Analysis
max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 18:53

Static task: static1

Behavioral task: behavioral1
Sample: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
Resource: win10v2004-20241007-en
General
Target: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe
Size: 302KB
MD5: cd3fc070e83791075207a2d6c7a71684
SHA1: aad5f5d97c454225964293f61ab3d450a6e7bc22
SHA256: d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8
SHA512: 695e00589f383e6f3dbcde78ce0985748239ca547908ad4cf8fc41995c2e30eed18c02b21f86709b509edbf754f68e892f4adc095b7e52b9134942aeb0869568
SSDEEP: 6144:zUBeuhFrG03FF7fPtcsw6UJZqktbOUqCTGepXgbWHr:zQzFrJ3FF7fFcsw6UJZqktbDqCTGepXH
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: WerFault.exe
pid    pid_target  Process       procid_target
14348  13428       WerFault.exe  752
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Fpqgakql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhpab32.dll" Kginmnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjmdoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdepmbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmefclen.dll" Neadddca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldfnf32.dll" Ckjpblig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggppcjgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqomiffj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d6b54a63133ae05dc8f4b2e5619b56b504046576653e6014842d1f3863b927a8.exe"), PID 3272
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Cjcdeo32.exe (command line: C:\Windows\system32\Cjcdeo32.exe), PID 2012
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Cmbpaj32.exe (command line: C:\Windows\system32\Cmbpaj32.exe), PID 3124
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Ceihbgbl.exe (command line: C:\Windows\system32\Ceihbgbl.exe), PID 1976
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Dmdmgjpg.exe (command line: C:\Windows\system32\Dmdmgjpg.exe), PID 2632
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Dhjadbom.exe (command line: C:\Windows\system32\Dhjadbom.exe), PID 4628
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Dodiam32.exe (command line: C:\Windows\system32\Dodiam32.exe), PID 5044
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\Ddqbicea.exe (command line: C:\Windows\system32\Ddqbicea.exe), PID 2180
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\Dfoneode.exe (command line: C:\Windows\system32\Dfoneode.exe), PID 4320
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\Depncf32.exe (command line: C:\Windows\system32\Depncf32.exe), PID 4540
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\Dhokpb32.exe (command line: C:\Windows\system32\Dhokpb32.exe), PID 3996
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\Dkmgln32.exe (command line: C:\Windows\system32\Dkmgln32.exe), PID 2252
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\Dgdgqo32.exe (command line: C:\Windows\system32\Dgdgqo32.exe), PID 4416
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\Dokpbl32.exe (command line: C:\Windows\system32\Dokpbl32.exe), PID 4308
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 15: C:\Windows\SysWOW64\Deehofho.exe (command line: C:\Windows\system32\Deehofho.exe), PID 5104
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\Ekapgmff.exe (command line: C:\Windows\system32\Ekapgmff.exe), PID 3052
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 17: C:\Windows\SysWOW64\Eomlgk32.exe (command line: C:\Windows\system32\Eomlgk32.exe), PID 4748
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 18: C:\Windows\SysWOW64\Eheqpa32.exe (command line: C:\Windows\system32\Eheqpa32.exe), PID 3752
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 19: C:\Windows\SysWOW64\Ekdmll32.exe (command line: C:\Windows\system32\Ekdmll32.exe), PID 2112
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 20: C:\Windows\SysWOW64\Eaneiflp.exe (command line: C:\Windows\system32\Eaneiflp.exe), PID 4992
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 21: C:\Windows\SysWOW64\Edlaebkd.exe (command line: C:\Windows\system32\Edlaebkd.exe), PID 1636
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
Depth 22: C:\Windows\SysWOW64\Eelnoe32.exe (command line: C:\Windows\system32\Eelnoe32.exe), PID 1712
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 23: C:\Windows\SysWOW64\Ehjjkp32.exe (command line: C:\Windows\system32\Ehjjkp32.exe), PID 3132
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 24: C:\Windows\SysWOW64\Emgbcgoa.exe (command line: C:\Windows\system32\Emgbcgoa.exe), PID 3584
- Executes dropped EXE
Depth 25: C:\Windows\SysWOW64\Ehmgapog.exe (command line: C:\Windows\system32\Ehmgapog.exe), PID 3680
- Executes dropped EXE
Depth 26: C:\Windows\SysWOW64\Eogonj32.exe (command line: C:\Windows\system32\Eogonj32.exe), PID 4988
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 27: C:\Windows\SysWOW64\Eaekje32.exe (command line: C:\Windows\system32\Eaekje32.exe), PID 5000
- Executes dropped EXE
Depth 28: C:\Windows\SysWOW64\Faghoece.exe (command line: C:\Windows\system32\Faghoece.exe), PID 4364
- Executes dropped EXE
Depth 29: C:\Windows\SysWOW64\Fajeeeac.exe (command line: C:\Windows\system32\Fajeeeac.exe), PID 4016
- Executes dropped EXE
Depth 30: C:\Windows\SysWOW64\Fhfjgogm.exe (command line: C:\Windows\system32\Fhfjgogm.exe), PID 5024
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 31: C:\Windows\SysWOW64\Fannpd32.exe (command line: C:\Windows\system32\Fannpd32.exe), PID 3340
- Executes dropped EXE
- Modifies registry class
Depth 32: C:\Windows\SysWOW64\Fdmjlp32.exe (command line: C:\Windows\system32\Fdmjlp32.exe), PID 2660
- Executes dropped EXE
Depth 33: C:\Windows\SysWOW64\Felgfb32.exe (command line: C:\Windows\system32\Felgfb32.exe), PID 3608
- Executes dropped EXE
Depth 34: C:\Windows\SysWOW64\Ggppcjgp.exe (command line: C:\Windows\system32\Ggppcjgp.exe), PID 4040
- Executes dropped EXE
- Modifies registry class
Depth 35: C:\Windows\SysWOW64\Gnjhpd32.exe (command line: C:\Windows\system32\Gnjhpd32.exe), PID 4676
- Executes dropped EXE
Depth 36: C:\Windows\SysWOW64\Ghommmob.exe (command line: C:\Windows\system32\Ghommmob.exe), PID 3100
- Executes dropped EXE
Depth 37: C:\Windows\SysWOW64\Gkniiinf.exe (command line: C:\Windows\system32\Gkniiinf.exe), PID 3056
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 38: C:\Windows\SysWOW64\Gecmganl.exe (command line: C:\Windows\system32\Gecmganl.exe), PID 4928
- Executes dropped EXE
Depth 39: C:\Windows\SysWOW64\Ggdinj32.exe (command line: C:\Windows\system32\Ggdinj32.exe), PID 3280
- Executes dropped EXE
Depth 40: C:\Windows\SysWOW64\Gajnlb32.exe (command line: C:\Windows\system32\Gajnlb32.exe), PID 3264
- Executes dropped EXE
- Modifies registry class
Depth 41: C:\Windows\SysWOW64\Gdhjhnbd.exe (command line: C:\Windows\system32\Gdhjhnbd.exe), PID 4068
- Executes dropped EXE
Depth 42: C:\Windows\SysWOW64\Gggfdiag.exe (command line: C:\Windows\system32\Gggfdiag.exe), PID 3080
- Executes dropped EXE
Depth 43: C:\Windows\SysWOW64\Gnanqc32.exe (command line: C:\Windows\system32\Gnanqc32.exe), PID 3092
- Executes dropped EXE
Depth 44: C:\Windows\SysWOW64\Hfhfba32.exe (command line: C:\Windows\system32\Hfhfba32.exe), PID 2336
- Executes dropped EXE
Depth 45: C:\Windows\SysWOW64\Hdkgmnpa.exe (command line: C:\Windows\system32\Hdkgmnpa.exe), PID 4644
- Executes dropped EXE
- Drops file in System32 directory
Depth 46: C:\Windows\SysWOW64\Hnckfc32.exe (command line: C:\Windows\system32\Hnckfc32.exe), PID 472
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 47: C:\Windows\SysWOW64\Hboggbok.exe (command line: C:\Windows\system32\Hboggbok.exe), PID 3740
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 48: C:\Windows\SysWOW64\Hdmccmno.exe (command line: C:\Windows\system32\Hdmccmno.exe), PID 2604
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 49: C:\Windows\SysWOW64\Hocgpf32.exe (command line: C:\Windows\system32\Hocgpf32.exe), PID 112
- Executes dropped EXE
Depth 50: C:\Windows\SysWOW64\Hbadla32.exe (command line: C:\Windows\system32\Hbadla32.exe), PID 4692
- Executes dropped EXE
Depth 51: C:\Windows\SysWOW64\Hdpphm32.exe (command line: C:\Windows\system32\Hdpphm32.exe), PID 4484
- Executes dropped EXE
Depth 52: C:\Windows\SysWOW64\Hoedff32.exe (command line: C:\Windows\system32\Hoedff32.exe), PID 1288
- Executes dropped EXE
Depth 53: C:\Windows\SysWOW64\Hfombpco.exe (command line: C:\Windows\system32\Hfombpco.exe), PID 4476
- Executes dropped EXE
Depth 54: C:\Windows\SysWOW64\Hklekg32.exe (command line: C:\Windows\system32\Hklekg32.exe), PID 1072
- Executes dropped EXE
Depth 55: C:\Windows\SysWOW64\Hogakejo.exe (command line: C:\Windows\system32\Hogakejo.exe), PID 1396
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
Depth 56: C:\Windows\SysWOW64\Hddiclhf.exe (command line: C:\Windows\system32\Hddiclhf.exe), PID 4944
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 57: C:\Windows\SysWOW64\Hknapf32.exe (command line: C:\Windows\system32\Hknapf32.exe), PID 1004
- Executes dropped EXE
Depth 58: C:\Windows\SysWOW64\Hnmnlb32.exe (command line: C:\Windows\system32\Hnmnlb32.exe), PID 4232
- Executes dropped EXE
Depth 59: C:\Windows\SysWOW64\Hbhjmqgp.exe (command line: C:\Windows\system32\Hbhjmqgp.exe), PID 1000
- Executes dropped EXE
Depth 60: C:\Windows\SysWOW64\Igebegeg.exe (command line: C:\Windows\system32\Igebegeg.exe), PID 4740
- Executes dropped EXE
Depth 61: C:\Windows\SysWOW64\Iffbcomf.exe (command line: C:\Windows\system32\Iffbcomf.exe), PID 4132
- Executes dropped EXE
- Modifies registry class
Depth 62: C:\Windows\SysWOW64\Ikckkfln.exe (command line: C:\Windows\system32\Ikckkfln.exe), PID 4464
- Executes dropped EXE
- Drops file in System32 directory
Depth 63: C:\Windows\SysWOW64\Ioogld32.exe (command line: C:\Windows\system32\Ioogld32.exe), PID 1492
- Executes dropped EXE
Depth 64: C:\Windows\SysWOW64\Ibmchp32.exe (command line: C:\Windows\system32\Ibmchp32.exe), PID 1872
- Executes dropped EXE
Depth 65: C:\Windows\SysWOW64\Igjlpg32.exe (command line: C:\Windows\system32\Igjlpg32.exe), PID 3804
- Executes dropped EXE
- Modifies registry class
Depth 66: C:\Windows\SysWOW64\Ikehaejk.exe (command line: C:\Windows\system32\Ikehaejk.exe), PID 2684
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 67: C:\Windows\SysWOW64\Ifklnn32.exe (command line: C:\Windows\system32\Ifklnn32.exe), PID 3792
Depth 68: C:\Windows\SysWOW64\Iglhffop.exe (command line: C:\Windows\system32\Iglhffop.exe), PID 2192
Depth 69: C:\Windows\SysWOW64\Iocqgdpb.exe (command line: C:\Windows\system32\Iocqgdpb.exe), PID 2796
Depth 70: C:\Windows\SysWOW64\Iepiokni.exe (command line: C:\Windows\system32\Iepiokni.exe), PID 5096
Depth 71: C:\Windows\SysWOW64\Ikjale32.exe (command line: C:\Windows\system32\Ikjale32.exe), PID 4648
Depth 72: C:\Windows\SysWOW64\Inhnhp32.exe (command line: C:\Windows\system32\Inhnhp32.exe), PID 1404
Depth 73: C:\Windows\SysWOW64\Jebfej32.exe (command line: C:\Windows\system32\Jebfej32.exe), PID 4696
Depth 74: C:\Windows\SysWOW64\Jgqbaf32.exe (command line: C:\Windows\system32\Jgqbaf32.exe), PID 1920
- Modifies registry class
Depth 75: C:\Windows\SysWOW64\Jnkjnpbg.exe (command line: C:\Windows\system32\Jnkjnpbg.exe), PID 3652
- System Location Discovery: System Language Discovery
Depth 76: C:\Windows\SysWOW64\Jedbjj32.exe (command line: C:\Windows\system32\Jedbjj32.exe), PID 3744
Depth 77: C:\Windows\SysWOW64\Jgcofe32.exe (command line: C:\Windows\system32\Jgcofe32.exe), PID 3920
Depth 78: C:\Windows\SysWOW64\Jnmgcpqd.exe (command line: C:\Windows\system32\Jnmgcpqd.exe), PID 3244
Depth 79: C:\Windows\SysWOW64\Jfdodm32.exe (command line: C:\Windows\system32\Jfdodm32.exe), PID 2332
Depth 80: C:\Windows\SysWOW64\Jgeklege.exe (command line: C:\Windows\system32\Jgeklege.exe), PID 4120
- System Location Discovery: System Language Discovery
Depth 81: C:\Windows\SysWOW64\Jpmcmbhg.exe (command line: C:\Windows\system32\Jpmcmbhg.exe), PID 4584
Depth 82: C:\Windows\SysWOW64\Jeileifo.exe (command line: C:\Windows\system32\Jeileifo.exe), PID 2916
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 83: C:\Windows\SysWOW64\Jkcdbc32.exe (command line: C:\Windows\system32\Jkcdbc32.exe), PID 3708
Depth 84: C:\Windows\SysWOW64\Jelhki32.exe (command line: C:\Windows\system32\Jelhki32.exe), PID 2432
Depth 85: C:\Windows\SysWOW64\Jpamhb32.exe (command line: C:\Windows\system32\Jpamhb32.exe), PID 1144
Depth 86: C:\Windows\SysWOW64\Kfkeelko.exe (command line: C:\Windows\system32\Kfkeelko.exe), PID 2608
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 87: C:\Windows\SysWOW64\Kglamd32.exe (command line: C:\Windows\system32\Kglamd32.exe), PID 4904
- System Location Discovery: System Language Discovery
Depth 88: C:\Windows\SysWOW64\Knfjinhj.exe (command line: C:\Windows\system32\Knfjinhj.exe), PID 4140
Depth 89: C:\Windows\SysWOW64\Kepbfh32.exe (command line: C:\Windows\system32\Kepbfh32.exe), PID 596
Depth 90: C:\Windows\SysWOW64\Khonbdoj.exe (command line: C:\Windows\system32\Khonbdoj.exe), PID 3840
Depth 91: C:\Windows\SysWOW64\Knifon32.exe (command line: C:\Windows\system32\Knifon32.exe), PID 1876
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 92: C:\Windows\SysWOW64\Kfpnpk32.exe (command line: C:\Windows\system32\Kfpnpk32.exe), PID 408
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 93: C:\Windows\SysWOW64\Kinklg32.exe (command line: C:\Windows\system32\Kinklg32.exe), PID 1104
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 94: C:\Windows\SysWOW64\Kphcianj.exe (command line: C:\Windows\system32\Kphcianj.exe), PID 3076
Depth 95: C:\Windows\SysWOW64\Kfbkfk32.exe (command line: C:\Windows\system32\Kfbkfk32.exe), PID 4832
Depth 96: C:\Windows\SysWOW64\Khchmc32.exe (command line: C:\Windows\system32\Khchmc32.exe), PID 4604
Depth 97: C:\Windows\SysWOW64\Knmpjmba.exe (command line: C:\Windows\system32\Knmpjmba.exe), PID 1772
Depth 98: C:\Windows\SysWOW64\Kfdhkkcd.exe (command line: C:\Windows\system32\Kfdhkkcd.exe), PID 1348
Depth 99: C:\Windows\SysWOW64\Keghgg32.exe (command line: C:\Windows\system32\Keghgg32.exe), PID 4920
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 100: C:\Windows\SysWOW64\Lpmldp32.exe (command line: C:\Windows\system32\Lpmldp32.exe), PID 3700
Depth 101: C:\Windows\SysWOW64\Lfgdajaa.exe (command line: C:\Windows\system32\Lfgdajaa.exe), PID 1564
- System Location Discovery: System Language Discovery
Depth 102: C:\Windows\SysWOW64\Lieamfpe.exe (command line: C:\Windows\system32\Lieamfpe.exe), PID 2248
Depth 103: C:\Windows\SysWOW64\Llcmia32.exe (command line: C:\Windows\system32\Llcmia32.exe), PID 4336
Depth 104: C:\Windows\SysWOW64\Lbnefkfe.exe (command line: C:\Windows\system32\Lbnefkfe.exe), PID 4368
- Modifies registry class
Depth 105: C:\Windows\SysWOW64\Lelabgfi.exe (command line: C:\Windows\system32\Lelabgfi.exe), PID 416
Depth 106: C:\Windows\SysWOW64\Lihnbe32.exe (command line: C:\Windows\system32\Lihnbe32.exe), PID 3604
- Drops file in System32 directory
Depth 107: C:\Windows\SysWOW64\Lpafopeo.exe (command line: C:\Windows\system32\Lpafopeo.exe), PID 1696
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 108: C:\Windows\SysWOW64\Lbpbkkdc.exe (command line: C:\Windows\system32\Lbpbkkdc.exe), PID 5144
Depth 109: C:\Windows\SysWOW64\Lenngfcf.exe (command line: C:\Windows\system32\Lenngfcf.exe), PID 5188
Depth 110: C:\Windows\SysWOW64\Lhmjcbcj.exe (command line: C:\Windows\system32\Lhmjcbcj.exe), PID 5232
Depth 111: C:\Windows\SysWOW64\Lpdbeo32.exe (command line: C:\Windows\system32\Lpdbeo32.exe), PID 5276
- Drops file in System32 directory
Depth 112: C:\Windows\SysWOW64\Lfnkaiki.exe (command line: C:\Windows\system32\Lfnkaiki.exe), PID 5320
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 113: C:\Windows\SysWOW64\Lilgnejm.exe (command line: C:\Windows\system32\Lilgnejm.exe), PID 5364
Depth 114: C:\Windows\SysWOW64\Llkcjpiq.exe (command line: C:\Windows\system32\Llkcjpiq.exe), PID 5408
Depth 115: C:\Windows\SysWOW64\Lbekfj32.exe (command line: C:\Windows\system32\Lbekfj32.exe), PID 5452
- Modifies registry class
Depth 116: C:\Windows\SysWOW64\Lfpggiif.exe (command line: C:\Windows\system32\Lfpggiif.exe), PID 5488
- Drops file in System32 directory
- Modifies registry class
Depth 117: C:\Windows\SysWOW64\Lioccdhj.exe (command line: C:\Windows\system32\Lioccdhj.exe), PID 5540
Depth 118: C:\Windows\SysWOW64\Mlmpopgn.exe (command line: C:\Windows\system32\Mlmpopgn.exe), PID 5592
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 119: C:\Windows\SysWOW64\Miapid32.exe (command line: C:\Windows\system32\Miapid32.exe), PID 5640
Depth 120: C:\Windows\SysWOW64\Mbieajlh.exe (command line: C:\Windows\system32\Mbieajlh.exe), PID 5684
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 121: C:\Windows\SysWOW64\Mopefk32.exe (command line: C:\Windows\system32\Mopefk32.exe), PID 5728
Depth 122: C:\Windows\SysWOW64\Mfgnhhbo.exe (command line: C:\Windows\system32\Mfgnhhbo.exe), PID 5776