Analysis
-
max time kernel
97s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 16:41
Static task
static1
Behavioral task
behavioral1
Sample
fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
Resource
win10v2004-20241007-en
General
-
Target
fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe
-
Size
669KB
-
MD5
d424400d808b8a2789ff2ad5803c4080
-
SHA1
fa8ea06415a662a5d5e3877a44e61bb03bdd48d5
-
SHA256
fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73d
-
SHA512
ef6d8fcde148843bb832d49942b216311fdc70cd78bf156425560c484667052f786b42e9f7ddd17aabe1078b71f06dcbdf861780ca03cd8ccdadda6b05287c45
-
SSDEEP
12288:Y5Q8GeVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:0xchMpQnqrdX72LbY6x46uR/qYglMi
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ijhjcchb.exeJbiejoaj.exeLajagj32.exeLejgch32.exeLgkpdcmi.exeDpgnjo32.exeCnahdi32.exeBnoddcef.exeJnhpoamf.exeKeqdmihc.exeMicoed32.exeMblcnj32.exeFmfnpa32.exeIljpij32.exeAajohjon.exeIbfnqmpf.exePchlpfjb.exeIkpjbq32.exeNmigoagp.exeMecjif32.exeDlghoa32.exeFpejlmcf.exeIloidijb.exeJnlbojee.exeBnmoijje.exeKpmdfonj.exeAodogdmn.exeCmflbf32.exeCimmggfl.exeAogiap32.exeBheplb32.exeKbddfmgl.exeLelchgne.exeIdhnkf32.exePdkoch32.exeBgelgi32.exeDafppp32.exeIgjngh32.exeLjkifn32.exeLknojl32.exeNajceeoo.exeHkfglb32.exeNjmhhefi.exeAhpmjejp.exeFpgpgfmh.exeCogddd32.exeMilidebi.exeOhnohn32.exePhincl32.exeEjchhgid.exeGdlfhj32.exeJqhafffk.exeKclgmq32.exeKdmqmc32.exeOloahhki.exeGmafajfi.exeJoahqn32.exeLeenhhdn.exeFllkqn32.exeDomdjj32.exeFbgihaji.exeKkcfid32.exeQadoba32.exeBcinna32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijhjcchb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lajagj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgkpdcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpgnjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keqdmihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmfnpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pchlpfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mecjif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlghoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iloidijb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodogdmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cimmggfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbddfmgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgelgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjngh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkifn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Najceeoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmhhefi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpmjejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogddd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Milidebi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phincl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdlfhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhafffk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmqmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leenhhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fllkqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbgihaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkcfid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qadoba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcinna32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Iqpfjnba.exeIgjngh32.exeIjhjcchb.exeIndfca32.exeIqbbpm32.exeJdnoplhh.exeJglklggl.exeJkhgmf32.exeJnfcia32.exeJqdoem32.exeJdpkflfe.exeJgogbgei.exeJkjcbe32.exeJnhpoamf.exeJqglkmlj.exeJdbhkk32.exeJhndljll.exeJklphekp.exeJnkldqkc.exeJbfheo32.exeJdedak32.exeJhpqaiji.exeJkomneim.exeJjamia32.exeJbiejoaj.exeJqlefl32.exeJkaicd32.exeJnpfop32.exeKdinljnk.exeKiejmi32.exeKkcfid32.exeKnbbep32.exeKbmoen32.exeKelkaj32.exeKiggbhda.exeKkfcndce.exeKjhcjq32.exeKbpkkn32.exeKenggi32.exeKijchhbo.exeKkhpdcab.exeKnflpoqf.exeKbbhqn32.exeKeqdmihc.exeKgopidgf.exeKjmmepfj.exeKbddfmgl.exeKecabifp.exeKinmcg32.exeKkmioc32.exeKnkekn32.exeLajagj32.exeLeenhhdn.exeLgcjdd32.exeLjbfpo32.exeLnnbqnjn.exeLalnmiia.exeLicfngjd.exeLgffic32.exeLjdceo32.exeLbkkgl32.exeLejgch32.exeLieccf32.exeLldopb32.exepid Process 3488 Iqpfjnba.exe 1664 Igjngh32.exe 3312 Ijhjcchb.exe 3876 Indfca32.exe 1084 Iqbbpm32.exe 3616 Jdnoplhh.exe 4000 Jglklggl.exe 3144 Jkhgmf32.exe 2760 Jnfcia32.exe 1696 Jqdoem32.exe 3688 Jdpkflfe.exe 2736 Jgogbgei.exe 4812 Jkjcbe32.exe 1564 Jnhpoamf.exe 2280 Jqglkmlj.exe 4064 Jdbhkk32.exe 1132 Jhndljll.exe 2384 Jklphekp.exe 1280 Jnkldqkc.exe 4564 Jbfheo32.exe 1740 Jdedak32.exe 1964 Jhpqaiji.exe 2768 Jkomneim.exe 4168 Jjamia32.exe 1892 Jbiejoaj.exe 2348 Jqlefl32.exe 1872 Jkaicd32.exe 5028 Jnpfop32.exe 1640 Kdinljnk.exe 1160 Kiejmi32.exe 4600 Kkcfid32.exe 4084 Knbbep32.exe 4936 Kbmoen32.exe 3164 Kelkaj32.exe 1780 Kiggbhda.exe 4380 Kkfcndce.exe 3048 Kjhcjq32.exe 4020 Kbpkkn32.exe 4492 Kenggi32.exe 5096 Kijchhbo.exe 1288 Kkhpdcab.exe 3772 Knflpoqf.exe 1200 Kbbhqn32.exe 1912 Keqdmihc.exe 384 Kgopidgf.exe 348 Kjmmepfj.exe 1300 Kbddfmgl.exe 1028 Kecabifp.exe 1636 Kinmcg32.exe 392 Kkmioc32.exe 4692 Knkekn32.exe 4888 Lajagj32.exe 3516 Leenhhdn.exe 400 Lgcjdd32.exe 3896 Ljbfpo32.exe 2696 Lnnbqnjn.exe 1168 Lalnmiia.exe 2808 Licfngjd.exe 4804 Lgffic32.exe 4400 Ljdceo32.exe 4552 Lbkkgl32.exe 3768 Lejgch32.exe 5068 Lieccf32.exe 4776 Lldopb32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Njpdnedf.exeOmegjomb.exeJnfcia32.exeLldopb32.exeCmcolgbj.exeFjadje32.exeGpcfmkff.exeBafndi32.exeKpmdfonj.exeKngkqbgl.exeDfjpfj32.exeChqogq32.exeLijlof32.exeCjecpkcg.exeClchbqoo.exeCdnmfclj.exeHfcnpn32.exeLejgch32.exeMbenmk32.exeCamddhoi.exeOblmdhdo.exeKjjbjd32.exePhganm32.exeKkpbin32.exePmlmkn32.exePnkbkk32.exeBheffh32.exeCcbadp32.exeLcgpni32.exeJcanll32.exeCgnomg32.exeIqpfjnba.exeKnkekn32.exeKdpmbc32.exeMccfdmmo.exeFngcmcfe.exeFmhdkknd.exeBkkple32.exeAopemh32.exePdfehh32.exeHiipmhmk.exeBkgeainn.exeNklbmllg.exeAllpejfe.exeJlhljhbg.exeJiiicf32.exeMjpbam32.exeBcddcbab.exeJkhgmf32.exeLjclki32.exeGnepna32.exeDdgibkpc.exeFimodc32.exeJdfjld32.exeOnapdl32.exeLbpdblmo.exeNahgoe32.exeCmflbf32.exeCiafbg32.exeGfkbde32.exeDkhnjk32.exeJgogbgei.exePhincl32.exedescription ioc Process File created C:\Windows\SysWOW64\Qofmkc32.dll Njpdnedf.exe File created C:\Windows\SysWOW64\Klplbbaq.dll Omegjomb.exe File created C:\Windows\SysWOW64\Imjfmjln.dll Jnfcia32.exe File opened for modification C:\Windows\SysWOW64\Lnbklm32.exe Lldopb32.exe File created C:\Windows\SysWOW64\Cobkhb32.exe Cmcolgbj.exe File created C:\Windows\SysWOW64\Ldhikb32.dll Fjadje32.exe File opened for modification C:\Windows\SysWOW64\Gbabigfj.exe Gpcfmkff.exe File created C:\Windows\SysWOW64\Bllbaa32.exe Bafndi32.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Kpmdfonj.exe File created C:\Windows\SysWOW64\Ipgijcij.dll Kngkqbgl.exe File created C:\Windows\SysWOW64\Dlghoa32.exe Dfjpfj32.exe File opened for modification C:\Windows\SysWOW64\Dokgdkeh.exe Chqogq32.exe File created C:\Windows\SysWOW64\Ljkifn32.exe Lijlof32.exe File created C:\Windows\SysWOW64\Icland32.dll Cjecpkcg.exe File created C:\Windows\SysWOW64\Jhglpo32.dll Clchbqoo.exe File created C:\Windows\SysWOW64\Cleegp32.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Hffken32.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Lieccf32.exe Lejgch32.exe File opened for modification C:\Windows\SysWOW64\Mecjif32.exe Mbenmk32.exe File created C:\Windows\SysWOW64\Clchbqoo.exe Camddhoi.exe File created C:\Windows\SysWOW64\Oaompd32.exe Oblmdhdo.exe File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Kjjbjd32.exe File opened for modification C:\Windows\SysWOW64\Plbmokop.exe Phganm32.exe File created C:\Windows\SysWOW64\Bhhqlkph.dll Kkpbin32.exe File opened for modification C:\Windows\SysWOW64\Pdfehh32.exe Pmlmkn32.exe File created C:\Windows\SysWOW64\Kmephjke.dll Pnkbkk32.exe File opened for modification C:\Windows\SysWOW64\Bkdcbd32.exe Bheffh32.exe File created C:\Windows\SysWOW64\Cfqmpl32.exe Ccbadp32.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Lcgpni32.exe File opened for modification C:\Windows\SysWOW64\Jgpfbjlo.exe Jcanll32.exe File created C:\Windows\SysWOW64\Coegoe32.exe Cgnomg32.exe File opened for modification C:\Windows\SysWOW64\Coegoe32.exe Cgnomg32.exe File created C:\Windows\SysWOW64\Igjngh32.exe Iqpfjnba.exe File created C:\Windows\SysWOW64\Hfombjbg.dll Knkekn32.exe File created C:\Windows\SysWOW64\Kgninn32.exe Kdpmbc32.exe File created C:\Windows\SysWOW64\Mkjnfkma.exe Mccfdmmo.exe File opened for modification C:\Windows\SysWOW64\Ffnknafg.exe Fngcmcfe.exe File opened for modification C:\Windows\SysWOW64\Fpgpgfmh.exe Fmhdkknd.exe File created C:\Windows\SysWOW64\Bcahmb32.exe Bkkple32.exe File created C:\Windows\SysWOW64\Apaadpng.exe Aopemh32.exe File opened for modification C:\Windows\SysWOW64\Pajeam32.exe Pdfehh32.exe File opened for modification C:\Windows\SysWOW64\Iepaaico.exe Hiipmhmk.exe File created C:\Windows\SysWOW64\Baannc32.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Peehmbji.dll Nklbmllg.exe File opened for modification C:\Windows\SysWOW64\Akoqpg32.exe Allpejfe.exe File created C:\Windows\SysWOW64\Jcbdgb32.exe Jlhljhbg.exe File opened for modification C:\Windows\SysWOW64\Jcanll32.exe Jiiicf32.exe File opened for modification C:\Windows\SysWOW64\Mbgjbkfg.exe Mjpbam32.exe File created C:\Windows\SysWOW64\Bmlilh32.exe Bcddcbab.exe File created C:\Windows\SysWOW64\Pjigamma.dll Jkhgmf32.exe File created C:\Windows\SysWOW64\Bdpkjpdi.dll Ljclki32.exe File created C:\Windows\SysWOW64\Gfodeohd.exe Gnepna32.exe File created C:\Windows\SysWOW64\Glfdiedd.dll Ddgibkpc.exe File opened for modification C:\Windows\SysWOW64\Fllkqn32.exe Fimodc32.exe File created C:\Windows\SysWOW64\Jcikgacl.exe Jdfjld32.exe File created C:\Windows\SysWOW64\Gdmpga32.dll Onapdl32.exe File created C:\Windows\SysWOW64\Lijlof32.exe Lbpdblmo.exe File created C:\Windows\SysWOW64\Befhip32.dll Nahgoe32.exe File created C:\Windows\SysWOW64\Ccpdoqgd.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Ckpbnb32.exe Ciafbg32.exe File created C:\Windows\SysWOW64\Pofkjd32.dll Gfkbde32.exe File created C:\Windows\SysWOW64\Dodjjimm.exe Dkhnjk32.exe File opened for modification C:\Windows\SysWOW64\Jkjcbe32.exe Jgogbgei.exe File created C:\Windows\SysWOW64\Idjnmo32.dll Phincl32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 12660 12388 WerFault.exe 665 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Aodogdmn.exeQemhbj32.exeAhpmjejp.exeAehgnied.exeFbelcblk.exeBphgeo32.exeBcddcbab.exeMjcngpjh.exeKjmmepfj.exeGipdap32.exeFelbnn32.exeGmggfp32.exeKmaopfjm.exeEmmdom32.exeFbjena32.exeLgkpdcmi.exeNijeec32.exePdfehh32.exePejkmk32.exeQkipkani.exeBdagpnbk.exeMeefofek.exeCkkiccep.exeDlghoa32.exeOogpjbbb.exeIepaaico.exeOpclldhj.exeLajagj32.exeBkmmaeap.exeDifpmfna.exeEcgcfm32.exeJdfjld32.exeChnlgjlb.exeCkclhn32.exeIefgbh32.exeIqbbpm32.exeJhpqaiji.exeLelchgne.exeMalgcg32.exeNiooqcad.exeNajmjokc.exeKeqdmihc.exeDmhand32.exeGbabigfj.exeGkhkjd32.exeApaadpng.exeOffnhpfo.exeMbighjdd.exeCcbadp32.exeMoipoh32.exeAmjbbfgo.exeDkhnjk32.exeFfnknafg.exeJdnoplhh.exeLjbfpo32.exeFjhacf32.exeIkbfgppo.exeKnooej32.exePdkoch32.exeMnegbp32.exeCcpdoqgd.exeFjohde32.exeObafpg32.exePkogiikb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodogdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpmjejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmmepfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkpdcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkipkani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdagpnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meefofek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkiccep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlghoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opclldhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmmaeap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgcfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnlgjlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefgbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpqaiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelchgne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niooqcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najmjokc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqdmihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbabigfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbadp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moipoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffnknafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnoplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjohde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obafpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe -
Modifies registry class 64 IoCs
Processes:
Kjhcjq32.exeHlegnjbm.exeLclpdncg.exeKkfcndce.exeDpdaepai.exeBhkfkmmg.exeLqkgbcff.exeDpgnjo32.exeLnangaoa.exeApmhiq32.exeConanfli.exeQebhhp32.exeMnkggfkb.exeMfqlfb32.exeAggpfkjj.exeJqglkmlj.exeCkmehb32.exeDpphjp32.exeIdhnkf32.exeKqphfe32.exeMbenmk32.exePchlpfjb.exeMccfdmmo.exeAgdcpkll.exeMkhapk32.exeFihnomjp.exePhedhmhi.exeEiobceef.exeNgndaccj.exeIgjngh32.exeFpdcag32.exeMalpia32.exeDkhnjk32.exePlndcl32.exeDbqqkkbo.exeJbiejoaj.exeNbcjnilj.exeAopemh32.exeCndeii32.exeOpclldhj.exeCkpbnb32.exeOnnmdcjm.exeChqogq32.exeFfnknafg.exeGmiclo32.exeClchbqoo.exeJgpfbjlo.exeBmjkic32.exeAafemk32.exeKdinljnk.exeMilidebi.exeQaflgago.exeFbelcblk.exeJnfcia32.exeJcanll32.exeFbcfhibj.exeMnphmkji.exeNhpbfpka.exeOkgaijaj.exeGpcfmkff.exeIcfekc32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achgjc32.dll" Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkfcndce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpdaepai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhkfkmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqkgbcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmnhl32.dll" Lnangaoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apmhiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhocin32.dll" Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnkggfkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdnejf.dll" Jqglkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflhb32.dll" Idhnkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbenmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pchlpfjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll" Agdcpkll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phedhmhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbjqfjb.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neoogc32.dll" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdmbe32.dll" Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejncidp.dll" Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plndcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmipen.dll" Jbiejoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbcjnilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlephen.dll" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqhcce32.dll" Ckpbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onnmdcjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clchbqoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Bmjkic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aafemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpdcag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdinljnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Milidebi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibingd32.dll" Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnfcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll" Jcanll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdnfjpa.dll" Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" Mnphmkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjjnh32.dll" Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okgaijaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpcfmkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icfekc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exeIqpfjnba.exeIgjngh32.exeIjhjcchb.exeIndfca32.exeIqbbpm32.exeJdnoplhh.exeJglklggl.exeJkhgmf32.exeJnfcia32.exeJqdoem32.exeJdpkflfe.exeJgogbgei.exeJkjcbe32.exeJnhpoamf.exeJqglkmlj.exeJdbhkk32.exeJhndljll.exeJklphekp.exeJnkldqkc.exeJbfheo32.exeJdedak32.exedescription pid Process procid_target PID 3704 wrote to memory of 3488 3704 fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe 83 PID 3704 wrote to memory of 3488 3704 fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe 83 PID 3704 wrote to memory of 3488 3704 fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe 83 PID 3488 wrote to memory of 1664 3488 Iqpfjnba.exe 84 PID 3488 wrote to memory of 1664 3488 Iqpfjnba.exe 84 PID 3488 wrote to memory of 1664 3488 Iqpfjnba.exe 84 PID 1664 wrote to memory of 3312 1664 Igjngh32.exe 85 PID 1664 wrote to memory of 3312 1664 Igjngh32.exe 85 PID 1664 wrote to memory of 3312 1664 Igjngh32.exe 85 PID 3312 wrote to memory of 3876 3312 Ijhjcchb.exe 86 PID 3312 wrote to memory of 3876 3312 Ijhjcchb.exe 86 PID 3312 wrote to memory of 3876 3312 Ijhjcchb.exe 86 PID 3876 wrote to memory of 1084 3876 Indfca32.exe 87 PID 3876 wrote to memory of 1084 3876 Indfca32.exe 87 PID 3876 wrote to memory of 1084 3876 Indfca32.exe 87 PID 1084 wrote to memory of 3616 1084 Iqbbpm32.exe 88 PID 1084 wrote to memory of 3616 1084 Iqbbpm32.exe 88 PID 1084 wrote to memory of 3616 1084 Iqbbpm32.exe 88 PID 3616 wrote to memory of 4000 3616 Jdnoplhh.exe 89 PID 3616 wrote to memory of 4000 3616 Jdnoplhh.exe 89 PID 3616 wrote to memory of 4000 3616 Jdnoplhh.exe 89 PID 4000 wrote to memory of 3144 4000 Jglklggl.exe 90 PID 4000 wrote to memory of 3144 4000 Jglklggl.exe 90 PID 4000 wrote to memory of 3144 4000 Jglklggl.exe 90 PID 3144 wrote to memory of 2760 3144 Jkhgmf32.exe 91 PID 3144 wrote to memory of 2760 3144 Jkhgmf32.exe 91 PID 3144 wrote to memory of 2760 3144 Jkhgmf32.exe 91 PID 2760 wrote to memory of 1696 2760 Jnfcia32.exe 92 PID 2760 wrote to memory of 1696 2760 Jnfcia32.exe 92 PID 2760 wrote to memory of 1696 2760 Jnfcia32.exe 92 PID 1696 wrote to memory of 3688 1696 Jqdoem32.exe 93 PID 1696 wrote to memory of 3688 1696 Jqdoem32.exe 93 PID 1696 wrote to memory of 3688 1696 Jqdoem32.exe 93 PID 3688 wrote to memory of 2736 3688 Jdpkflfe.exe 94 PID 3688 wrote to memory of 2736 3688 Jdpkflfe.exe 94 PID 3688 wrote to memory of 2736 3688 Jdpkflfe.exe 94 PID 2736 wrote to memory of 4812 2736 Jgogbgei.exe 95 PID 2736 wrote to memory of 4812 2736 Jgogbgei.exe 95 PID 2736 wrote to memory of 4812 2736 Jgogbgei.exe 95 PID 4812 wrote to memory of 1564 4812 Jkjcbe32.exe 96 PID 4812 wrote to memory of 1564 4812 Jkjcbe32.exe 96 PID 4812 wrote to memory of 1564 4812 Jkjcbe32.exe 96 PID 1564 wrote to memory of 2280 1564 Jnhpoamf.exe 97 PID 1564 wrote to memory of 2280 1564 Jnhpoamf.exe 97 PID 1564 wrote to memory of 2280 1564 Jnhpoamf.exe 97 PID 2280 wrote to memory of 4064 2280 Jqglkmlj.exe 98 PID 2280 wrote to memory of 4064 2280 Jqglkmlj.exe 98 PID 2280 wrote to memory of 4064 2280 Jqglkmlj.exe 98 PID 4064 wrote to memory of 1132 4064 Jdbhkk32.exe 99 PID 4064 wrote to memory of 1132 4064 Jdbhkk32.exe 99 PID 4064 wrote to memory of 1132 4064 Jdbhkk32.exe 99 PID 1132 wrote to memory of 2384 1132 Jhndljll.exe 100 PID 1132 wrote to memory of 2384 1132 Jhndljll.exe 100 PID 1132 wrote to memory of 2384 1132 Jhndljll.exe 100 PID 2384 wrote to memory of 1280 2384 Jklphekp.exe 101 PID 2384 wrote to memory of 1280 2384 Jklphekp.exe 101 PID 2384 wrote to memory of 1280 2384 Jklphekp.exe 101 PID 1280 wrote to memory of 4564 1280 Jnkldqkc.exe 102 PID 1280 wrote to memory of 4564 1280 Jnkldqkc.exe 102 PID 1280 wrote to memory of 4564 1280 Jnkldqkc.exe 102 PID 4564 wrote to memory of 1740 4564 Jbfheo32.exe 103 PID 4564 wrote to memory of 1740 4564 Jbfheo32.exe 103 PID 4564 wrote to memory of 1740 4564 Jbfheo32.exe 103 PID 1740 wrote to memory of 1964 1740 Jdedak32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe"C:\Users\Admin\AppData\Local\Temp\fa1752792f9b31b83f6e68a185905e41103d4e3db1c725aed73b4d95a438a73dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe24⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe25⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe27⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe28⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe29⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe31⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe33⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe34⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe35⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe36⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe39⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe40⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe41⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe42⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe43⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe44⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe46⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:348 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe49⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe50⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe51⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4692 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe55⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe58⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe59⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe60⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe61⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe62⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe64⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4776 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe66⤵PID:2276
-
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe67⤵PID:5128
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5168 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5208 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe70⤵PID:5248
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe71⤵
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe72⤵
- Drops file in System32 directory
PID:5328 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5368 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe74⤵PID:5408
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe76⤵PID:5488
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe77⤵PID:5528
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe80⤵PID:5648
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe81⤵
- Drops file in System32 directory
PID:5688 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe82⤵PID:5732
-
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe83⤵
- System Location Discovery: System Language Discovery
PID:5776 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe84⤵PID:5816
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe85⤵PID:5860
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe86⤵
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe87⤵
- System Location Discovery: System Language Discovery
PID:5944 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe89⤵PID:6024
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe90⤵
- Modifies registry class
PID:6064 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6104 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe92⤵PID:3236
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe93⤵PID:2284
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe94⤵PID:1676
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe95⤵PID:1488
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe96⤵PID:4200
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe97⤵PID:1844
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe98⤵PID:4388
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe100⤵PID:2100
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe101⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe102⤵
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe103⤵PID:5216
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe104⤵
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe105⤵PID:5360
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe106⤵PID:5440
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe107⤵
- Drops file in System32 directory
PID:5516 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe108⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe109⤵PID:5656
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe110⤵PID:5724
-
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5812 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe112⤵PID:5888
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe113⤵PID:5936
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe114⤵PID:6012
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe115⤵PID:6092
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe116⤵PID:4184
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe117⤵PID:3540
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe118⤵PID:3576
-
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe119⤵
- Drops file in System32 directory
PID:4612 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe120⤵PID:3672
-
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe121⤵PID:1584
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe122⤵PID:2700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-