Analysis
-
max time kernel
93s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 05:29
Static task
static1
Behavioral task
behavioral1
Sample
f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe
Resource
win10v2004-20241007-en
General
-
Target
f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe
-
Size
96KB
-
MD5
eeb66d9674238fa7df5556d2ef40a243
-
SHA1
5d6d8b123401d8de40f180de81efce232265e762
-
SHA256
f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496
-
SHA512
32eb27504ce7b374f84955b1599af8ea3f5685a3347ea5eee0333017352df3994d32cac3d6eb8540a9bc386f82e795074109b0525f464e8b7e6689a8de55120e
-
SSDEEP
1536:ET0HLAVM968fUWmNWpjzx6FuAt/t7X/BOmDJCMy0QiLiizHNQNdq:c0HLAAUWmNyz4FuANt7X5Om1CMyELiAd
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fnnjmbpm.exeDjdflp32.exeOocmii32.exeEbdlangb.exePfillg32.exeOaompd32.exeFqgedh32.exePlagcbdn.exeEpmmqheb.exeOgcnmc32.exeHefnkkkj.exef94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exeGaefgd32.exeKdkdgchl.exeMnmdme32.exeGljgbllj.exeBaadiiif.exeLgdidgjg.exeMfqlfb32.exeHalhfe32.exeGlldgljg.exeFmcjpl32.exeDkndie32.exeFgcjfbed.exeIhkjno32.exeHhiajmod.exeJklphekp.exeMchppmij.exeCfbcke32.exeLcfidb32.exeDlkbjqgm.exeBgeaifia.exeOaajed32.exeAhgcjddh.exeJlgoek32.exeKmkbfeab.exeLnohlgep.exeChlflabp.exePlbfdekd.exeLobjni32.exeBdagpnbk.exeNqfbpb32.exeFlqdlnde.exeNjkkbehl.exeOeokal32.exeNckkfp32.exeLgjijmin.exeLenicahg.exeFaenpf32.exeKkmioc32.exeMejpje32.exeQofcff32.exeQebhhp32.exeCiafbg32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnnjmbpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdflp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfillg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaompd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqgedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plagcbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hefnkkkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaefgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gljgbllj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadiiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Halhfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glldgljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcjfbed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkjno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhiajmod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklphekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaajed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgcjddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmkbfeab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plbfdekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lenicahg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faenpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qofcff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciafbg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Phelcc32.exePlagcbdn.exePfillg32.exePlcdiabk.exePgihfj32.exePhjenbhp.exePpamophb.exePgkelj32.exeAgbkmijg.exeAmodep32.exeAqkpeopg.exeAfghneoo.exeAmaqjp32.exeAggegh32.exeAmcmpodi.exeAobilkcl.exeAgiamhdo.exeAijnep32.exeAqaffn32.exeAfnnnd32.exeAmhfkopc.exeBjlgdc32.exeBoipmj32.exeBgpgng32.exeBfchidda.exeBqilgmdg.exeBmomlnjk.exeBgeaifia.exeBppfmigl.exeBggnof32.exeCqpbglno.exeCjhfpa32.exeCpeohh32.exeCimcan32.exeCadlbk32.exeCjmpkqqj.exeCceddf32.exeCmniml32.exeCjaifp32.exeDcjnoece.exeDjdflp32.exeDhhfedil.exeDmdonkgc.exeDcogje32.exeDikpbl32.exeDfoplpla.exeDpgeee32.exeDjmibn32.exeEpjajeqo.exeEibfck32.exeEdhjqc32.exeEjbbmnnb.exeEpokedmj.exeEjdocm32.exeEpagkd32.exeEfkphnbd.exeEmehdh32.exeEaqdegaj.exeEdopabqn.exeFiliii32.exeFpeafcfa.exeFhmigagd.exeFineoi32.exeFaenpf32.exepid Process 3224 Phelcc32.exe 4796 Plagcbdn.exe 3056 Pfillg32.exe 3524 Plcdiabk.exe 4464 Pgihfj32.exe 4260 Phjenbhp.exe 4920 Ppamophb.exe 1272 Pgkelj32.exe 2732 Agbkmijg.exe 3132 Amodep32.exe 5024 Aqkpeopg.exe 2816 Afghneoo.exe 1764 Amaqjp32.exe 2124 Aggegh32.exe 1384 Amcmpodi.exe 3336 Aobilkcl.exe 5008 Agiamhdo.exe 4068 Aijnep32.exe 1236 Aqaffn32.exe 716 Afnnnd32.exe 4604 Amhfkopc.exe 3604 Bjlgdc32.exe 4612 Boipmj32.exe 2140 Bgpgng32.exe 4540 Bfchidda.exe 1284 Bqilgmdg.exe 2268 Bmomlnjk.exe 2940 Bgeaifia.exe 3968 Bppfmigl.exe 4860 Bggnof32.exe 988 Cqpbglno.exe 4956 Cjhfpa32.exe 636 Cpeohh32.exe 1036 Cimcan32.exe 4892 Cadlbk32.exe 3880 Cjmpkqqj.exe 4432 Cceddf32.exe 4240 Cmniml32.exe 3316 Cjaifp32.exe 1460 Dcjnoece.exe 3764 Djdflp32.exe 1244 Dhhfedil.exe 512 Dmdonkgc.exe 1280 Dcogje32.exe 100 Dikpbl32.exe 2460 Dfoplpla.exe 372 Dpgeee32.exe 4144 Djmibn32.exe 4936 Epjajeqo.exe 4916 Eibfck32.exe 4280 Edhjqc32.exe 2928 Ejbbmnnb.exe 4600 Epokedmj.exe 4476 Ejdocm32.exe 2860 Epagkd32.exe 4760 Efkphnbd.exe 2820 Emehdh32.exe 4360 Eaqdegaj.exe 1508 Edopabqn.exe 4376 Filiii32.exe 3116 Fpeafcfa.exe 3956 Fhmigagd.exe 2272 Fineoi32.exe 4596 Faenpf32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Gdcliikj.exeHkdjfb32.exeOelolmnd.exeQdoacabq.exeGpaihooo.exeEpikpo32.exeIpihpkkd.exeFaenpf32.exeKdkdgchl.exeKbhmbdle.exeNbnpcj32.exeHpjmnjqn.exeJilfifme.exeJphkkpbp.exeEbfign32.exeBmomlnjk.exeLknojl32.exeMcjmel32.exeAefjii32.exeFligqhga.exeKageaj32.exeMkmkkjko.exeAhjgjj32.exeNlmdbh32.exeOgjdmbil.exeDdifgk32.exeFgcjfbed.exeJnelok32.exePfandnla.exeLjkifn32.exeMejpje32.exeKnchpiom.exeDhclmp32.exeJlolpq32.exeBmjkic32.exeMcqjon32.exePkgcea32.exeDeqcbpld.exeEehicoel.exeFhflnpoi.exeJklphekp.exeEmphocjj.exeNnicid32.exeEomffaag.exeCkfphc32.exeKjccdkki.exePpolhcnm.exeFdnhih32.exeHpbiip32.exeBkkple32.exeLhenai32.exeHplicjok.exeOdhifjkg.exeMjcngpjh.exeNmhijd32.exeDpgeee32.exeCihclh32.exeIcnklbmj.exedescription ioc Process File created C:\Windows\SysWOW64\Glaecb32.dll Gdcliikj.exe File opened for modification C:\Windows\SysWOW64\Hmbfbn32.exe Hkdjfb32.exe File created C:\Windows\SysWOW64\Klplbbaq.dll Oelolmnd.exe File created C:\Windows\SysWOW64\Godcje32.dll Qdoacabq.exe File created C:\Windows\SysWOW64\Gbpedjnb.exe Gpaihooo.exe File created C:\Windows\SysWOW64\Fpjqcaao.dll Epikpo32.exe File opened for modification C:\Windows\SysWOW64\Iolhkh32.exe Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Bbhildae.exe File created C:\Windows\SysWOW64\Fmcldc32.dll Faenpf32.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kdkdgchl.exe File created C:\Windows\SysWOW64\Kibeoo32.exe Kbhmbdle.exe File created C:\Windows\SysWOW64\Jofabneq.dll Nbnpcj32.exe File created C:\Windows\SysWOW64\Hgdejd32.exe Hpjmnjqn.exe File created C:\Windows\SysWOW64\Gifjfmcq.dll Jilfifme.exe File created C:\Windows\SysWOW64\Jleiba32.dll Jphkkpbp.exe File created C:\Windows\SysWOW64\Edeeci32.exe Ebfign32.exe File created C:\Windows\SysWOW64\Looknpmn.dll Bmomlnjk.exe File created C:\Windows\SysWOW64\Lnmkfh32.exe Lknojl32.exe File created C:\Windows\SysWOW64\Ncdmbe32.dll Mcjmel32.exe File created C:\Windows\SysWOW64\Pfkbfh32.dll Aefjii32.exe File created C:\Windows\SysWOW64\Gmiadfmi.dll Fligqhga.exe File created C:\Windows\SysWOW64\Kkmioc32.exe Kageaj32.exe File opened for modification C:\Windows\SysWOW64\Mnkggfkb.exe Mkmkkjko.exe File created C:\Windows\SysWOW64\Aodogdmn.exe Ahjgjj32.exe File opened for modification C:\Windows\SysWOW64\Nnkpnclp.exe Nlmdbh32.exe File created C:\Windows\SysWOW64\Ojhpimhp.exe Ogjdmbil.exe File created C:\Windows\SysWOW64\Ndjaei32.dll Ddifgk32.exe File created C:\Windows\SysWOW64\Gmefoohh.dll Fgcjfbed.exe File created C:\Windows\SysWOW64\Lflpengd.dll Jnelok32.exe File created C:\Windows\SysWOW64\Fidhnlin.dll Pfandnla.exe File created C:\Windows\SysWOW64\Qbajeg32.exe File opened for modification C:\Windows\SysWOW64\Mbbagk32.exe Ljkifn32.exe File created C:\Windows\SysWOW64\Knaalh32.dll Mejpje32.exe File created C:\Windows\SysWOW64\Nfcconde.dll Knchpiom.exe File created C:\Windows\SysWOW64\Domdjj32.exe Dhclmp32.exe File created C:\Windows\SysWOW64\Komhll32.exe Jlolpq32.exe File created C:\Windows\SysWOW64\Gjecbd32.dll Bmjkic32.exe File opened for modification C:\Windows\SysWOW64\Ckpamabg.exe File created C:\Windows\SysWOW64\Cdhffg32.exe File created C:\Windows\SysWOW64\Ejnocehc.dll Mcqjon32.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Emhkdmlg.exe Deqcbpld.exe File created C:\Windows\SysWOW64\Ggpcfd32.dll Eehicoel.exe File created C:\Windows\SysWOW64\Ppgomnai.exe File created C:\Windows\SysWOW64\Dcdepb32.dll Fhflnpoi.exe File opened for modification C:\Windows\SysWOW64\Jnkldqkc.exe Jklphekp.exe File created C:\Windows\SysWOW64\Gckdpj32.dll Emphocjj.exe File created C:\Windows\SysWOW64\Nagpeo32.exe Nnicid32.exe File created C:\Windows\SysWOW64\Fpmfmgnc.dll Eomffaag.exe File created C:\Windows\SysWOW64\Gkbndlfi.dll Ckfphc32.exe File opened for modification C:\Windows\SysWOW64\Kmaopfjm.exe Kjccdkki.exe File created C:\Windows\SysWOW64\Phfcipoo.exe Ppolhcnm.exe File created C:\Windows\SysWOW64\Jcdihk32.dll Fdnhih32.exe File created C:\Windows\SysWOW64\Mpeaedjn.dll Hpbiip32.exe File opened for modification C:\Windows\SysWOW64\Bbdhiojo.exe Bkkple32.exe File created C:\Windows\SysWOW64\Kdohflaf.dll Lhenai32.exe File created C:\Windows\SysWOW64\Gckoph32.dll Hplicjok.exe File opened for modification C:\Windows\SysWOW64\Oloahhki.exe Odhifjkg.exe File opened for modification C:\Windows\SysWOW64\Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Nmbjcljl.exe Mjcngpjh.exe File opened for modification C:\Windows\SysWOW64\Nofefp32.exe Nmhijd32.exe File created C:\Windows\SysWOW64\Djmibn32.exe Dpgeee32.exe File created C:\Windows\SysWOW64\Opngmi32.dll Cihclh32.exe File opened for modification C:\Windows\SysWOW64\Ikdcmpnl.exe Icnklbmj.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 7928 7776 1210 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kfpcoefj.exeNmipdk32.exeKkmioc32.exeAnclbkbp.exeEnbjad32.exeIepaaico.exeGpaihooo.exeNjbgmjgl.exeIgjngh32.exeHkdjfb32.exeNjkkbehl.exeJenmcggo.exeMnmmboed.exeApjkcadp.exeGkdpbpih.exeMfbaalbi.exeDkfadkgf.exeEnkdaepb.exePkhjph32.exeMepfiq32.exeNnkpnclp.exeBojomm32.exeKkfcndce.exeKnchpiom.exeCammjakm.exeEgcaod32.exeAobilkcl.exeOfkgcobj.exeDkcndeen.exeBopocbcq.exeHgdejd32.exeLcggio32.exeOeheqm32.exeDgeenfog.exeDdifgk32.exeBjlgdc32.exeMajjng32.exeLenicahg.exeCacckp32.exeAaldccip.exeKeifdpif.exeLhenai32.exeMbbagk32.exeMhafeb32.exeCamddhoi.exeKapfiqoj.exeAmcmpodi.exeAojlaeei.exeNenbjo32.exeCkjknfnh.exeFfaong32.exeMfqlfb32.exeJqknkedi.exeHoclopne.exeIeojgc32.exeCndeii32.exePmiikh32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmioc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anclbkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaihooo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbgmjgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmmboed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjkcadp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdpbpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbaalbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfadkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepfiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfcndce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knchpiom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cammjakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobilkcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkgcobj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcndeen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopocbcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgdejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeheqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeenfog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddifgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlgdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaldccip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keifdpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhafeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapfiqoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcmpodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojlaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjknfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqlfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoclopne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikh32.exe -
Modifies registry class 64 IoCs
Processes:
Lnoaaaad.exeKibeoo32.exeBahkih32.exeEifaim32.exeLnohlgep.exeFhofmq32.exeFmqgpgoc.exeLlflea32.exeNblolm32.exeQaqegecm.exeChdialdl.exeLgffic32.exePhbhcmjl.exeHpcodihc.exeGdjibj32.exeOnmfimga.exeNbebbk32.exeEblpgjha.exeCfkmkf32.exeMjggal32.exeFndpmndl.exeEpjajeqo.exeIdbodn32.exeLnadagbm.exePecellgl.exeIpihpkkd.exeAekddhcb.exeOfkgcobj.exePdhkcb32.exeDkcndeen.exeEmehdh32.exeJqdoem32.exeOgekbb32.exePlcdiabk.exeKkhpdcab.exeBfngdn32.exeHbhboolf.exeKkfcndce.exeOmegjomb.exeGpbpbecj.exePmpolgoi.exeQachgk32.exeQlimed32.exeQfmmplad.exeLckiihok.exeLcgpni32.exeDmdonkgc.exeQkjgegae.exeKjjbjd32.exeEbifmm32.exeGicgpelg.exeHhaggp32.exeKnfeeimj.exeAkglloai.exeKkmioc32.exeLknojl32.exeChfegk32.exeOdjeljhd.exePdhbmh32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Kibeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmmqg32.dll" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhofmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfkck32.dll" Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alapqh32.dll" Nblolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgffic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phbhcmjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpcodihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdjibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eblpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fndpmndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epjajeqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplfookn.dll" Idbodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnadagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipihpkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plcdiabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejlkojm.dll" Bfngdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbhboolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achgjc32.dll" Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlimed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lckiihok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcgpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbhgp32.dll" Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljejh32.dll" Knfeeimj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahiiai32.dll" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll" Chfegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odjeljhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkeihph.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exePhelcc32.exePlagcbdn.exePfillg32.exePlcdiabk.exePgihfj32.exePhjenbhp.exePpamophb.exePgkelj32.exeAgbkmijg.exeAmodep32.exeAqkpeopg.exeAfghneoo.exeAmaqjp32.exeAggegh32.exeAmcmpodi.exeAobilkcl.exeAgiamhdo.exeAijnep32.exeAqaffn32.exeAfnnnd32.exeAmhfkopc.exedescription pid Process procid_target PID 1432 wrote to memory of 3224 1432 f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe 82 PID 1432 wrote to memory of 3224 1432 f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe 82 PID 1432 wrote to memory of 3224 1432 f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe 82 PID 3224 wrote to memory of 4796 3224 Phelcc32.exe 83 PID 3224 wrote to memory of 4796 3224 Phelcc32.exe 83 PID 3224 wrote to memory of 4796 3224 Phelcc32.exe 83 PID 4796 wrote to memory of 3056 4796 Plagcbdn.exe 84 PID 4796 wrote to memory of 3056 4796 Plagcbdn.exe 84 PID 4796 wrote to memory of 3056 4796 Plagcbdn.exe 84 PID 3056 wrote to memory of 3524 3056 Pfillg32.exe 85 PID 3056 wrote to memory of 3524 3056 Pfillg32.exe 85 PID 3056 wrote to memory of 3524 3056 Pfillg32.exe 85 PID 3524 wrote to memory of 4464 3524 Plcdiabk.exe 86 PID 3524 wrote to memory of 4464 3524 Plcdiabk.exe 86 PID 3524 wrote to memory of 4464 3524 Plcdiabk.exe 86 PID 4464 wrote to memory of 4260 4464 Pgihfj32.exe 87 PID 4464 wrote to memory of 4260 4464 Pgihfj32.exe 87 PID 4464 wrote to memory of 4260 4464 Pgihfj32.exe 87 PID 4260 wrote to memory of 4920 4260 Phjenbhp.exe 88 PID 4260 wrote to memory of 4920 4260 Phjenbhp.exe 88 PID 4260 wrote to memory of 4920 4260 Phjenbhp.exe 88 PID 4920 wrote to memory of 1272 4920 Ppamophb.exe 89 PID 4920 wrote to memory of 1272 4920 Ppamophb.exe 89 PID 4920 wrote to memory of 1272 4920 Ppamophb.exe 89 PID 1272 wrote to memory of 2732 1272 Pgkelj32.exe 90 PID 1272 wrote to memory of 2732 1272 Pgkelj32.exe 90 PID 1272 wrote to memory of 2732 1272 Pgkelj32.exe 90 PID 2732 wrote to memory of 3132 2732 Agbkmijg.exe 91 PID 2732 wrote to memory of 3132 2732 Agbkmijg.exe 91 PID 2732 wrote to memory of 3132 2732 Agbkmijg.exe 91 PID 3132 wrote to memory of 5024 3132 Amodep32.exe 92 PID 3132 wrote to memory of 5024 3132 Amodep32.exe 92 PID 3132 wrote to memory of 5024 3132 Amodep32.exe 92 PID 5024 wrote to memory of 2816 5024 Aqkpeopg.exe 93 PID 5024 wrote to memory of 2816 5024 Aqkpeopg.exe 93 PID 5024 wrote to memory of 2816 5024 Aqkpeopg.exe 93 PID 2816 wrote to memory of 1764 2816 Afghneoo.exe 94 PID 2816 wrote to memory of 1764 2816 Afghneoo.exe 94 PID 2816 wrote to memory of 1764 2816 Afghneoo.exe 94 PID 1764 wrote to memory of 2124 1764 Amaqjp32.exe 95 PID 1764 wrote to memory of 2124 1764 Amaqjp32.exe 95 PID 1764 wrote to memory of 2124 1764 Amaqjp32.exe 95 PID 2124 wrote to memory of 1384 2124 Aggegh32.exe 96 PID 2124 wrote to memory of 1384 2124 Aggegh32.exe 96 PID 2124 wrote to memory of 1384 2124 Aggegh32.exe 96 PID 1384 wrote to memory of 3336 1384 Amcmpodi.exe 97 PID 1384 wrote to memory of 3336 1384 Amcmpodi.exe 97 PID 1384 wrote to memory of 3336 1384 Amcmpodi.exe 97 PID 3336 wrote to memory of 5008 3336 Aobilkcl.exe 98 PID 3336 wrote to memory of 5008 3336 Aobilkcl.exe 98 PID 3336 wrote to memory of 5008 3336 Aobilkcl.exe 98 PID 5008 wrote to memory of 4068 5008 Agiamhdo.exe 99 PID 5008 wrote to memory of 4068 5008 Agiamhdo.exe 99 PID 5008 wrote to memory of 4068 5008 Agiamhdo.exe 99 PID 4068 wrote to memory of 1236 4068 Aijnep32.exe 100 PID 4068 wrote to memory of 1236 4068 Aijnep32.exe 100 PID 4068 wrote to memory of 1236 4068 Aijnep32.exe 100 PID 1236 wrote to memory of 716 1236 Aqaffn32.exe 101 PID 1236 wrote to memory of 716 1236 Aqaffn32.exe 101 PID 1236 wrote to memory of 716 1236 Aqaffn32.exe 101 PID 716 wrote to memory of 4604 716 Afnnnd32.exe 102 PID 716 wrote to memory of 4604 716 Afnnnd32.exe 102 PID 716 wrote to memory of 4604 716 Afnnnd32.exe 102 PID 4604 wrote to memory of 3604 4604 Amhfkopc.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe"C:\Users\Admin\AppData\Local\Temp\f94e0909b13e0f0d8a0e573574e04d962efab22db895c5018dc9cdee2e900496.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe24⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe25⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe26⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe27⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe30⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe31⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe32⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe33⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe34⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe35⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe36⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe37⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe38⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe39⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe40⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe41⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe43⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:512 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe45⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe46⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe47⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:372 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe49⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe51⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe52⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe53⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe54⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe55⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe56⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe57⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe59⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe60⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe61⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe62⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe63⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe64⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe66⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe67⤵PID:2228
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe68⤵PID:544
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe69⤵PID:3860
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe70⤵PID:4192
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe71⤵PID:3400
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe72⤵PID:1180
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe73⤵PID:1556
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe74⤵PID:1804
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe75⤵PID:2080
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe76⤵
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe77⤵PID:4828
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe78⤵
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe79⤵PID:4448
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe80⤵PID:700
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe81⤵PID:540
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe82⤵PID:2088
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe83⤵PID:3416
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe84⤵PID:2316
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe85⤵PID:4512
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe86⤵PID:3504
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe87⤵PID:4060
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe88⤵PID:2956
-
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe90⤵PID:4804
-
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe91⤵PID:4876
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe92⤵PID:2032
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe93⤵PID:2888
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe94⤵PID:1724
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe95⤵PID:2492
-
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe96⤵PID:3672
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe97⤵PID:4304
-
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe98⤵PID:4716
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe99⤵
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4128 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe101⤵PID:4016
-
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe102⤵PID:2028
-
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe103⤵PID:5152
-
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe104⤵PID:5196
-
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe105⤵PID:5244
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe106⤵
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe107⤵PID:5332
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe108⤵PID:5376
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe109⤵PID:5420
-
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe110⤵PID:5468
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe111⤵PID:5512
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe112⤵PID:5556
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe113⤵PID:5600
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe114⤵PID:5644
-
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe115⤵PID:5692
-
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe116⤵PID:5736
-
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe117⤵PID:5780
-
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5824 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe119⤵PID:5868
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe120⤵PID:5912
-
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe121⤵PID:5956
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe122⤵PID:6000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-