Mpcenhpn.exe
PID 1368 wrote to memory of 940 1368 Memapppg.exe Mpcenhpn.exe
PID 1368 wrote to memory of 940 1368 Memapppg.exe Mpcenhpn.exe
PID 940 wrote to memory of 3492 940 Mpcenhpn.exe Mgmnjb32.exe
PID 940 wrote to memory of 3492 940 Mpcenhpn.exe Mgmnjb32.exe
PID 940 wrote to memory of 3492 940 Mpcenhpn.exe Mgmnjb32.exe
PID 3492 wrote to memory of 2760 3492 Mgmnjb32.exe Mmgfgl32.exe
PID 3492 wrote to memory of 2760 3492 Mgmnjb32.exe Mmgfgl32.exe
PID 3492 wrote to memory of 2760 3492 Mgmnjb32.exe Mmgfgl32.exe
PID 2760 wrote to memory of 224 2760 Mmgfgl32.exe Mccooc32.exe
PID 2760 wrote to memory of 224 2760 Mmgfgl32.exe Mccooc32.exe
PID 2760 wrote to memory of 224 2760 Mmgfgl32.exe Mccooc32.exe
PID 224 wrote to memory of 3152 224 Mccooc32.exe Mebkko32.exe
PID 224 wrote to memory of 3152 224 Mccooc32.exe Mebkko32.exe
PID 224 wrote to memory of 3152 224 Mccooc32.exe Mebkko32.exe
PID 3152 wrote to memory of 5104 3152 Mebkko32.exe Mgageace.exe
PID 3152 wrote to memory of 5104 3152 Mebkko32.exe Mgageace.exe
PID 3152 wrote to memory of 5104 3152 Mebkko32.exe Mgageace.exe
PID 5104 wrote to memory of 1684 5104 Mgageace.exe Mpjlngje.exe
PID 5104 wrote to memory of 1684 5104 Mgageace.exe Mpjlngje.exe
PID 5104 wrote to memory of 1684 5104 Mgageace.exe Mpjlngje.exe
PID 1684 wrote to memory of 4240 1684 Mpjlngje.exe Mgddka32.exe
PID 1684 wrote to memory of 4240 1684 Mpjlngje.exe Mgddka32.exe
PID 1684 wrote to memory of 4240 1684 Mpjlngje.exe Mgddka32.exe
PID 4240 wrote to memory of 1504 4240 Mgddka32.exe Mplhdghc.exe
PID 4240 wrote to memory of 1504 4240 Mgddka32.exe Mplhdghc.exe
PID 4240 wrote to memory of 1504 4240 Mgddka32.exe Mplhdghc.exe
PID 1504 wrote to memory of 1620 1504 Mplhdghc.exe Ngfqqa32.exe
PID 1504 wrote to memory of 1620 1504 Mplhdghc.exe Ngfqqa32.exe
PID 1504 wrote to memory of 1620 1504 Mplhdghc.exe Ngfqqa32.exe
PID 1620 wrote to memory of 3104 1620 Ngfqqa32.exe Nnpimkfl.exe
PID 1620 wrote to memory of 3104 1620 Ngfqqa32.exe Nnpimkfl.exe
PID 1620 wrote to memory of 3104 1620 Ngfqqa32.exe Nnpimkfl.exe
PID 3104 wrote to memory of 1292 3104 Nnpimkfl.exe Ncmaeb32.exe
PID 3104 wrote to memory of 1292 3104 Nnpimkfl.exe Ncmaeb32.exe
PID 3104 wrote to memory of 1292 3104 Nnpimkfl.exe Ncmaeb32.exe
PID 1292 wrote to memory of 1964 1292 Ncmaeb32.exe Nnbebk32.exe
PID 1292 wrote to memory of 1964 1292 Ncmaeb32.exe Nnbebk32.exe
PID 1292 wrote to memory of 1964 1292 Ncmaeb32.exe Nnbebk32.exe
PID 1964 wrote to memory of 4904 1964 Nnbebk32.exe Ngkjlpkj.exe
PID 1964 wrote to memory of 4904 1964 Nnbebk32.exe Ngkjlpkj.exe
PID 1964 wrote to memory of 4904 1964 Nnbebk32.exe Ngkjlpkj.exe
PID 4904 wrote to memory of 456 4904 Ngkjlpkj.exe Njifhljn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe"C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Lfckdcoe.exeC:\Windows\system32\Lfckdcoe.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Libgpooi.exeC:\Windows\system32\Libgpooi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Lmppfm32.exeC:\Windows\system32\Lmppfm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Ldjhcgll.exeC:\Windows\system32\Ldjhcgll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Lekekp32.exeC:\Windows\system32\Lekekp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Lpqihhbp.exeC:\Windows\system32\Lpqihhbp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Memapppg.exeC:\Windows\system32\Memapppg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Mpcenhpn.exeC:\Windows\system32\Mpcenhpn.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Mgmnjb32.exeC:\Windows\system32\Mgmnjb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Mmgfgl32.exeC:\Windows\system32\Mmgfgl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Mccooc32.exeC:\Windows\system32\Mccooc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Mebkko32.exeC:\Windows\system32\Mebkko32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Mgageace.exeC:\Windows\system32\Mgageace.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Mpjlngje.exeC:\Windows\system32\Mpjlngje.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Mgddka32.exeC:\Windows\system32\Mgddka32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Mplhdghc.exeC:\Windows\system32\Mplhdghc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Ngfqqa32.exeC:\Windows\system32\Ngfqqa32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Nnpimkfl.exeC:\Windows\system32\Nnpimkfl.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Ncmaeb32.exeC:\Windows\system32\Ncmaeb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Nnbebk32.exeC:\Windows\system32\Nnbebk32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ngkjlpkj.exeC:\Windows\system32\Ngkjlpkj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Njifhljn.exeC:\Windows\system32\Njifhljn.exe23⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Ngmgap32.exeC:\Windows\system32\Ngmgap32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Njlcmk32.exeC:\Windows\system32\Njlcmk32.exe25⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Npekjeph.exeC:\Windows\system32\Npekjeph.exe26⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Njnpck32.exeC:\Windows\system32\Njnpck32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Ocfdlqmi.exeC:\Windows\system32\Ocfdlqmi.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4548 -
C:\Windows\SysWOW64\Ofeqhl32.exeC:\Windows\system32\Ofeqhl32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Ofgmml32.exeC:\Windows\system32\Ofgmml32.exe30⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Ojbinjbc.exeC:\Windows\system32\Ojbinjbc.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Odhmkcbi.exeC:\Windows\system32\Odhmkcbi.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Onqbdihj.exeC:\Windows\system32\Onqbdihj.exe33⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Ocmjlpfa.exeC:\Windows\system32\Ocmjlpfa.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Ojgbij32.exeC:\Windows\system32\Ojgbij32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4748 -
C:\Windows\SysWOW64\Oqakfdek.exeC:\Windows\system32\Oqakfdek.exe36⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Ogkcbn32.exeC:\Windows\system32\Ogkcbn32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Onekoh32.exeC:\Windows\system32\Onekoh32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Pqcgkc32.exeC:\Windows\system32\Pqcgkc32.exe39⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Pcbdgo32.exeC:\Windows\system32\Pcbdgo32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Pfqpcj32.exeC:\Windows\system32\Pfqpcj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Pmjhpdil.exeC:\Windows\system32\Pmjhpdil.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Pdapabjo.exeC:\Windows\system32\Pdapabjo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:116 -
C:\Windows\SysWOW64\Pgplnmib.exeC:\Windows\system32\Pgplnmib.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4128 -
C:\Windows\SysWOW64\Pjnijihf.exeC:\Windows\system32\Pjnijihf.exe45⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Pmmefd32.exeC:\Windows\system32\Pmmefd32.exe46⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Pddmga32.exeC:\Windows\system32\Pddmga32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Windows\SysWOW64\Pgbicm32.exeC:\Windows\system32\Pgbicm32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Pnlapgnl.exeC:\Windows\system32\Pnlapgnl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Pqknlbmp.exeC:\Windows\system32\Pqknlbmp.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Pfgfdikg.exeC:\Windows\system32\Pfgfdikg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Pjcbeh32.exeC:\Windows\system32\Pjcbeh32.exe52⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Pqmjab32.exeC:\Windows\system32\Pqmjab32.exe53⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Pjeojhbn.exeC:\Windows\system32\Pjeojhbn.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Qmdkfcaa.exeC:\Windows\system32\Qmdkfcaa.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Qgiodlqh.exeC:\Windows\system32\Qgiodlqh.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Qflpoi32.exeC:\Windows\system32\Qflpoi32.exe57⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Qqadmagh.exeC:\Windows\system32\Qqadmagh.exe58⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Amhdab32.exeC:\Windows\system32\Amhdab32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Aqdqbaee.exeC:\Windows\system32\Aqdqbaee.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Aqfmhacc.exeC:\Windows\system32\Aqfmhacc.exe61⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Aceidl32.exeC:\Windows\system32\Aceidl32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Ajoaqfjc.exeC:\Windows\system32\Ajoaqfjc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3824 -
C:\Windows\SysWOW64\Acgfil32.exeC:\Windows\system32\Acgfil32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Aakfcp32.exeC:\Windows\system32\Aakfcp32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Aefbcogf.exeC:\Windows\system32\Aefbcogf.exe66⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Ajcklf32.exeC:\Windows\system32\Ajcklf32.exe67⤵
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Ambgha32.exeC:\Windows\system32\Ambgha32.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Bnadadld.exeC:\Windows\system32\Bnadadld.exe69⤵
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Bncqgd32.exeC:\Windows\system32\Bncqgd32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4552 -
C:\Windows\SysWOW64\Bglepipb.exeC:\Windows\system32\Bglepipb.exe71⤵PID:4620
-
C:\Windows\SysWOW64\Bfoelf32.exeC:\Windows\system32\Bfoelf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4440 -
C:\Windows\SysWOW64\Bnfmmc32.exeC:\Windows\system32\Bnfmmc32.exe73⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Bepeinol.exeC:\Windows\system32\Bepeinol.exe74⤵PID:4436
-
C:\Windows\SysWOW64\Bgnafinp.exeC:\Windows\system32\Bgnafinp.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Bjmnbd32.exeC:\Windows\system32\Bjmnbd32.exe76⤵PID:4564
-
C:\Windows\SysWOW64\Bagfooep.exeC:\Windows\system32\Bagfooep.exe77⤵PID:700
-
C:\Windows\SysWOW64\Bcebkjdd.exeC:\Windows\system32\Bcebkjdd.exe78⤵PID:2192
-
C:\Windows\SysWOW64\Bhqnki32.exeC:\Windows\system32\Bhqnki32.exe79⤵PID:2716
-
C:\Windows\SysWOW64\Bjokgd32.exeC:\Windows\system32\Bjokgd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5016 -
C:\Windows\SysWOW64\Baicdncn.exeC:\Windows\system32\Baicdncn.exe81⤵
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\Bcgopjba.exeC:\Windows\system32\Bcgopjba.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3800 -
C:\Windows\SysWOW64\Cjagmd32.exeC:\Windows\system32\Cjagmd32.exe83⤵PID:1920
-
C:\Windows\SysWOW64\Ccjlfi32.exeC:\Windows\system32\Ccjlfi32.exe84⤵
- Modifies registry class
PID:4576 -
C:\Windows\SysWOW64\Cnopcb32.exeC:\Windows\system32\Cnopcb32.exe85⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\Chhdlhfe.exeC:\Windows\system32\Chhdlhfe.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4948 -
C:\Windows\SysWOW64\Cdoeaili.exeC:\Windows\system32\Cdoeaili.exe87⤵PID:4908
-
C:\Windows\SysWOW64\Cjhmnc32.exeC:\Windows\system32\Cjhmnc32.exe88⤵PID:1524
-
C:\Windows\SysWOW64\Cabfjmkc.exeC:\Windows\system32\Cabfjmkc.exe89⤵
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Caebpm32.exeC:\Windows\system32\Caebpm32.exe90⤵PID:4112
-
C:\Windows\SysWOW64\Cdcolh32.exeC:\Windows\system32\Cdcolh32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Dfakhc32.exeC:\Windows\system32\Dfakhc32.exe92⤵PID:3396
-
C:\Windows\SysWOW64\Dmlcennd.exeC:\Windows\system32\Dmlcennd.exe93⤵PID:5156
-
C:\Windows\SysWOW64\Ddekah32.exeC:\Windows\system32\Ddekah32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Dfdgnc32.exeC:\Windows\system32\Dfdgnc32.exe95⤵PID:5244
-
C:\Windows\SysWOW64\Dmnpjmla.exeC:\Windows\system32\Dmnpjmla.exe96⤵
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Dailkl32.exeC:\Windows\system32\Dailkl32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5336 -
C:\Windows\SysWOW64\Ddhhggdo.exeC:\Windows\system32\Ddhhggdo.exe98⤵PID:5380
-
C:\Windows\SysWOW64\Dkbpda32.exeC:\Windows\system32\Dkbpda32.exe99⤵
- System Location Discovery: System Language Discovery
PID:5424 -
C:\Windows\SysWOW64\Dmpmpm32.exeC:\Windows\system32\Dmpmpm32.exe100⤵PID:5468
-
C:\Windows\SysWOW64\Ddjemgal.exeC:\Windows\system32\Ddjemgal.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5512 -
C:\Windows\SysWOW64\Dfiaibap.exeC:\Windows\system32\Dfiaibap.exe102⤵PID:5556
-
C:\Windows\SysWOW64\Dmbiem32.exeC:\Windows\system32\Dmbiem32.exe103⤵
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Dejafj32.exeC:\Windows\system32\Dejafj32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Dhhncehb.exeC:\Windows\system32\Dhhncehb.exe105⤵PID:5680
-
C:\Windows\SysWOW64\Dkfjoagf.exeC:\Windows\system32\Dkfjoagf.exe106⤵PID:5732
-
C:\Windows\SysWOW64\Dmefklfj.exeC:\Windows\system32\Dmefklfj.exe107⤵PID:5776
-
C:\Windows\SysWOW64\Ddonhf32.exeC:\Windows\system32\Ddonhf32.exe108⤵
- System Location Discovery: System Language Discovery
PID:5820 -
C:\Windows\SysWOW64\Egmjdb32.exeC:\Windows\system32\Egmjdb32.exe109⤵PID:5856
-
C:\Windows\SysWOW64\Eodbeo32.exeC:\Windows\system32\Eodbeo32.exe110⤵
- System Location Discovery: System Language Discovery
PID:5908 -
C:\Windows\SysWOW64\Eeokaiei.exeC:\Windows\system32\Eeokaiei.exe111⤵
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Egpgiakg.exeC:\Windows\system32\Egpgiakg.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5996 -
C:\Windows\SysWOW64\Eogokokj.exeC:\Windows\system32\Eogokokj.exe113⤵PID:6040
-
C:\Windows\SysWOW64\Eaekgjjn.exeC:\Windows\system32\Eaekgjjn.exe114⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Edcgcfja.exeC:\Windows\system32\Edcgcfja.exe115⤵
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Egbdoaie.exeC:\Windows\system32\Egbdoaie.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Windows\SysWOW64\Emlllk32.exeC:\Windows\system32\Emlllk32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Eecdmi32.exeC:\Windows\system32\Eecdmi32.exe118⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Egdqdagb.exeC:\Windows\system32\Egdqdagb.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Eokhfn32.exeC:\Windows\system32\Eokhfn32.exe120⤵
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Windows\SysWOW64\Eeeqbhoa.exeC:\Windows\system32\Eeeqbhoa.exe121⤵PID:5520
-
C:\Windows\SysWOW64\Ehdmodne.exeC:\Windows\system32\Ehdmodne.exe122⤵
- Modifies registry class
PID:5588 -