Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 18:55
Behavioral task: behavioral1
Sample: 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe
Resource: win10v2004-20241007-en
General
Target: 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe
Size: 128KB
MD5: e476de70c54771c9778bb47b5c73ee30
SHA1: 3bd507ce149ef54a8548b67c1290f1ea419dab1d
SHA256: 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6
SHA512: f26057f1762139e08645f5db334ecfedcf5e74405db661c50624546d7f74689632497a5795f041443d2904a431e14f65b0845a47bade3becada5aeec0d59b830
SSDEEP: 3072:SoJkYbBVsjQjnLpTH1NkU86zdH13+EE+RaZ6r+GDZnr:dkYniQj9Tn186zd5IF6rfBr
Malware Config
Extracted family: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: pid 13028, pid_target 14320, procid_target 1726
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Processes:
Olleglmk.exeGdhcmh32.exeMmkbllhg.exeOkghhcfb.exeEjpbbpoo.exePlmdhoca.exeDebfginj.exeFaddoo32.exeBjfgedel.exeOdliqbkj.exeIglhffop.exeNonbhifl.exeMlofji32.exeAdohdn32.exeCaohipan.exeKeekahla.exeOhnlam32.exePjflaoem.exePpcqdikg.exeGkmbob32.exePkfjdj32.exeCakibchj.exeJkndmnne.exePhiebe32.exeMgiipc32.exeFkgbijdn.exeMpmeknkb.exeCojenjnk.exeGacgkcih.exeHknapf32.exeBkkmfg32.exeAghhla32.exeAjdahf32.exePanfke32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiklemje.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olleglmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afokhc32.dll" Gdhcmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgakmlgc.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmkbllhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbokmo32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okghhcfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqogmk32.dll" Ejpbbpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plmdhoca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfeffgj.dll" Debfginj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpiledo.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Faddoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amlajoem.dll" Bjfgedel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odliqbkj.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqkfm32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iglhffop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nonbhifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojincqj.dll" Mlofji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adohdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjebolhp.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caohipan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Keekahla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohnlam32.exe Key created 
description | ioc | Process
 | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pjflaoem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ppcqdikg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gkmbob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maqeekhb.dll" | Pkfjdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhaoko32.dll" | Cakibchj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jkndmnne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Phiebe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgpkomm.dll" | Mgiipc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhgagb32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fkgbijdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdchbc32.dll" | Mpmeknkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cojenjnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfqhm32.dll" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gacgkcih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hknapf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bkkmfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcafjj32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbjejfkc.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jldepp32.dll" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdcmbqhk.dll" | Aghhla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajdahf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Panfke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopmldik.dll" |
-
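The rows above are easier to reason about once parsed: one CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, gets an InProcServer32 subkey whose default value (the DLL COM loads for that class) is rewritten again and again, each time to a freshly dropped DLL under SysWow64, with ThreadingModel = "Apartment". The Python below is an added example, not code from the report or from the sample it describes. It assumes the report's own "description ioc Process" row layout, takes a constructed subset of the rows as input, groups the writes by CLSID, lists every DLL path the class was pointed at and which process wrote it, and checks the DLL names against the eight-letter name shape that all dropped files in this report share.

```python
"""Parse 'Modifies registry class' rows from a sandbox report and summarise
what each CLSID's InProcServer32 registration resolves to."""
import re
from collections import defaultdict

# Constructed sample: a subset of the rows above, in the report's own layout.
# The Process cell is empty on some rows, exactly as in the report.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppcqdikg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkmbob32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maqeekhb.dll" Pkfjdj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhaoko32.dll" Cakibchj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkndmnne.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgpkomm.dll" Mgiipc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdchbc32.dll" Mpmeknkb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hknapf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopmldik.dll"
"""

ROW_RE = re.compile(
    r'^(?P<action>Key created|Set value \(\w+\))\s+'
    r'(?P<path>\\REGISTRY\\[^\s=]+)'            # key, or key\valuename for Set value rows
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'             # quoted data on Set value rows
    r'(?:\s+(?P<process>\S+\.exe))?\s*$'         # writing process, when the report has it
)
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})')
# Name shape of every dropped .exe/.dll in this report: a capital letter, then
# seven lowercase letters or five lowercase letters followed by "32".
GEN_NAME_RE = re.compile(r'^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:exe|dll)$')


def parse_row(line):
    """One report row -> dict(action, key, value, data, process, clsid)."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    action, path, data, process = m.group("action", "path", "data", "process")
    if action == "Key created":
        key, value = path, None
    else:
        key, _, value = path.rpartition("\\")   # trailing backslash = default value
        value = value or "(Default)"
    if data is not None:
        data = data.replace("\\\\", "\\")        # the report escapes backslashes in data
    clsid = CLSID_RE.search(key)
    return {"action": action, "key": key, "value": value, "data": data,
            "process": process, "clsid": clsid.group(1).upper() if clsid else None}


def looks_generated(path):
    """True if the file name matches the name shape of the dropped files."""
    return bool(GEN_NAME_RE.match(path.rsplit("\\", 1)[-1]))


def summarise(rows):
    """Group InProcServer32 writes by CLSID: DLL paths, threading model, writers."""
    per_clsid = defaultdict(lambda: {"servers": [], "threading": set(),
                                     "writers": set(), "key_created": 0})
    for line in rows.splitlines():
        if not line.strip():
            continue
        r = parse_row(line)
        if r["clsid"] is None or not r["key"].endswith("\\InProcServer32"):
            continue
        entry = per_clsid[r["clsid"]]
        if r["process"]:
            entry["writers"].add(r["process"])
        if r["action"] == "Key created":
            entry["key_created"] += 1
        elif r["value"] == "(Default)":
            entry["servers"].append(r["data"])   # the DLL COM will load for this class
        elif r["value"] == "ThreadingModel":
            entry["threading"].add(r["data"])
    return dict(per_clsid)


def findings(rows):
    """One finding per CLSID: how often the server DLL was re-pointed and to what."""
    out = []
    for clsid, e in summarise(rows).items():
        distinct = sorted(set(e["servers"]))
        out.append({
            "clsid": clsid,
            "rewrites": len(e["servers"]),
            "dlls": distinct,
            "apartment": e["threading"] == {"Apartment"},
            "writers": sorted(e["writers"]),
            "all_generated_names": all(looks_generated(d) for d in distinct),
        })
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_ROWS):
        print(f["clsid"], "re-pointed", f["rewrites"], "times to", f["dlls"])
```

Every distinct DLL the class is pointed at is a separate artefact to collect; the registration is only as persistent as the last value written, so the final entry in the full table (Fopmldik.dll) is the one an image of the machine would resolve, while the earlier ones show which dropped generations wrote it.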
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe, Fecdpd32.exe, Fhaplo32.exe, Fkpmhk32.exe, Fnnidf32.exe, Fhcmao32.exe, Foneni32.exe, Fehmkchi.exe, Fdjnfp32.exe, Fgijbk32.exe, Fncboeed.exe, Fhhfmnej.exe, Fkgbijdn.exe, Fneoeeca.exe, Gdogaojo.exe, Ggncnkjb.exe, Gkioni32.exe, Gnglje32.exe, Gacgkcih.exe, Gdadgohl.exe, Gkkldi32.exe, Gnjhpd32.exe
description | pid | Process | procid_target | occurrences
PID 3512 wrote to memory of 4240 | 3512 | 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe | 85 | 3
PID 4240 wrote to memory of 1092 | 4240 | Fecdpd32.exe | 86 | 3
PID 1092 wrote to memory of 3424 | 1092 | Fhaplo32.exe | 87 | 3
PID 3424 wrote to memory of 2312 | 3424 | Fkpmhk32.exe | 89 | 3
PID 2312 wrote to memory of 1304 | 2312 | Fnnidf32.exe | 90 | 3
PID 1304 wrote to memory of 2212 | 1304 | Fhcmao32.exe | 91 | 3
PID 2212 wrote to memory of 2000 | 2212 | Foneni32.exe | 93 | 3
PID 2000 wrote to memory of 3996 | 2000 | Fehmkchi.exe | 94 | 3
PID 3996 wrote to memory of 3416 | 3996 | Fdjnfp32.exe | 95 | 3
PID 3416 wrote to memory of 860 | 3416 | Fgijbk32.exe | 96 | 3
PID 860 wrote to memory of 640 | 860 | Fncboeed.exe | 97 | 3
PID 640 wrote to memory of 1388 | 640 | Fhhfmnej.exe | 99 | 3
PID 1388 wrote to memory of 2276 | 1388 | Fkgbijdn.exe | 100 | 3
PID 2276 wrote to memory of 2004 | 2276 | Fneoeeca.exe | 101 | 3
PID 2004 wrote to memory of 3648 | 2004 | Gdogaojo.exe | 102 | 3
PID 3648 wrote to memory of 4000 | 3648 | Ggncnkjb.exe | 103 | 3
PID 4000 wrote to memory of 1896 | 4000 | Gkioni32.exe | 104 | 3
PID 1896 wrote to memory of 220 | 1896 | Gnglje32.exe | 105 | 3
PID 220 wrote to memory of 3696 | 220 | Gacgkcih.exe | 106 | 3
PID 3696 wrote to memory of 4948 | 3696 | Gdadgohl.exe | 107 | 3
PID 4948 wrote to memory of 3860 | 4948 | Gkkldi32.exe | 108 | 3
PID 3860 wrote to memory of 2116 | 3860 | Gnjhpd32.exe | 109 | 1
(identical rows are collapsed; the occurrences column carries the original count, 64 rows in total, and the report lists at most 64 per signature)
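Each "PID X wrote to memory of Y" row is a cross-process write by a parent into the child it has just spawned, and the parent of one row is the child of the previous one, so the rows chain end to end (Sysmon reports the equivalent telemetry as Event ID 10, ProcessAccess). The Python below is an added example, not part of the report or of the sample. It assumes the "description pid Process procid_target" layout above and takes a constructed subset of the rows as input: it rebuilds the parent-to-child chain from each root PID, names each hop from the parent column, counts writes per hop, flags any branching, reports an edge that has no path back to the root, and returns chains longer than a threshold, which is the shape this sample's behaviour takes.

```python
"""Rebuild the execution chain from 'Suspicious use of WriteProcessMemory' rows
of a sandbox report: each row is one write by a parent into its child."""
import re
from collections import Counter, defaultdict

# Constructed sample: the first six hops from the table above (three writes per
# hop, as the report records them) plus the detached 3860 -> 2116 row, so that
# an edge with no path back to the root is exercised as well.
SAMPLE_ROWS = """
PID 3512 wrote to memory of 4240 3512 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe 85
PID 3512 wrote to memory of 4240 3512 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe 85
PID 3512 wrote to memory of 4240 3512 71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe 85
PID 4240 wrote to memory of 1092 4240 Fecdpd32.exe 86
PID 4240 wrote to memory of 1092 4240 Fecdpd32.exe 86
PID 4240 wrote to memory of 1092 4240 Fecdpd32.exe 86
PID 1092 wrote to memory of 3424 1092 Fhaplo32.exe 87
PID 1092 wrote to memory of 3424 1092 Fhaplo32.exe 87
PID 1092 wrote to memory of 3424 1092 Fhaplo32.exe 87
PID 3424 wrote to memory of 2312 3424 Fkpmhk32.exe 89
PID 3424 wrote to memory of 2312 3424 Fkpmhk32.exe 89
PID 3424 wrote to memory of 2312 3424 Fkpmhk32.exe 89
PID 2312 wrote to memory of 1304 2312 Fnnidf32.exe 90
PID 2312 wrote to memory of 1304 2312 Fnnidf32.exe 90
PID 2312 wrote to memory of 1304 2312 Fnnidf32.exe 90
PID 1304 wrote to memory of 2212 1304 Fhcmao32.exe 91
PID 1304 wrote to memory of 2212 1304 Fhcmao32.exe 91
PID 1304 wrote to memory of 2212 1304 Fhcmao32.exe 91
PID 3860 wrote to memory of 2116 3860 Gnjhpd32.exe 109
"""

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+'
    r'(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<target>\d+)$'
)


def parse_rows(text):
    """Each row -> (writer pid, target pid, writer image name, procid_target)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, pid, target = (int(m.group(k)) for k in ("src", "dst", "pid", "target"))
        if src != pid:   # the description and the pid column must agree
            raise ValueError(f"pid mismatch ({src} vs {pid}): {line!r}")
        rows.append((src, dst, m.group("proc"), target))
    return rows


def reconstruct(text):
    """Roots, one parent->child chain per root, writes per hop, and branching."""
    rows = parse_rows(text)
    calls = Counter((s, d) for s, d, _, _ in rows)          # writes per hop
    names = {s: p for s, _, p, _ in rows}                     # only writers are named
    children = defaultdict(set)
    for s, d, _, _ in rows:
        children[s].add(d)
    targets = {d for _, d, _, _ in rows}
    roots = sorted(s for s in children if s not in targets)   # written to by nobody
    branching = sorted(s for s, kids in children.items() if len(kids) > 1)
    chains = {}
    for root in roots:
        chain, pid, seen = [], root, set()
        while pid is not None and pid not in seen:            # 'seen' guards PID reuse
            seen.add(pid)
            chain.append((pid, names.get(pid)))               # None: never seen as writer
            kids = children.get(pid, set())
            pid = min(kids) if kids else None                 # linear walk; forks are in 'branching'
        chains[root] = chain
    return {"roots": roots, "chains": chains, "calls": dict(calls), "branching": branching}


def long_chains(result, min_len=5):
    """Roots whose chain of injecting processes is at least min_len deep."""
    return [root for root, chain in result["chains"].items() if len(chain) >= min_len]


if __name__ == "__main__":
    res = reconstruct(SAMPLE_ROWS)
    for root, chain in res["chains"].items():
        print(root, " -> ".join(f"{pid}:{name or '?'}" for pid, name in chain))
```

The last process of a chain has no name here because the table names only writers; the process tree below supplies it (2212 is Foneni32.exe, 2116 is Gddqmo32.exe). Three writes per hop is what the sandbox recorded for this sample; the count is a useful fingerprint to compare across runs, but a detection should key on the depth of the chain and on each hop being parent-into-freshly-spawned-child rather than on the exact number.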
Processes
-
Each process is the child of the one above it: the tree is a single linear chain, so the depth column is also the position in the chain. These are 32-bit processes, which is why the image path is under SysWOW64 while the command line says system32 (WOW64 file system redirection).
Depth | PID | Image | Command line | Signatures
1 | 3512 | C:\Users\Admin\AppData\Local\Temp\71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe | "C:\Users\Admin\AppData\Local\Temp\71d2cab677b42ca6e47e5cc5c2d074862474a31f4489fa9a11f5d7fc9444e7f6N.exe" | Suspicious use of WriteProcessMemory
2 | 4240 | C:\Windows\SysWOW64\Fecdpd32.exe | C:\Windows\system32\Fecdpd32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | 1092 | C:\Windows\SysWOW64\Fhaplo32.exe | C:\Windows\system32\Fhaplo32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | 3424 | C:\Windows\SysWOW64\Fkpmhk32.exe | C:\Windows\system32\Fkpmhk32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | 2312 | C:\Windows\SysWOW64\Fnnidf32.exe | C:\Windows\system32\Fnnidf32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | 1304 | C:\Windows\SysWOW64\Fhcmao32.exe | C:\Windows\system32\Fhcmao32.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
7 | 2212 | C:\Windows\SysWOW64\Foneni32.exe | C:\Windows\system32\Foneni32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | 2000 | C:\Windows\SysWOW64\Fehmkchi.exe | C:\Windows\system32\Fehmkchi.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | 3996 | C:\Windows\SysWOW64\Fdjnfp32.exe | C:\Windows\system32\Fdjnfp32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | 3416 | C:\Windows\SysWOW64\Fgijbk32.exe | C:\Windows\system32\Fgijbk32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | 860 | C:\Windows\SysWOW64\Fncboeed.exe | C:\Windows\system32\Fncboeed.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | 640 | C:\Windows\SysWOW64\Fhhfmnej.exe | C:\Windows\system32\Fhhfmnej.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | 1388 | C:\Windows\SysWOW64\Fkgbijdn.exe | C:\Windows\system32\Fkgbijdn.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
14 | 2276 | C:\Windows\SysWOW64\Fneoeeca.exe | C:\Windows\system32\Fneoeeca.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | 2004 | C:\Windows\SysWOW64\Gdogaojo.exe | C:\Windows\system32\Gdogaojo.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | 3648 | C:\Windows\SysWOW64\Ggncnkjb.exe | C:\Windows\system32\Ggncnkjb.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | 4000 | C:\Windows\SysWOW64\Gkioni32.exe | C:\Windows\system32\Gkioni32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | 1896 | C:\Windows\SysWOW64\Gnglje32.exe | C:\Windows\system32\Gnglje32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | 220 | C:\Windows\SysWOW64\Gacgkcih.exe | C:\Windows\system32\Gacgkcih.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
20 | 3696 | C:\Windows\SysWOW64\Gdadgohl.exe | C:\Windows\system32\Gdadgohl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | 4948 | C:\Windows\SysWOW64\Gkkldi32.exe | C:\Windows\system32\Gkkldi32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | 3860 | C:\Windows\SysWOW64\Gnjhpd32.exe | C:\Windows\system32\Gnjhpd32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
23 | 2116 | C:\Windows\SysWOW64\Gddqmo32.exe | C:\Windows\system32\Gddqmo32.exe | Executes dropped EXE
24 | 3832 | C:\Windows\SysWOW64\Ggbmij32.exe | C:\Windows\system32\Ggbmij32.exe | Executes dropped EXE
25 | 4132 | C:\Windows\SysWOW64\Goiejg32.exe | C:\Windows\system32\Goiejg32.exe | Executes dropped EXE
26 | 1864 | C:\Windows\SysWOW64\Gecmganl.exe | C:\Windows\system32\Gecmganl.exe | Executes dropped EXE
27 | 4556 | C:\Windows\SysWOW64\Ghbicmmp.exe | C:\Windows\system32\Ghbicmmp.exe | Executes dropped EXE
28 | 1448 | C:\Windows\SysWOW64\Ggdinj32.exe | C:\Windows\system32\Ggdinj32.exe | Executes dropped EXE
29 | 4164 | C:\Windows\SysWOW64\Gnoakdkg.exe | C:\Windows\system32\Gnoakdkg.exe | Executes dropped EXE
30 | 4832 | C:\Windows\SysWOW64\Gdhjhnbd.exe | C:\Windows\system32\Gdhjhnbd.exe | Executes dropped EXE
31 | 400 | C:\Windows\SysWOW64\Gggfdiag.exe | C:\Windows\system32\Gggfdiag.exe | Executes dropped EXE
32 | 4676 | C:\Windows\SysWOW64\Gonnegbj.exe | C:\Windows\system32\Gonnegbj.exe | Executes dropped EXE
33 | 2204 | C:\Windows\SysWOW64\Hfhfba32.exe | C:\Windows\system32\Hfhfba32.exe | Executes dropped EXE
34 | 752 | C:\Windows\SysWOW64\Hhfbnl32.exe | C:\Windows\system32\Hhfbnl32.exe | Executes dropped EXE
35 | 4436 | C:\Windows\SysWOW64\Hkeojh32.exe | C:\Windows\system32\Hkeojh32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
36 | 4904 | C:\Windows\SysWOW64\Hboggbok.exe | C:\Windows\system32\Hboggbok.exe | Executes dropped EXE
37 | 2680 | C:\Windows\SysWOW64\Hdmccmno.exe | C:\Windows\system32\Hdmccmno.exe | Executes dropped EXE
38 | 2832 | C:\Windows\SysWOW64\Hglpoi32.exe | C:\Windows\system32\Hglpoi32.exe | Executes dropped EXE
39 | 2716 | C:\Windows\SysWOW64\Hocgpf32.exe | C:\Windows\system32\Hocgpf32.exe | Executes dropped EXE; Drops file in System32 directory
40 | 3660 | C:\Windows\SysWOW64\Hnehlceo.exe | C:\Windows\system32\Hnehlceo.exe | Executes dropped EXE
41 | 4100 | C:\Windows\SysWOW64\Hdpphm32.exe | C:\Windows\system32\Hdpphm32.exe | Executes dropped EXE
42 | 2964 | C:\Windows\SysWOW64\Hhklilde.exe | C:\Windows\system32\Hhklilde.exe | Executes dropped EXE
43 | 2364 | C:\Windows\SysWOW64\Hkihegdi.exe | C:\Windows\system32\Hkihegdi.exe | Executes dropped EXE
44 | 2028 | C:\Windows\SysWOW64\Hbcqba32.exe | C:\Windows\system32\Hbcqba32.exe | Executes dropped EXE
45 | 1676 | C:\Windows\SysWOW64\Hhmiokbb.exe | C:\Windows\system32\Hhmiokbb.exe | Executes dropped EXE
46 | 4844 | C:\Windows\SysWOW64\Hgpijhim.exe | C:\Windows\system32\Hgpijhim.exe | Executes dropped EXE
47 | 2884 | C:\Windows\SysWOW64\Hnjagb32.exe | C:\Windows\system32\Hnjagb32.exe | Executes dropped EXE
48 | 2148 | C:\Windows\SysWOW64\Hddiclhf.exe | C:\Windows\system32\Hddiclhf.exe | Executes dropped EXE
49 | 4388 | C:\Windows\SysWOW64\Hknapf32.exe | C:\Windows\system32\Hknapf32.exe | Executes dropped EXE; Modifies registry class
50 | 208 | C:\Windows\SysWOW64\Hnmnlb32.exe | C:\Windows\system32\Hnmnlb32.exe | Executes dropped EXE
51 | 3116 | C:\Windows\SysWOW64\Ifdfno32.exe | C:\Windows\system32\Ifdfno32.exe | Executes dropped EXE
52 | 456 | C:\Windows\SysWOW64\Igebegeg.exe | C:\Windows\system32\Igebegeg.exe | Executes dropped EXE
53 | 1764 | C:\Windows\SysWOW64\Inokbamd.exe | C:\Windows\system32\Inokbamd.exe | Executes dropped EXE
54 | 3092 | C:\Windows\SysWOW64\Ibjgbp32.exe | C:\Windows\system32\Ibjgbp32.exe | Executes dropped EXE
55 | 1184 | C:\Windows\SysWOW64\Idicol32.exe | C:\Windows\system32\Idicol32.exe | Executes dropped EXE
56 | 3516 | C:\Windows\SysWOW64\Iggokg32.exe | C:\Windows\system32\Iggokg32.exe | Executes dropped EXE
57 | 3180 | C:\Windows\SysWOW64\Ioogld32.exe | C:\Windows\system32\Ioogld32.exe | Executes dropped EXE
58 | 1692 | C:\Windows\SysWOW64\Ibmchp32.exe | C:\Windows\system32\Ibmchp32.exe | Executes dropped EXE
59 | 4848 | C:\Windows\SysWOW64\Idkpdk32.exe | C:\Windows\system32\Idkpdk32.exe | Executes dropped EXE
60 | 1892 | C:\Windows\SysWOW64\Igjlpg32.exe | C:\Windows\system32\Igjlpg32.exe | Executes dropped EXE
61 | 432 | C:\Windows\SysWOW64\Ioadadbd.exe | C:\Windows\system32\Ioadadbd.exe | Executes dropped EXE
62 | 1840 | C:\Windows\SysWOW64\Ibopnpah.exe | C:\Windows\system32\Ibopnpah.exe | Executes dropped EXE
63 | 2692 | C:\Windows\SysWOW64\Idnljkpl.exe | C:\Windows\system32\Idnljkpl.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
64 | 3640 | C:\Windows\SysWOW64\Iglhffop.exe | C:\Windows\system32\Iglhffop.exe | Executes dropped EXE; Modifies registry class
65 | 512 | C:\Windows\SysWOW64\Iocqgdpb.exe | C:\Windows\system32\Iocqgdpb.exe | Executes dropped EXE
66 | 1584 | C:\Windows\SysWOW64\Ibamcooe.exe | C:\Windows\system32\Ibamcooe.exe |
67 | 64 | C:\Windows\SysWOW64\Iepiokni.exe | C:\Windows\system32\Iepiokni.exe |
68 | 612 | C:\Windows\SysWOW64\Ignekfmm.exe | C:\Windows\system32\Ignekfmm.exe | Drops file in System32 directory
69 | 1496 | C:\Windows\SysWOW64\Ioemmcno.exe | C:\Windows\system32\Ioemmcno.exe |
70 | 2164 | C:\Windows\SysWOW64\Jbdiio32.exe | C:\Windows\system32\Jbdiio32.exe |
71 | 4688 | C:\Windows\SysWOW64\Jgqbaf32.exe | C:\Windows\system32\Jgqbaf32.exe |
72 | 1244 | C:\Windows\SysWOW64\Johjbc32.exe | C:\Windows\system32\Johjbc32.exe |
73 | 4044 | C:\Windows\SysWOW64\Jbffno32.exe | C:\Windows\system32\Jbffno32.exe |
74 | 1196 | C:\Windows\SysWOW64\Jedbjj32.exe | C:\Windows\system32\Jedbjj32.exe |
75 | 2104 | C:\Windows\SysWOW64\Jnmgcpqd.exe | C:\Windows\system32\Jnmgcpqd.exe |
76 | 1812 | C:\Windows\SysWOW64\Jfdodm32.exe | C:\Windows\system32\Jfdodm32.exe |
77 | 1040 | C:\Windows\SysWOW64\Jibkqh32.exe | C:\Windows\system32\Jibkqh32.exe |
78 | 4876 | C:\Windows\SysWOW64\Jnocio32.exe | C:\Windows\system32\Jnocio32.exe |
79 | 1452 | C:\Windows\SysWOW64\Jkcdbc32.exe | C:\Windows\system32\Jkcdbc32.exe |
80 | 1292 | C:\Windows\SysWOW64\Jelhki32.exe | C:\Windows\system32\Jelhki32.exe |
81 | 2600 | C:\Windows\SysWOW64\Kndmdojl.exe | C:\Windows\system32\Kndmdojl.exe |
82 | 2736 | C:\Windows\SysWOW64\Keneqi32.exe | C:\Windows\system32\Keneqi32.exe |
83 | 3236 | C:\Windows\SysWOW64\Kglamd32.exe | C:\Windows\system32\Kglamd32.exe |
84 | 184 | C:\Windows\SysWOW64\Kepbfh32.exe | C:\Windows\system32\Kepbfh32.exe |
85 | 4080 | C:\Windows\SysWOW64\Knifon32.exe | C:\Windows\system32\Knifon32.exe |
86 | 4740 | C:\Windows\SysWOW64\Klmghb32.exe | C:\Windows\system32\Klmghb32.exe |
87 | 5112 | C:\Windows\SysWOW64\Keekahla.exe | C:\Windows\system32\Keekahla.exe | Modifies registry class
88 | 1360 | C:\Windows\SysWOW64\Knmpjmba.exe | C:\Windows\system32\Knmpjmba.exe | System Location Discovery: System Language Discovery
89 | 3580 | C:\Windows\SysWOW64\Kfdhkkcd.exe | C:\Windows\system32\Kfdhkkcd.exe |
90 | 2768 | C:\Windows\SysWOW64\Lpmldp32.exe | C:\Windows\system32\Lpmldp32.exe |
91 | 3020 | C:\Windows\SysWOW64\Lbkhpl32.exe | C:\Windows\system32\Lbkhpl32.exe |
92 | 2216 | C:\Windows\SysWOW64\Lfgdajaa.exe | C:\Windows\system32\Lfgdajaa.exe |
93 | 3488 | C:\Windows\SysWOW64\Lejelg32.exe | C:\Windows\system32\Lejelg32.exe |
94 | 620 | C:\Windows\SysWOW64\Lpoijpgb.exe | C:\Windows\system32\Lpoijpgb.exe |
95 | 3624 | C:\Windows\SysWOW64\Lihnbe32.exe | C:\Windows\system32\Lihnbe32.exe |
96 | 4432 | C:\Windows\SysWOW64\Llfjoa32.exe | C:\Windows\system32\Llfjoa32.exe |
97 | 5036 | C:\Windows\SysWOW64\Lndfkl32.exe | C:\Windows\system32\Lndfkl32.exe |
98 | 3380 | C:\Windows\SysWOW64\Lflnlj32.exe | C:\Windows\system32\Lflnlj32.exe |
99 | 2824 | C:\Windows\SysWOW64\Lenngfcf.exe | C:\Windows\system32\Lenngfcf.exe |
100 | 1316 | C:\Windows\SysWOW64\Llhfdq32.exe | C:\Windows\system32\Llhfdq32.exe |
101 | 5088 | C:\Windows\SysWOW64\Logbpljg.exe | C:\Windows\system32\Logbpljg.exe |
102 | 4368 | C:\Windows\SysWOW64\Lfnkaiki.exe | C:\Windows\system32\Lfnkaiki.exe |
103 | 4968 | C:\Windows\SysWOW64\Lilgnejm.exe | C:\Windows\system32\Lilgnejm.exe |
104 | 4408 | C:\Windows\SysWOW64\Lhogia32.exe | C:\Windows\system32\Lhogia32.exe |
105 | 2296 | C:\Windows\SysWOW64\Loioflhd.exe | C:\Windows\system32\Loioflhd.exe |
106 | 4696 | C:\Windows\SysWOW64\Lbekfj32.exe | C:\Windows\system32\Lbekfj32.exe |
107 | 2264 | C:\Windows\SysWOW64\Lfpggiif.exe | C:\Windows\system32\Lfpggiif.exe |
108 | 2536 | C:\Windows\SysWOW64\Lioccdhj.exe | C:\Windows\system32\Lioccdhj.exe |
109 | 1020 | C:\Windows\SysWOW64\Mlmpopgn.exe | C:\Windows\system32\Mlmpopgn.exe |
110 | 4880 | C:\Windows\SysWOW64\Moklkkfa.exe | C:\Windows\system32\Moklkkfa.exe |
111 | 1236 | C:\Windows\SysWOW64\Mbghljok.exe | C:\Windows\system32\Mbghljok.exe |
112 | 3628 | C:\Windows\SysWOW64\Miapid32.exe | C:\Windows\system32\Miapid32.exe |
113 | 5156 | C:\Windows\SysWOW64\Mhdqdamb.exe | C:\Windows\system32\Mhdqdamb.exe | Adds autorun key to be loaded by Explorer.exe on startup
114 | 5204 | C:\Windows\SysWOW64\Mlomep32.exe | C:\Windows\system32\Mlomep32.exe | System Location Discovery: System Language Discovery
115 | 5248 | C:\Windows\SysWOW64\Mbieajlh.exe | C:\Windows\system32\Mbieajlh.exe | System Location Discovery: System Language Discovery
116 | 5292 | C:\Windows\SysWOW64\Mfeabh32.exe | C:\Windows\system32\Mfeabh32.exe | System Location Discovery: System Language Discovery
117 | 5328 | C:\Windows\SysWOW64\Micmnd32.exe | C:\Windows\system32\Micmnd32.exe |
118 | 5380 | C:\Windows\SysWOW64\Mhfmjqkp.exe | C:\Windows\system32\Mhfmjqkp.exe |
119 | 5424 | C:\Windows\SysWOW64\Mpmeknkb.exe | C:\Windows\system32\Mpmeknkb.exe | Modifies registry class
120 | 5468 | C:\Windows\SysWOW64\Mopefk32.exe | C:\Windows\system32\Mopefk32.exe |
121 | 5512 | C:\Windows\SysWOW64\Mfgnhhbo.exe | C:\Windows\system32\Mfgnhhbo.exe |
122 | 5556 | C:\Windows\SysWOW64\Mifjdcbb.exe | C:\Windows\system32\Mifjdcbb.exe |