Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 18:47
Static task
static1
Behavioral task
behavioral1
Sample
857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe
Resource
win10v2004-20241007-en
General
-
Target
857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe
-
Size
74KB
-
MD5
f0a50a272ef2b1696d445ec43bf8c070
-
SHA1
78756e9dc85e7833db63375f22794409283c183e
-
SHA256
857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4
-
SHA512
d8ac55555fb623d1b9a6e24c9cfdbd5118242856d138693f68e47d00f9c0554a0c5be92b1e7c465923e53480fe23f3e42386427c92dfa6c02ce52630d31a4641
-
SSDEEP
1536:asXqrJexf921VefE4xTqM7/gKyGRdYIMTrZhQ7pkoIGip:lxf81EpQKzYvTNhQuH
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ejfeng32.exeJpfepf32.exeBhkmec32.exeMjodla32.exeDkhgod32.exeMfenglqf.exeMpapnfhg.exePbhgoh32.exeEpmmqheb.exeKpmdfonj.exeAaoaic32.exeBdmmeo32.exeJbojlfdp.exeDlieda32.exeHmpjmn32.exeFqbliicp.exeJpnakk32.exeGpbpbecj.exeHlpfhe32.exeBoldhf32.exeEqncnj32.exeGbofcghl.exeHpabni32.exeHdokdg32.exeKcmmhj32.exeLoighj32.exeAonhghjl.exeLpochfji.exePaihlpfi.exeIkdcmpnl.exeOjajin32.exeJcgnbaeo.exeGlfmgp32.exeHlppno32.exeNhhdnf32.exeIpoopgnf.exeKnfeeimj.exeGeoapenf.exeHajkqfoe.exePoimpapp.exeBlqllqqa.exeIoolkncg.exeKmaopfjm.exeOalipoiq.exeJpenfp32.exeQmeigg32.exeOqoefand.exeDdjmba32.exeCkjknfnh.exeHhfpbpdo.exeGiinpa32.exeQdoacabq.exeDhikci32.exeFkfcqb32.exeKcoccc32.exeEbjcajjd.exePafkgphl.exeCglbhhga.exeFganqbgg.exeMlofcf32.exeNbbeml32.exeObjkmkjj.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejfeng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfepf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjodla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpapnfhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epmmqheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmmeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlieda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqncnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loighj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonhghjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paihlpfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcgnbaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhhdnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knfeeimj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hajkqfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmeigg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqoefand.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjmba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjknfnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giinpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebjcajjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbeml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objkmkjj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Cjjlkk32.exeCmhigf32.exeCbeapmll.exeCmjemflb.exeCcdnjp32.exeCbgnemjj.exeCkpbnb32.exeDbjkkl32.exeDiccgfpd.exeDpnkdq32.exeDjcoai32.exeDpphjp32.exeDfjpfj32.exeDmdhcddh.exeDcnqpo32.exeDjhimica.exeDlieda32.exeDcpmen32.exeDjjebh32.exeDpgnjo32.exeEbejfk32.exeEfafgifc.exeEcefqnel.exeEbhglj32.exeEjoomhmi.exeEbjcajjd.exeEfepbi32.exeEidlnd32.exeEblpgjha.exeEifhdd32.exeEppqqn32.exeEjfeng32.exeEiieicml.exeFikbocki.exeFlinkojm.exeFdqfll32.exeFjjnifbl.exeFmikeaap.exeFbfcmhpg.exeFipkjb32.exeFlngfn32.exeFbhpch32.exeFjohde32.exeFlqdlnde.exeFbjmhh32.exeFjadje32.exeFmpqfq32.exeGpnmbl32.exeGfheof32.exeGlengm32.exeGbofcghl.exeGiinpa32.exeGpcfmkff.exeGbabigfj.exeGkhkjd32.exeGljgbllj.exeGdaociml.exeGfokoelp.exeGingkqkd.exeGbfldf32.exeGgahedjn.exeGipdap32.exeHpjmnjqn.exeHgdejd32.exepid Process 872 Cjjlkk32.exe 2504 Cmhigf32.exe 2288 Cbeapmll.exe 3176 Cmjemflb.exe 2548 Ccdnjp32.exe 1840 Cbgnemjj.exe 4692 Ckpbnb32.exe 4204 Dbjkkl32.exe 2720 Diccgfpd.exe 4472 Dpnkdq32.exe 2044 Djcoai32.exe 1972 Dpphjp32.exe 2052 Dfjpfj32.exe 2904 Dmdhcddh.exe 2456 Dcnqpo32.exe 2324 Djhimica.exe 4704 Dlieda32.exe 3760 Dcpmen32.exe 4656 Djjebh32.exe 208 Dpgnjo32.exe 4100 Ebejfk32.exe 1332 Efafgifc.exe 1444 Ecefqnel.exe 2076 Ebhglj32.exe 4084 Ejoomhmi.exe 2248 Ebjcajjd.exe 628 Efepbi32.exe 3772 Eidlnd32.exe 1248 Eblpgjha.exe 636 Eifhdd32.exe 2656 Eppqqn32.exe 4760 Ejfeng32.exe 4368 Eiieicml.exe 4556 Fikbocki.exe 3596 Flinkojm.exe 4148 Fdqfll32.exe 1936 Fjjnifbl.exe 5048 Fmikeaap.exe 2564 Fbfcmhpg.exe 2480 Fipkjb32.exe 3672 Flngfn32.exe 4932 Fbhpch32.exe 4496 Fjohde32.exe 1092 Flqdlnde.exe 3248 Fbjmhh32.exe 760 Fjadje32.exe 2100 Fmpqfq32.exe 4864 Gpnmbl32.exe 3684 Gfheof32.exe 5100 Glengm32.exe 4388 Gbofcghl.exe 1004 Giinpa32.exe 3560 Gpcfmkff.exe 1864 Gbabigfj.exe 4456 Gkhkjd32.exe 2992 Gljgbllj.exe 3196 Gdaociml.exe 3600 Gfokoelp.exe 2396 Gingkqkd.exe 532 Gbfldf32.exe 3400 Ggahedjn.exe 3440 Gipdap32.exe 4776 Hpjmnjqn.exe 4856 Hgdejd32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Kcndbp32.exeFbbpmb32.exeGflhoo32.exeAonhghjl.exeMapppn32.exeMjlalkmd.exeOmmceclc.exeHginecde.exeKnalji32.exeCofnik32.exeHlpfhe32.exeOnocomdo.exeHlppno32.exeJpbjfjci.exeKlndfj32.exeOjemig32.exeCbgnemjj.exeGpnfge32.exeQdoacabq.exeCpbjkn32.exeGmfplibd.exeMqdcnl32.exeBpfkpp32.exeCdkifmjq.exeKheekkjl.exePiapkbeg.exeOhkkhhmh.exeLqmmmmph.exeGaloohke.exeLdgccb32.exeMkhapk32.exeJiiicf32.exeQjiipk32.exeGihpkd32.exeKkpbin32.exeFlpmagqi.exeCacckp32.exeJbojlfdp.exeMgaokl32.exeHbhboolf.exeNmipdk32.exeQhhpop32.exeKhiofk32.exeDcnqpo32.exeJkgpbp32.exeLqpamb32.exeQhmqdemc.exeGoglcahb.exeJoahqn32.exeJgbchj32.exeAokkahlo.exeBhhiemoj.exeLakfeodm.exeGdaociml.exeCkmonl32.exeEpmmqheb.exeIplkpa32.exeBddcenpi.exePafkgphl.exe857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exeDcpmen32.exeHmpjmn32.exeImgicgca.exeDkndie32.exedescription ioc Process File created C:\Windows\SysWOW64\Kqbdldnq.exe Kcndbp32.exe File created C:\Windows\SysWOW64\Fimhbfpl.dll Fbbpmb32.exe File opened for modification C:\Windows\SysWOW64\Gmfplibd.exe Gflhoo32.exe File created C:\Windows\SysWOW64\Lielhgaa.dll Aonhghjl.exe File opened for modification C:\Windows\SysWOW64\Mhjhmhhd.exe Mapppn32.exe File created C:\Windows\SysWOW64\Mpeiie32.exe Mjlalkmd.exe File opened for modification C:\Windows\SysWOW64\Objkmkjj.exe Ommceclc.exe File opened for modification C:\Windows\SysWOW64\Hpabni32.exe Hginecde.exe File created C:\Windows\SysWOW64\Kcndbp32.exe Knalji32.exe File created C:\Windows\SysWOW64\Cdbfab32.exe Cofnik32.exe File created C:\Windows\SysWOW64\Hplbickp.exe Hlpfhe32.exe File created C:\Windows\SysWOW64\Ojenek32.dll Onocomdo.exe File created C:\Windows\SysWOW64\Hkhcdb32.dll Hlppno32.exe File created C:\Windows\SysWOW64\Jadgnb32.exe Jpbjfjci.exe File created C:\Windows\SysWOW64\Kbhmbdle.exe Klndfj32.exe File created C:\Windows\SysWOW64\Fljhbbae.dll Ojemig32.exe File created C:\Windows\SysWOW64\Ckpbnb32.exe Cbgnemjj.exe File created C:\Windows\SysWOW64\Gfhndpol.exe Gpnfge32.exe File created C:\Windows\SysWOW64\Nhhlki32.dll Qdoacabq.exe File created C:\Windows\SysWOW64\Bjlfmfbi.dll Cpbjkn32.exe File created C:\Windows\SysWOW64\Goglcahb.exe Gmfplibd.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe Mqdcnl32.exe File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe Bpfkpp32.exe File created C:\Windows\SysWOW64\Cgifbhid.exe Cdkifmjq.exe File created C:\Windows\SysWOW64\Koonge32.exe Kheekkjl.exe File opened for modification C:\Windows\SysWOW64\Paihlpfi.exe Piapkbeg.exe File created C:\Windows\SysWOW64\Oodcdb32.exe Ohkkhhmh.exe File created C:\Windows\SysWOW64\Lopmii32.exe Lqmmmmph.exe File created C:\Windows\SysWOW64\Gebekb32.dll Galoohke.exe File created C:\Windows\SysWOW64\Lgepom32.exe Ldgccb32.exe File created C:\Windows\SysWOW64\Mminhceb.exe Mkhapk32.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Hockka32.dll Qjiipk32.exe File opened for modification C:\Windows\SysWOW64\Glfmgp32.exe Gihpkd32.exe File created C:\Windows\SysWOW64\Kjccdkki.exe Kkpbin32.exe File created C:\Windows\SysWOW64\Ahbohd32.dll Flpmagqi.exe File opened for modification C:\Windows\SysWOW64\Cgqlcg32.exe Cacckp32.exe File created C:\Windows\SysWOW64\Jpbjfjci.exe Jbojlfdp.exe File created C:\Windows\SysWOW64\Mnkggfkb.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Pqknpl32.dll Hbhboolf.exe File created C:\Windows\SysWOW64\Adfnba32.dll Nmipdk32.exe File created C:\Windows\SysWOW64\Qmeigg32.exe Qhhpop32.exe File created C:\Windows\SysWOW64\Ichelm32.dll Khiofk32.exe File created C:\Windows\SysWOW64\Geibhp32.dll Dcnqpo32.exe File opened for modification C:\Windows\SysWOW64\Jpdhkf32.exe Jkgpbp32.exe File created C:\Windows\SysWOW64\Gjmgfljg.dll Lqpamb32.exe File opened for modification C:\Windows\SysWOW64\Aojefobm.exe Qhmqdemc.exe File created C:\Windows\SysWOW64\Nqdmimbf.dll Goglcahb.exe File opened for modification C:\Windows\SysWOW64\Jghpbk32.exe Joahqn32.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Jgbchj32.exe File created C:\Windows\SysWOW64\Apmhiq32.exe Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Baannc32.exe Bhhiemoj.exe File created C:\Windows\SysWOW64\Llqjbhdc.exe Lakfeodm.exe File created C:\Windows\SysWOW64\Gfokoelp.exe Gdaociml.exe File created C:\Windows\SysWOW64\Dnmhpg32.exe Ckmonl32.exe File created C:\Windows\SysWOW64\Nlnhqepf.dll Epmmqheb.exe File created C:\Windows\SysWOW64\Ioolkncg.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Bknlbhhe.exe Bddcenpi.exe File created C:\Windows\SysWOW64\Pbhgoh32.exe Pafkgphl.exe File opened for modification C:\Windows\SysWOW64\Cjjlkk32.exe 857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe File created C:\Windows\SysWOW64\Djjebh32.exe Dcpmen32.exe File created C:\Windows\SysWOW64\Gdgiklme.dll Hmpjmn32.exe File created C:\Windows\SysWOW64\Ibcaknbi.exe Imgicgca.exe File created C:\Windows\SysWOW64\Jilpfgkh.dll Dkndie32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 12664 12584 WerFault.exe 628 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ckmonl32.exeEbgpad32.exePpgegd32.exeLcfidb32.exeMhanngbl.exeBlqllqqa.exeJgmjmjnb.exeIafkld32.exeJbojlfdp.exeJahqiaeb.exeFbjmhh32.exeLknojl32.exePajeam32.exeDdnfmqng.exeBdojjo32.exeCkjknfnh.exeHcpojd32.exeKjccdkki.exeGncchb32.exeIibccgep.exeBahdob32.exeCggimh32.exePpdbgncl.exeKcbnnpka.exeIlcldb32.exeMmmqhl32.exeMqkiok32.exeJpgdai32.exeNjljch32.exeDpnkdq32.exeIkdcmpnl.exeDbnmke32.exeHajkqfoe.exeNqfbpb32.exeHmpjmn32.exeDhbebj32.exeNckkfp32.exeEbejfk32.exeOalipoiq.exeHmpcbhji.exeJoqafgni.exeNbbeml32.exeIphioh32.exeMchppmij.exeJpenfp32.exeJgpfbjlo.exeHlambk32.exeJkgpbp32.exeCncnob32.exeFbdehlip.exeFmhdkknd.exeIpmbjgpi.exeAonhghjl.exeKifojnol.exeGoglcahb.exeIebngial.exeEfepbi32.exeIgpdfb32.exeJlobkg32.exeKnalji32.exeMmkkmc32.exeDbkqfe32.exeNclbpf32.exeBpfkpp32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfidb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhanngbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafkld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbojlfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahqiaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjknfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccdkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahdob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdbgncl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqkiok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njljch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnkdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikdcmpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajkqfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqfbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joqafgni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbeml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdehlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmbjgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonhghjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifojnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goglcahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebngial.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efepbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knalji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfkpp32.exe -
Modifies registry class 64 IoCs
Processes:
Eidlnd32.exeGdaociml.exeNenbjo32.exeGiecfejd.exeOckdmmoj.exeNciopppp.exeEiieicml.exeNlhkgi32.exeDnmhpg32.exeJepjhg32.exeLjceqb32.exeJbojlfdp.exeJncoikmp.exeJdmgfedl.exeGmfplibd.exeEgohdegl.exeMjlalkmd.exePjlcjf32.exeJjafok32.exeMnkggfkb.exePoimpapp.exeGihpkd32.exeHifmmb32.exeLlqjbhdc.exeGbabigfj.exeQhkdof32.exeEiloco32.exeKcbfcigf.exeGpnmbl32.exeDkfadkgf.exeLjdkll32.exeFbelcblk.exeGfhndpol.exeBdojjo32.exeOikjkc32.exeGfokoelp.exeHpabni32.exeIibccgep.exeLjhnlb32.exePpjbmc32.exeGnpphljo.exeBgpcliao.exeEhpadhll.exeGpcfmkff.exeIpflihfq.exeIdhnkf32.exeIpjoja32.exeMmpmnl32.exeNmipdk32.exeDheibpje.exeAhaceo32.exeChkobkod.exeObqanjdb.exeMapppn32.exeEfeihb32.exeIoolkncg.exePdmdnadc.exeHajkqfoe.exeJimldogg.exeLllagh32.exeDomdjj32.exeOghghb32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjelhg32.dll" Gdaociml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nenbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ockdmmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nciopppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnmhpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll" Ljceqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll" Gmfplibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egohdegl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbcfp32.dll" Jjafok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgqfld.dll" Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpbai32.dll" Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llqjbhdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqomgid.dll" Gpnmbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll" Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll" Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackhdo32.dll" Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll" Ljhnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll" Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Ehpadhll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpcfmkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipflihfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmipdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdecba32.dll" Dheibpje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahaceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll" Obqanjdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mapppn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdggc32.dll" Hajkqfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeghb32.dll" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" Oghghb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exeCjjlkk32.exeCmhigf32.exeCbeapmll.exeCmjemflb.exeCcdnjp32.exeCbgnemjj.exeCkpbnb32.exeDbjkkl32.exeDiccgfpd.exeDpnkdq32.exeDjcoai32.exeDpphjp32.exeDfjpfj32.exeDmdhcddh.exeDcnqpo32.exeDjhimica.exeDlieda32.exeDcpmen32.exeDjjebh32.exeDpgnjo32.exeEbejfk32.exedescription pid Process procid_target PID 3212 wrote to memory of 872 3212 857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe 83 PID 3212 wrote to memory of 872 3212 857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe 83 PID 3212 wrote to memory of 872 3212 857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe 83 PID 872 wrote to memory of 2504 872 Cjjlkk32.exe 84 PID 872 wrote to memory of 2504 872 Cjjlkk32.exe 84 PID 872 wrote to memory of 2504 872 Cjjlkk32.exe 84 PID 2504 wrote to memory of 2288 2504 Cmhigf32.exe 85 PID 2504 wrote to memory of 2288 2504 Cmhigf32.exe 85 PID 2504 wrote to memory of 2288 2504 Cmhigf32.exe 85 PID 2288 wrote to memory of 3176 2288 Cbeapmll.exe 86 PID 2288 wrote to memory of 3176 2288 Cbeapmll.exe 86 PID 2288 wrote to memory of 3176 2288 Cbeapmll.exe 86 PID 3176 wrote to memory of 2548 3176 Cmjemflb.exe 87 PID 3176 wrote to memory of 2548 3176 Cmjemflb.exe 87 PID 3176 wrote to memory of 2548 3176 Cmjemflb.exe 87 PID 2548 wrote to memory of 1840 2548 Ccdnjp32.exe 88 PID 2548 wrote to memory of 1840 2548 Ccdnjp32.exe 88 PID 2548 wrote to memory of 1840 2548 Ccdnjp32.exe 88 PID 1840 wrote to memory of 4692 1840 Cbgnemjj.exe 90 PID 1840 wrote to memory of 4692 1840 Cbgnemjj.exe 90 PID 1840 wrote to memory of 4692 1840 Cbgnemjj.exe 90 PID 4692 wrote to memory of 4204 4692 Ckpbnb32.exe 91 PID 4692 wrote to memory of 4204 4692 Ckpbnb32.exe 91 PID 4692 wrote to memory of 4204 4692 Ckpbnb32.exe 91 PID 4204 wrote to memory of 2720 4204 Dbjkkl32.exe 92 PID 4204 wrote to memory of 2720 4204 Dbjkkl32.exe 92 PID 4204 wrote to memory of 2720 4204 Dbjkkl32.exe 92 PID 2720 wrote to memory of 4472 2720 Diccgfpd.exe 94 PID 2720 wrote to memory of 4472 2720 Diccgfpd.exe 94 PID 2720 wrote to memory of 4472 2720 Diccgfpd.exe 94 PID 4472 wrote to memory of 2044 4472 Dpnkdq32.exe 95 PID 4472 wrote to memory of 2044 4472 Dpnkdq32.exe 95 PID 4472 wrote to memory of 2044 4472 Dpnkdq32.exe 95 PID 2044 wrote to memory of 1972 2044 Djcoai32.exe 96 PID 2044 wrote to memory of 1972 2044 Djcoai32.exe 96 PID 2044 wrote to memory of 1972 2044 Djcoai32.exe 96 PID 1972 wrote to memory of 2052 1972 Dpphjp32.exe 97 PID 1972 wrote to memory of 2052 1972 Dpphjp32.exe 97 PID 1972 wrote to memory of 2052 1972 Dpphjp32.exe 97 PID 2052 wrote to memory of 2904 2052 Dfjpfj32.exe 99 PID 2052 wrote to memory of 2904 2052 Dfjpfj32.exe 99 PID 2052 wrote to memory of 2904 2052 Dfjpfj32.exe 99 PID 2904 wrote to memory of 2456 2904 Dmdhcddh.exe 100 PID 2904 wrote to memory of 2456 2904 Dmdhcddh.exe 100 PID 2904 wrote to memory of 2456 2904 Dmdhcddh.exe 100 PID 2456 wrote to memory of 2324 2456 Dcnqpo32.exe 101 PID 2456 wrote to memory of 2324 2456 Dcnqpo32.exe 101 PID 2456 wrote to memory of 2324 2456 Dcnqpo32.exe 101 PID 2324 wrote to memory of 4704 2324 Djhimica.exe 102 PID 2324 wrote to memory of 4704 2324 Djhimica.exe 102 PID 2324 wrote to memory of 4704 2324 Djhimica.exe 102 PID 4704 wrote to memory of 3760 4704 Dlieda32.exe 103 PID 4704 wrote to memory of 3760 4704 Dlieda32.exe 103 PID 4704 wrote to memory of 3760 4704 Dlieda32.exe 103 PID 3760 wrote to memory of 4656 3760 Dcpmen32.exe 104 PID 3760 wrote to memory of 4656 3760 Dcpmen32.exe 104 PID 3760 wrote to memory of 4656 3760 Dcpmen32.exe 104 PID 4656 wrote to memory of 208 4656 Djjebh32.exe 105 PID 4656 wrote to memory of 208 4656 Djjebh32.exe 105 PID 4656 wrote to memory of 208 4656 Djjebh32.exe 105 PID 208 wrote to memory of 4100 208 Dpgnjo32.exe 106 PID 208 wrote to memory of 4100 208 Dpgnjo32.exe 106 PID 208 wrote to memory of 4100 208 Dpgnjo32.exe 106 PID 4100 wrote to memory of 1332 4100 Ebejfk32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe"C:\Users\Admin\AppData\Local\Temp\857cbab0efdd6f3e11a6f10f33cdf603daeece3822527b3ee42fa979cf971be4N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe23⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe24⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe25⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe26⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3772 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe30⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe31⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe32⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4368 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe35⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe36⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe37⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe38⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe39⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe40⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe41⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe42⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe43⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe44⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe45⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3248 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe47⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe48⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe50⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe51⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe56⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe57⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe60⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe61⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe62⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe63⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe64⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe65⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe66⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe67⤵PID:1548
-
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe68⤵PID:4120
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe70⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe72⤵
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe73⤵PID:5116
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1116 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe75⤵PID:3632
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe76⤵PID:4716
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe77⤵
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe78⤵
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe79⤵PID:1056
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe80⤵
- System Location Discovery: System Language Discovery
PID:3300 -
C:\Windows\SysWOW64\Inlihl32.exeC:\Windows\system32\Inlihl32.exe81⤵PID:4628
-
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe82⤵PID:5072
-
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe83⤵PID:4764
-
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe84⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe85⤵
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe86⤵PID:1908
-
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4344 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4424 -
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe89⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe90⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4352 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe92⤵PID:528
-
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe93⤵PID:5000
-
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe94⤵PID:4788
-
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe96⤵PID:4880
-
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe97⤵PID:4572
-
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe98⤵PID:856
-
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe99⤵PID:5160
-
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe101⤵PID:5288
-
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe102⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe103⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe104⤵PID:5456
-
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe105⤵PID:5532
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe106⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe107⤵
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5664 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe109⤵PID:5712
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe110⤵PID:5756
-
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe111⤵PID:5804
-
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5856 -
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe113⤵
- Drops file in System32 directory
PID:5908 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe114⤵PID:5952
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe115⤵PID:5996
-
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6040 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe117⤵
- System Location Discovery: System Language Discovery
PID:6084 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe118⤵PID:6128
-
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe119⤵PID:5140
-
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe120⤵PID:5272
-
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5320 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe122⤵
- Drops file in System32 directory
PID:5444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-