Analysis
-
max time kernel
93s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 04:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe
-
Size
96KB
-
MD5
f62e50c1f3a6f7c7bca25fa7ecc4b8ac
-
SHA1
c84d1a1e60b12945f3f910f51fa379d96fb17f48
-
SHA256
d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654
-
SHA512
ddb1ad481c2e94044deb6b9902b6f9d1b4b46cf7d5f34d9b90b03a9ccb7faeaa537775677adfabbaf6fc2db62d79a457c0e2c15b2416c642653681bcf59a7385
-
SSDEEP
3072:zzZjjrXqCSxcw8GNmsPlzi94Sp+7H7wWkq+:zdraHcwXN1Plzi9BOHhK
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Igpdfb32.exeDejacond.exePejkmk32.exeKoaagkcb.exeChfegk32.exeCdmfllhn.exeHpabni32.exeCihclh32.exeHdhedh32.exeIdfaefkd.exeOanokhdb.exeDhlpqc32.exeHdkidohn.exeLqpamb32.exeIikmbh32.exeKgknhl32.exeEblpgjha.exeCcbadp32.exeOhlqcagj.exeKbekqdjh.exeDakacjdb.exeGmiclo32.exeOobfob32.exeDmennnni.exeBanllbdn.exeOokjdn32.exeQcdbfk32.exeAbbkcpma.exeGlgjlm32.exeJgkdbacp.exeDooaoj32.exeMhdjehhj.exeOohgdhfn.exeKkpbin32.exeFkihnmhj.exeIdjlpc32.exeBggnof32.exeEiobceef.exeOcffempp.exeFbbpmb32.exeFmqgpgoc.exeEciplm32.exeQhkdof32.exeHlnjbedi.exeAfbgkl32.exeFhdohp32.exeMcjmel32.exeDmcain32.exeGifkpknp.exeAjpqnneo.exeIojbpo32.exeHbhijepa.exeDmglcj32.exeEjalcgkg.exeHfjdqmng.exeLpfgmnfp.exeAmfjeobf.exeEolhbc32.exeGafmaj32.exeIbobdqid.exeKjlopc32.exeLjeafb32.exeAjkaii32.exePlpqil32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejkmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chfegk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmfllhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpabni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihclh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oanokhdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhlpqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgknhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbekqdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dakacjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmiclo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Banllbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookjdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcdbfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdjehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohgdhfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkihnmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idjlpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bggnof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocffempp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmqgpgoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eciplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkdof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbgkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdohp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcain32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifkpknp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpqnneo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojbpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhijepa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmglcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejalcgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjdqmng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfgmnfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfjeobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gafmaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqil32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Odapnf32.exeOgpmjb32.exeOqhacgdh.exeOgbipa32.exePqknig32.exePfhfan32.exePmannhhj.exePfjcgn32.exePnakhkol.exePcncpbmd.exePncgmkmj.exePcppfaka.exePgllfp32.exePqdqof32.exePcbmka32.exePfaigm32.exeQnhahj32.exeQqfmde32.exeQgqeappe.exeQqijje32.exeQffbbldm.exeAmpkof32.exeAcjclpcf.exeAjckij32.exeAglemn32.exeAjkaii32.exeAccfbokl.exeBnhjohkb.exeBfdodjhm.exeBmngqdpj.exeBgcknmop.exeBjagjhnc.exeBmpcfdmg.exeBfhhoi32.exeBanllbdn.exeBfkedibe.exeBmemac32.exeBcoenmao.exeCfmajipb.exeCndikf32.exeCmgjgcgo.exeCfpnph32.exeCdcoim32.exeCfbkeh32.exeCeckcp32.exeCfdhkhjj.exeCajlhqjp.exeCnnlaehj.exeCalhnpgn.exeDjdmffnn.exeDopigd32.exeDejacond.exeDfknkg32.exeDaqbip32.exeDfnjafap.exeDkifae32.exeDeokon32.exeDhmgki32.exeDmjocp32.exeDeagdn32.exeDknpmdfc.exeEecdjmfi.exeEkpmbddq.exeEolhbc32.exepid Process 1408 Odapnf32.exe 2900 Ogpmjb32.exe 1672 Oqhacgdh.exe 3612 Ogbipa32.exe 3620 Pqknig32.exe 2896 Pfhfan32.exe 592 Pmannhhj.exe 440 Pfjcgn32.exe 3928 Pnakhkol.exe 3704 Pcncpbmd.exe 2372 Pncgmkmj.exe 620 Pcppfaka.exe 4608 Pgllfp32.exe 732 Pqdqof32.exe 4836 Pcbmka32.exe 4988 Pfaigm32.exe 4512 Qnhahj32.exe 64 Qqfmde32.exe 4548 Qgqeappe.exe 3504 Qqijje32.exe 428 Qffbbldm.exe 2664 Ampkof32.exe 2748 Acjclpcf.exe 4696 Ajckij32.exe 1524 Aglemn32.exe 3932 Ajkaii32.exe 4620 Accfbokl.exe 4424 Bnhjohkb.exe 3448 Bfdodjhm.exe 2628 Bmngqdpj.exe 1316 Bgcknmop.exe 1476 Bjagjhnc.exe 2092 Bmpcfdmg.exe 864 Bfhhoi32.exe 1560 Banllbdn.exe 3628 Bfkedibe.exe 4852 Bmemac32.exe 2076 Bcoenmao.exe 1552 Cfmajipb.exe 1556 Cndikf32.exe 2648 Cmgjgcgo.exe 3060 Cfpnph32.exe 1888 Cdcoim32.exe 5044 Cfbkeh32.exe 2428 Ceckcp32.exe 2432 Cfdhkhjj.exe 2020 Cajlhqjp.exe 1528 Cnnlaehj.exe 2516 Calhnpgn.exe 752 Djdmffnn.exe 2784 Dopigd32.exe 3088 Dejacond.exe 3716 Dfknkg32.exe 1120 Daqbip32.exe 2044 Dfnjafap.exe 1108 Dkifae32.exe 4136 Deokon32.exe 1464 Dhmgki32.exe 4564 Dmjocp32.exe 3976 Deagdn32.exe 3588 Dknpmdfc.exe 3940 Eecdjmfi.exe 2796 Ekpmbddq.exe 1080 Eolhbc32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Dfknkg32.exeHocqam32.exeCnfaohbj.exeIbffhhek.exeQlmgopjq.exeHhihdcbp.exeEfffmo32.exeNbgcih32.exePlndcl32.exeHpofii32.exeIkpjbq32.exeLqojclne.exeCnkkjh32.exeDhclmp32.exeEmmdom32.exeLckiihok.exePfiddm32.exeLpbopfag.exeAqaffn32.exeDiffglam.exeFhmigagd.exeAjdjin32.exeBomkcm32.exeIojbpo32.exeDeagdn32.exeEigonjcj.exePkegpb32.exeJoahqn32.exeEachem32.exeGhbbcd32.exeOpogbbig.exeBqdblmhl.exeBhpfqcln.exeCamddhoi.exeIgajal32.exeHbmcbime.exeMjahlgpf.exeAddaif32.exeDooaoj32.exeBjagjhnc.exeOpadhb32.exePofjpl32.exeIbobdqid.exeLqpamb32.exeFlpmagqi.exePnfiplog.exeCfmajipb.exeEobocb32.exeMkjnfkma.exeOmjpeo32.exeGaadfkgc.exeGgnedlao.exeGbofcghl.exeJcdala32.exeMcecjmkl.exeFmnkkg32.exeDmoohe32.exeMmpdhboj.exeNhahaiec.exeDflfac32.exeOocddono.exeEdjgfcec.exeOeokal32.exeGlcaambb.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Daqbip32.exe Dfknkg32.exe File opened for modification C:\Windows\SysWOW64\Hofmfmhj.exe Hocqam32.exe File created C:\Windows\SysWOW64\Cfnjpfcl.exe Cnfaohbj.exe File opened for modification C:\Windows\SysWOW64\Idgojc32.exe Ibffhhek.exe File created C:\Windows\SysWOW64\Aokcklid.exe Qlmgopjq.exe File opened for modification C:\Windows\SysWOW64\Hocqam32.exe Hhihdcbp.exe File opened for modification C:\Windows\SysWOW64\Eidbij32.exe Efffmo32.exe File opened for modification C:\Windows\SysWOW64\Oehlkc32.exe Nbgcih32.exe File created C:\Windows\SysWOW64\Ilkibdpe.dll Plndcl32.exe File created C:\Windows\SysWOW64\Hginecde.exe Hpofii32.exe File created C:\Windows\SysWOW64\Blafme32.dll Ikpjbq32.exe File opened for modification C:\Windows\SysWOW64\Lncjlq32.exe Lqojclne.exe File opened for modification C:\Windows\SysWOW64\Cbfgkffn.exe Cnkkjh32.exe File created C:\Windows\SysWOW64\Domdjj32.exe Dhclmp32.exe File created C:\Windows\SysWOW64\Ebimgcfi.exe Emmdom32.exe File created C:\Windows\SysWOW64\Ngidlo32.dll Lckiihok.exe File created C:\Windows\SysWOW64\Pnplfj32.exe Pfiddm32.exe File opened for modification C:\Windows\SysWOW64\Lbqklb32.exe Lpbopfag.exe File created C:\Windows\SysWOW64\Acpbbi32.exe Aqaffn32.exe File opened for modification C:\Windows\SysWOW64\Dmbbhkjf.exe Diffglam.exe File created C:\Windows\SysWOW64\Chembclp.dll Fhmigagd.exe File opened for modification C:\Windows\SysWOW64\Akffafgg.exe Ajdjin32.exe File created C:\Windows\SysWOW64\Qffkpn32.dll Bomkcm32.exe File created C:\Windows\SysWOW64\Cgdgna32.dll Iojbpo32.exe File opened for modification C:\Windows\SysWOW64\Dknpmdfc.exe Deagdn32.exe File created C:\Windows\SysWOW64\Qnmghonf.dll Eigonjcj.exe File created C:\Windows\SysWOW64\Popbpqjh.exe Pkegpb32.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Joahqn32.exe File created C:\Windows\SysWOW64\Fnjhjn32.exe Eachem32.exe File opened for modification C:\Windows\SysWOW64\Ggeboaob.exe Ghbbcd32.exe File created C:\Windows\SysWOW64\Oekpkigo.exe Opogbbig.exe File created C:\Windows\SysWOW64\Bogcgj32.exe Bqdblmhl.exe File created C:\Windows\SysWOW64\Kmdpiacg.dll Bhpfqcln.exe File opened for modification C:\Windows\SysWOW64\Chglab32.exe Camddhoi.exe File created C:\Windows\SysWOW64\Fdahdiml.dll Igajal32.exe File opened for modification C:\Windows\SysWOW64\Hnddgjbj.exe Hbmcbime.exe File created C:\Windows\SysWOW64\Mmpdhboj.exe Mjahlgpf.exe File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe Addaif32.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dooaoj32.exe File opened for modification C:\Windows\SysWOW64\Bmpcfdmg.exe Bjagjhnc.exe File created C:\Windows\SysWOW64\Jmppfooc.dll Opadhb32.exe File created C:\Windows\SysWOW64\Qcbfakec.exe Pofjpl32.exe File created C:\Windows\SysWOW64\Jbaojpgb.exe Ibobdqid.exe File created C:\Windows\SysWOW64\Bchign32.dll Lqpamb32.exe File created C:\Windows\SysWOW64\Fnnjmbpm.exe Flpmagqi.exe File created C:\Windows\SysWOW64\Pmiikh32.exe Pnfiplog.exe File created C:\Windows\SysWOW64\Cndikf32.exe Cfmajipb.exe File created C:\Windows\SysWOW64\Popieg32.dll Eobocb32.exe File created C:\Windows\SysWOW64\Fedbbjgh.dll Mkjnfkma.exe File opened for modification C:\Windows\SysWOW64\Pddhbipj.exe Omjpeo32.exe File created C:\Windows\SysWOW64\Ggnlobej.exe Gaadfkgc.exe File opened for modification C:\Windows\SysWOW64\Gdafnpqh.exe Ggnedlao.exe File created C:\Windows\SysWOW64\Gjfnedho.exe Gbofcghl.exe File created C:\Windows\SysWOW64\Jjoiil32.exe Jcdala32.exe File opened for modification C:\Windows\SysWOW64\Mjokgg32.exe Mcecjmkl.exe File opened for modification C:\Windows\SysWOW64\Fhdohp32.exe Fmnkkg32.exe File created C:\Windows\SysWOW64\Dcigeooj.exe Dmoohe32.exe File created C:\Windows\SysWOW64\Ofhjkmkl.dll Mmpdhboj.exe File created C:\Windows\SysWOW64\Nnkpnclp.exe Nhahaiec.exe File created C:\Windows\SysWOW64\Dmennnni.exe Dflfac32.exe File opened for modification C:\Windows\SysWOW64\Oenlqi32.exe Oocddono.exe File created C:\Windows\SysWOW64\Ehfcfb32.exe Edjgfcec.exe File created C:\Windows\SysWOW64\Pickil32.dll Oeokal32.exe File opened for modification C:\Windows\SysWOW64\Gbmingjo.exe Glcaambb.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 7192 6400 WerFault.exe 1012 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nbnpcj32.exeHpofii32.exeLdgccb32.exePmannhhj.exeNpgabc32.exeDbcmakpl.exeLqpamb32.exeMbedga32.exeBqkill32.exeQffbbldm.exeInnfnl32.exeMmnhcb32.exeDkqaoe32.exeBjaqpbkh.exeCfnjpfcl.exeFeoodn32.exeHpqldc32.exeJgakbm32.exePlbfdekd.exeQaalblgi.exeJgbchj32.exeOjdnid32.exeAoalgn32.exeGbeejp32.exeHfhgkmpj.exeDabhdinj.exeEfjimhnh.exeBmjkic32.exeNgdfdmdi.exeOhqbhdpj.exeCglgjeci.exeHedafk32.exeLckiihok.exeBdfpkm32.exeQoifflkg.exeAihaoqlp.exeBclang32.exeFipkjb32.exeGeaepk32.exeOfhknodl.exeBahdob32.exeGijekg32.exeNaaqofgj.exeGipdap32.exeEifaim32.exeAmjbbfgo.exeCponen32.exeQaflgago.exeAojlaeei.exeEmdajb32.exeMnjqmpgg.exeLhkgoiqe.exeJnelok32.exePopbpqjh.exeFpbflg32.exePcppfaka.exeAqkpeopg.exeDmihij32.exeOmcjep32.exeJenmcggo.exeIdgojc32.exeFdcjlb32.exeLenicahg.exeEnkdaepb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnpcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmannhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqkill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffbbldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innfnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmnhcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feoodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgakbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaalblgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdnid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhgkmpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjimhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjkic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdfdmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohqbhdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglgjeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckiihok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoifflkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihaoqlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclang32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahdob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naaqofgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cponen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojlaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqmpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkgoiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcppfaka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkpeopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmihij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcjep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgojc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdcjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe -
Modifies registry class 64 IoCs
Processes:
Kjblje32.exePmiikh32.exePnakhkol.exeEciplm32.exeEblpgjha.exeKomhll32.exeMffjcopi.exePfnegggi.exeDlkbjqgm.exeHginecde.exeLidmhmnp.exeBclang32.exeCglgjeci.exeIbobdqid.exeAcmobchj.exeEfeihb32.exeIgdgglfl.exeBnhjohkb.exeAflaie32.exeAjjjocap.exeDhlpqc32.exeGbmingjo.exeFnnjmbpm.exeBcddcbab.exeGoedpofl.exeMefmimif.exeMhoipb32.exeNhbolp32.exeJgenbfoa.exeBlhpqhlh.exeOobfob32.exeMgeakekd.exeAimkjp32.exeIfmqfm32.exeNcnofeof.exeIikmbh32.exePhfcipoo.exeCkjknfnh.exeAqkpeopg.exeEjoomhmi.exeGbofcghl.exeBhkmec32.exeMcgiefen.exeAfnnnd32.exeEiobceef.exeKglmio32.exeImiehfao.exeFbbpmb32.exeOohgdhfn.exeJcbdgb32.exeKcejco32.exeNcabfkqo.exeBggnof32.exeBfendmoc.exeAoalgn32.exePqknig32.exePcppfaka.exeDknpmdfc.exeKfcdfbqo.exeQqijje32.exePcepkfld.exeBopocbcq.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmacdg32.dll" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnjgdn.dll" Pmiikh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eciplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mffjcopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfnegggi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcldf32.dll" Dlkbjqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqpjb32.dll" Lidmhmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bclang32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnobqph.dll" Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjdiliki.dll" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efeihb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igdgglfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnhjohkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnefj32.dll" Mffjcopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihjjl32.dll" Aflaie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajjjocap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhlpqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakdmb32.dll" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liaolo32.dll" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnkfijp.dll" Goedpofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghocf32.dll" Nhbolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icahfh32.dll" Jgenbfoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oobfob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aimkjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifmqfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll" Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhajknb.dll" Aqkpeopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfadafe.dll" Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhkmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afnnnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milcqamo.dll" Kglmio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepgfb32.dll" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojjf32.dll" Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcejco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmjgpgc.dll" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajbad32.dll" Hginecde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoalgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqknig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfcdfbqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll" Qqijje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbcpja32.dll" Bopocbcq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exeOdapnf32.exeOgpmjb32.exeOqhacgdh.exeOgbipa32.exePqknig32.exePfhfan32.exePmannhhj.exePfjcgn32.exePnakhkol.exePcncpbmd.exePncgmkmj.exePcppfaka.exePgllfp32.exePqdqof32.exePcbmka32.exePfaigm32.exeQnhahj32.exeQqfmde32.exeQgqeappe.exeQqijje32.exeQffbbldm.exedescription pid Process procid_target PID 1156 wrote to memory of 1408 1156 d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe 83 PID 1156 wrote to memory of 1408 1156 d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe 83 PID 1156 wrote to memory of 1408 1156 d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe 83 PID 1408 wrote to memory of 2900 1408 Odapnf32.exe 84 PID 1408 wrote to memory of 2900 1408 Odapnf32.exe 84 PID 1408 wrote to memory of 2900 1408 Odapnf32.exe 84 PID 2900 wrote to memory of 1672 2900 Ogpmjb32.exe 85 PID 2900 wrote to memory of 1672 2900 Ogpmjb32.exe 85 PID 2900 wrote to memory of 1672 2900 Ogpmjb32.exe 85 PID 1672 wrote to memory of 3612 1672 Oqhacgdh.exe 86 PID 1672 wrote to memory of 3612 1672 Oqhacgdh.exe 86 PID 1672 wrote to memory of 3612 1672 Oqhacgdh.exe 86 PID 3612 wrote to memory of 3620 3612 Ogbipa32.exe 87 PID 3612 wrote to memory of 3620 3612 Ogbipa32.exe 87 PID 3612 wrote to memory of 3620 3612 Ogbipa32.exe 87 PID 3620 wrote to memory of 2896 3620 Pqknig32.exe 88 PID 3620 wrote to memory of 2896 3620 Pqknig32.exe 88 PID 3620 wrote to memory of 2896 3620 Pqknig32.exe 88 PID 2896 wrote to memory of 592 2896 Pfhfan32.exe 89 PID 2896 wrote to memory of 592 2896 Pfhfan32.exe 89 PID 2896 wrote to memory of 592 2896 Pfhfan32.exe 89 PID 592 wrote to memory of 440 592 Pmannhhj.exe 90 PID 592 wrote to memory of 440 592 Pmannhhj.exe 90 PID 592 wrote to memory of 440 592 Pmannhhj.exe 90 PID 440 wrote to memory of 3928 440 Pfjcgn32.exe 91 PID 440 wrote to memory of 3928 440 Pfjcgn32.exe 91 PID 440 wrote to memory of 3928 440 Pfjcgn32.exe 91 PID 3928 wrote to memory of 3704 3928 Pnakhkol.exe 92 PID 3928 wrote to memory of 3704 3928 Pnakhkol.exe 92 PID 3928 wrote to memory of 3704 3928 Pnakhkol.exe 92 PID 3704 wrote to memory of 2372 3704 Pcncpbmd.exe 93 PID 3704 wrote to memory of 2372 3704 Pcncpbmd.exe 93 PID 3704 wrote to memory of 2372 3704 Pcncpbmd.exe 93 PID 2372 wrote to memory of 620 2372 Pncgmkmj.exe 94 PID 2372 wrote to memory of 620 2372 Pncgmkmj.exe 94 PID 2372 wrote to memory of 620 2372 Pncgmkmj.exe 94 PID 620 wrote to memory of 4608 620 Pcppfaka.exe 95 PID 620 wrote to memory of 4608 620 Pcppfaka.exe 95 PID 620 wrote to memory of 4608 620 Pcppfaka.exe 95 PID 4608 wrote to memory of 732 4608 Pgllfp32.exe 96 PID 4608 wrote to memory of 732 4608 Pgllfp32.exe 96 PID 4608 wrote to memory of 732 4608 Pgllfp32.exe 96 PID 732 wrote to memory of 4836 732 Pqdqof32.exe 97 PID 732 wrote to memory of 4836 732 Pqdqof32.exe 97 PID 732 wrote to memory of 4836 732 Pqdqof32.exe 97 PID 4836 wrote to memory of 4988 4836 Pcbmka32.exe 98 PID 4836 wrote to memory of 4988 4836 Pcbmka32.exe 98 PID 4836 wrote to memory of 4988 4836 Pcbmka32.exe 98 PID 4988 wrote to memory of 4512 4988 Pfaigm32.exe 99 PID 4988 wrote to memory of 4512 4988 Pfaigm32.exe 99 PID 4988 wrote to memory of 4512 4988 Pfaigm32.exe 99 PID 4512 wrote to memory of 64 4512 Qnhahj32.exe 100 PID 4512 wrote to memory of 64 4512 Qnhahj32.exe 100 PID 4512 wrote to memory of 64 4512 Qnhahj32.exe 100 PID 64 wrote to memory of 4548 64 Qqfmde32.exe 101 PID 64 wrote to memory of 4548 64 Qqfmde32.exe 101 PID 64 wrote to memory of 4548 64 Qqfmde32.exe 101 PID 4548 wrote to memory of 3504 4548 Qgqeappe.exe 102 PID 4548 wrote to memory of 3504 4548 Qgqeappe.exe 102 PID 4548 wrote to memory of 3504 4548 Qgqeappe.exe 102 PID 3504 wrote to memory of 428 3504 Qqijje32.exe 103 PID 3504 wrote to memory of 428 3504 Qqijje32.exe 103 PID 3504 wrote to memory of 428 3504 Qqijje32.exe 103 PID 428 wrote to memory of 2664 428 Qffbbldm.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe"C:\Users\Admin\AppData\Local\Temp\d952980dc72d6ee64f7ff121a61635ad70b6f330dfafe7087892ac592c1d4654.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe23⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe24⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe25⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe26⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe28⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe30⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe31⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe32⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe34⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe35⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe37⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe38⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe39⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe41⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe42⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe43⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe44⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe45⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe46⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe47⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe48⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe50⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe51⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe52⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3716 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe55⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe56⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe57⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe58⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe59⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe60⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3976 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe63⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe64⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe66⤵PID:2644
-
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe67⤵PID:344
-
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe68⤵PID:2388
-
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe69⤵PID:3048
-
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe70⤵
- Drops file in System32 directory
PID:4088 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe71⤵
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe72⤵PID:2436
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe73⤵PID:404
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe74⤵PID:3252
-
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe75⤵PID:1800
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe76⤵PID:2756
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe77⤵PID:4804
-
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe78⤵PID:2400
-
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe79⤵PID:1352
-
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe80⤵PID:1636
-
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe81⤵PID:3664
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe82⤵PID:1684
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe83⤵
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe84⤵PID:4688
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe85⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe86⤵PID:2536
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe87⤵PID:1252
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4528 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe89⤵PID:3068
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe90⤵PID:5088
-
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe91⤵
- Drops file in System32 directory
PID:3996 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe92⤵PID:2064
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe93⤵PID:1300
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe94⤵PID:1348
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe95⤵
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe96⤵PID:1572
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe97⤵PID:2136
-
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe98⤵
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe99⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe100⤵PID:4148
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe101⤵
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe102⤵
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe103⤵PID:5180
-
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe105⤵PID:5268
-
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe106⤵PID:5316
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe107⤵PID:5356
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe108⤵PID:5400
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe109⤵PID:5436
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe110⤵PID:5488
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe111⤵PID:5532
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe112⤵PID:5576
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5620 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe114⤵PID:5664
-
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe115⤵PID:5708
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe116⤵PID:5756
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe117⤵PID:5800
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe118⤵PID:5844
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe119⤵PID:5888
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe120⤵PID:5932
-
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5976
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-