Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 10:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe
-
Size
512KB
-
MD5
b3d7c1ff113946cde22734ee95dcecc0
-
SHA1
2ba2fe1ea606a44c632bc512e919d00ffc49873d
-
SHA256
e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ce
-
SHA512
968375042cd6649b95278475f718a1ab8f4c598733357a8cce4cf84f953e93fdb3ca96dd01a2192d2dc30af3d238ceef71adb741be6448d0443f204750ca5e1a
-
SSDEEP
6144:p5r1MQuY11I1kFM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V/:p/MQ1lFB24lwR45FB24lJ87g7/VycgEl
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mminhceb.exeInmpcc32.exeJgadgf32.exeKniieo32.exeLbpdblmo.exeNbnpcj32.exePhbhcmjl.exeDmdhcddh.exeAkpoaj32.exeFajbjh32.exeLplfcf32.exeOjdgnn32.exeIjhjcchb.exeObcceg32.exeCfnqklgh.exeIllfdc32.exeMmkdcm32.exeNagiji32.exeOgekbb32.exeOhlqcagj.exeHbnaeh32.exeNjghbl32.exeAhenokjf.exeNcchae32.exePdhkcb32.exeEdeeci32.exeLqkqhm32.exeJnlkedai.exeFipbdikp.exeGijekg32.exeHgelek32.exeMejpje32.exeEblpgjha.exeNccokk32.exeCfpffeaj.exeJahqiaeb.exeCkclhn32.exeFmcjpl32.exeMmpmnl32.exeCoohhlpe.exeDhclmp32.exeAajhndkb.exeInebjihf.exeKcmfnd32.exeLljdai32.exeKkfcndce.exeOihagaji.exeDjjebh32.exePajeam32.exeImpliekg.exeBmeandma.exeJimldogg.exeKqpoakco.exePkenjh32.exeMmfkhmdi.exeJeocna32.exeKkeldnpi.exeKpiqfima.exeJnmijq32.exeMngegmbc.exeIgbalblk.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgadgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbnpcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbhcmjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akpoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojdgnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhjcchb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfnqklgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmkdcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbnaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njghbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahenokjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edeeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnlkedai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipbdikp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgelek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccokk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aajhndkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inebjihf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcmfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lljdai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djjebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pajeam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimldogg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nccokk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgadgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeldnpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiqfima.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mngegmbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igbalblk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Ehhpla32.exeEiildjag.exeEmehdh32.exeEdopabqn.exeEfmmmn32.exeFacqkg32.exeFdamgb32.exeFfpicn32.exeFineoi32.exeFaenpf32.exeFdcjlb32.exeFgbfhmll.exeFipbdikp.exeFpjjac32.exeFhabbp32.exeFkpool32.exeFmnkkg32.exeFajgkfio.exeFdhcgaic.exeFggocmhf.exeFmqgpgoc.exeFpodlbng.exeFdkpma32.exeGgilil32.exeGigheh32.exeGmcdffmq.exeGpaqbbld.exeGdmmbq32.exeGgkiol32.exeGijekg32.exeGmeakf32.exeGpcmga32.exeGgnedlao.exeGkiaej32.exeGnhnaf32.exeGdafnpqh.exeGklnjj32.exeGnjjfegi.exeGphgbafl.exeGgbook32.exeGiqkkf32.exeGpkchqdj.exeHgelek32.exeHjchaf32.exeHajpbckl.exeHhdhon32.exeHkbdki32.exeHammhcij.exeHdkidohn.exeHkeaqi32.exeHaoimcgg.exeHhiajmod.exeHkgnfhnh.exeHaafcb32.exeHdpbon32.exeHgnoki32.exeHjlkge32.exeHpfcdojl.exeIhnkel32.exeIjogmdqm.exeIafonaao.exeIddljmpc.exeIgchfiof.exeIkndgg32.exepid Process 1076 Ehhpla32.exe 3076 Eiildjag.exe 116 Emehdh32.exe 2872 Edopabqn.exe 3624 Efmmmn32.exe 2940 Facqkg32.exe 3284 Fdamgb32.exe 928 Ffpicn32.exe 4948 Fineoi32.exe 4732 Faenpf32.exe 3400 Fdcjlb32.exe 4444 Fgbfhmll.exe 4852 Fipbdikp.exe 1388 Fpjjac32.exe 3328 Fhabbp32.exe 840 Fkpool32.exe 2532 Fmnkkg32.exe 2912 Fajgkfio.exe 1208 Fdhcgaic.exe 1284 Fggocmhf.exe 2580 Fmqgpgoc.exe 3164 Fpodlbng.exe 4184 Fdkpma32.exe 3304 Ggilil32.exe 4572 Gigheh32.exe 1988 Gmcdffmq.exe 3172 Gpaqbbld.exe 2328 Gdmmbq32.exe 4560 Ggkiol32.exe 2272 Gijekg32.exe 4972 Gmeakf32.exe 4400 Gpcmga32.exe 3080 Ggnedlao.exe 1944 Gkiaej32.exe 1668 Gnhnaf32.exe 1192 Gdafnpqh.exe 4448 Gklnjj32.exe 2840 Gnjjfegi.exe 2664 Gphgbafl.exe 2848 Ggbook32.exe 4384 Giqkkf32.exe 1928 Gpkchqdj.exe 3244 Hgelek32.exe 3856 Hjchaf32.exe 4468 Hajpbckl.exe 2416 Hhdhon32.exe 5104 Hkbdki32.exe 1812 Hammhcij.exe 1524 Hdkidohn.exe 1720 Hkeaqi32.exe 2256 Haoimcgg.exe 1796 Hhiajmod.exe 4176 Hkgnfhnh.exe 1584 Haafcb32.exe 2396 Hdpbon32.exe 3660 Hgnoki32.exe 3156 Hjlkge32.exe 516 Hpfcdojl.exe 4716 Ihnkel32.exe 2600 Ijogmdqm.exe 868 Iafonaao.exe 452 Iddljmpc.exe 4780 Igchfiof.exe 1144 Ikndgg32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Efmmmn32.exeAeddnp32.exeNmgjia32.exeOcgbld32.exeNceefd32.exeIgedlh32.exeNgjbaj32.exeKgflcifg.exeKpoalo32.exeLokdnjkg.exeEbkbbmqj.exeOhnohn32.exeCofecami.exeLggldm32.exePnifekmd.exeCpmapodj.exeLghcocol.exeIgpdfb32.exeLekmnajj.exeKjjbjd32.exeAhfmpnql.exeCoiaiakf.exeLndagg32.exeNmfcok32.exeNmipdk32.exePnplfj32.exeLjilqnlm.exeCfnqklgh.exeQlimed32.exeAekddhcb.exeCkjbhmad.exeIgjngh32.exeKjepjkhf.exeEbimgcfi.exeEnbjad32.exeFpodlbng.exeHlhccj32.exeKjlopc32.exeIlfennic.exeOoibkpmi.exeIgchfiof.exeKjhcjq32.exePdjgha32.exeObjpoh32.exeGghdaa32.exeLejgch32.exeHgmgqc32.exeMogcihaj.exeNglhld32.exeMejpje32.exeAlnmjjdb.exeGpdennml.exeJblmgf32.exeMhldbh32.exeNckkfp32.exeCdpjlb32.exeGejhef32.exePfagighf.exeObafpg32.exeOimkbaed.exePkenjh32.exedescription ioc Process File created C:\Windows\SysWOW64\Facqkg32.exe Efmmmn32.exe File created C:\Windows\SysWOW64\Ppejnh32.dll Aeddnp32.exe File created C:\Windows\SysWOW64\Jjgobjmp.dll Nmgjia32.exe File opened for modification C:\Windows\SysWOW64\Onmfimga.exe Ocgbld32.exe File opened for modification C:\Windows\SysWOW64\Nfcabp32.exe Nceefd32.exe File opened for modification C:\Windows\SysWOW64\Ijcahd32.exe Igedlh32.exe File created C:\Windows\SysWOW64\Njinmf32.exe Ngjbaj32.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Kgflcifg.exe File opened for modification C:\Windows\SysWOW64\Kgiiiidd.exe Kpoalo32.exe File opened for modification C:\Windows\SysWOW64\Ljqhkckn.exe Lokdnjkg.exe File opened for modification C:\Windows\SysWOW64\Fooclapd.exe Ebkbbmqj.exe File opened for modification C:\Windows\SysWOW64\Facqkg32.exe Efmmmn32.exe File created C:\Windows\SysWOW64\Obcceg32.exe Ohnohn32.exe File created C:\Windows\SysWOW64\Cjliajmo.exe Cofecami.exe File created C:\Windows\SysWOW64\Lekmnajj.exe Lggldm32.exe File opened for modification C:\Windows\SysWOW64\Ppjbmc32.exe Pnifekmd.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Cpmapodj.exe File opened for modification C:\Windows\SysWOW64\Lldopb32.exe Lghcocol.exe File created C:\Windows\SysWOW64\Iinqbn32.exe Igpdfb32.exe File created C:\Windows\SysWOW64\Gjmgfljg.dll Lekmnajj.exe File created C:\Windows\SysWOW64\Kpcjgnhb.exe Kjjbjd32.exe File opened for modification C:\Windows\SysWOW64\Aopemh32.exe Ahfmpnql.exe File created C:\Windows\SysWOW64\Cjnffjkl.exe Coiaiakf.exe File opened for modification C:\Windows\SysWOW64\Lenicahg.exe Lndagg32.exe File created C:\Windows\SysWOW64\Cjijid32.dll Nmfcok32.exe File created C:\Windows\SysWOW64\Ncchae32.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Dddjmo32.dll Pnplfj32.exe File created C:\Windows\SysWOW64\Edeleklf.dll Ljilqnlm.exe File created C:\Windows\SysWOW64\Ngqpijkf.dll Cfnqklgh.exe File created C:\Windows\SysWOW64\Addaif32.exe Qlimed32.exe File created C:\Windows\SysWOW64\Bochmn32.exe Aekddhcb.exe File opened for modification C:\Windows\SysWOW64\Cfpffeaj.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Neoogc32.dll Igjngh32.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kjepjkhf.exe File opened for modification C:\Windows\SysWOW64\Emoadlfo.exe Ebimgcfi.exe File created C:\Windows\SysWOW64\Fmcjpl32.exe Enbjad32.exe File opened for modification C:\Windows\SysWOW64\Fdkpma32.exe Fpodlbng.exe File created C:\Windows\SysWOW64\Hgmgqc32.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Kjlopc32.exe File created C:\Windows\SysWOW64\Inebjihf.exe Ilfennic.exe File opened for modification C:\Windows\SysWOW64\Oiagde32.exe Ooibkpmi.exe File opened for modification C:\Windows\SysWOW64\Ikndgg32.exe Igchfiof.exe File created C:\Windows\SysWOW64\Kbpkkn32.exe Kjhcjq32.exe File created C:\Windows\SysWOW64\Kdmpmdpj.dll Kgflcifg.exe File opened for modification C:\Windows\SysWOW64\Pnplfj32.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Ingcceof.dll Objpoh32.exe File created C:\Windows\SysWOW64\Gaqhjggp.exe Gghdaa32.exe File created C:\Windows\SysWOW64\Fmdmqp32.dll Lejgch32.exe File created C:\Windows\SysWOW64\Cgdojhec.dll Hgmgqc32.exe File created C:\Windows\SysWOW64\Dfpcgbim.dll Kjepjkhf.exe File opened for modification C:\Windows\SysWOW64\Mfqlfb32.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Lnmodnoo.dll Nglhld32.exe File created C:\Windows\SysWOW64\Mhilfa32.exe Mejpje32.exe File opened for modification C:\Windows\SysWOW64\Aomifecf.exe Alnmjjdb.exe File opened for modification C:\Windows\SysWOW64\Gbbajjlp.exe Gpdennml.exe File created C:\Windows\SysWOW64\Iaejqcdo.dll Jblmgf32.exe File created C:\Windows\SysWOW64\Hcoejf32.dll Mhldbh32.exe File created C:\Windows\SysWOW64\Kofljo32.dll Nckkfp32.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Cdpjlb32.exe File created C:\Windows\SysWOW64\Gghdaa32.exe Gejhef32.exe File created C:\Windows\SysWOW64\Ppikbm32.exe Pfagighf.exe File created C:\Windows\SysWOW64\Hmkjpibb.dll Obafpg32.exe File created C:\Windows\SysWOW64\Hnnpaa32.dll Oimkbaed.exe File opened for modification C:\Windows\SysWOW64\Papfgbmg.exe Pkenjh32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 6356 5916 WerFault.exe 806 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Njinmf32.exeBklomh32.exeHammhcij.exeKdinljnk.exeLejgch32.exeMnphmkji.exeBljlfh32.exeIbjqaf32.exePpikbm32.exeIbobdqid.exeNajceeoo.exeNmgjia32.exeCkclhn32.exeAagkhd32.exePbcncibp.exePkenjh32.exeCihclh32.exeBdbnjdfg.exeJpenfp32.exeKpnjah32.exeNgjbaj32.exeEbgpad32.exeCkbemgcp.exeGgbook32.exeKageaj32.exeOlbdhn32.exeCfnqklgh.exeHlhccj32.exeDkndie32.exeFgbfhmll.exeKkjlic32.exeCkpbnb32.exeDfefkkqp.exeCklhcfle.exeGgkiol32.exeFimodc32.exeLikhem32.exeNoblkqca.exePififb32.exeNmipdk32.exeNfcabp32.exeCgifbhid.exeKghjhemo.exeKbpkkn32.exeLbngllob.exeNdflak32.exeImkbnf32.exeIlibdmgp.exeDoccpcja.exeGeoapenf.exeKpccmhdg.exeGpaqbbld.exeLjilqnlm.exeBkoigdom.exeAddaif32.exeDahmfpap.exeJgogbgei.exeJdbhkk32.exePnifekmd.exeEbaplnie.exeEohmkb32.exeOhlqcagj.exeCpfcfmlp.exeHhiajmod.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hammhcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdinljnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejgch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnphmkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bljlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibobdqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkenjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpnjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbdhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnqklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbfhmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfefkkqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likhem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noblkqca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pififb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghjhemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbngllob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndflak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilibdmgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doccpcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geoapenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpccmhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaqbbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljilqnlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkoigdom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahmfpap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgogbgei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbhkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebaplnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohlqcagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiajmod.exe -
Modifies registry class 64 IoCs
Processes:
Jdedak32.exeBoihcf32.exeEbimgcfi.exeLoighj32.exeCammjakm.exeDfjpfj32.exeLljdai32.exeGnqfcbnj.exeBoenhgdd.exeGhojbq32.exeDbqqkkbo.exeIphioh32.exeFbgihaji.exeAagkhd32.exeIakiia32.exeLbngllob.exeCkpbnb32.exeLpgmhg32.exePhganm32.exePkgcea32.exeFmnkkg32.exeGmeakf32.exeGklnjj32.exeNccokk32.exeEhpadhll.exeIojkeh32.exeJdbhkk32.exeJgbjbp32.exeKjlopc32.exeDoojec32.exeEdeeci32.exeLelchgne.exeQepkbpak.exeLjqhkckn.exeHloqml32.exeIgpdfb32.exeIpoheakj.exeFnkfmm32.exeFpjjac32.exeHhiajmod.exePojcjh32.exeIinqbn32.exeNlcalieg.exeOgekbb32.exeAhofoogd.exeEqlfhjig.exeFqgedh32.exeGicgpelg.exeHhimhobl.exeIafonaao.exeGpecbk32.exeEofgpikj.exeJimldogg.exeBbdhiojo.exeNnicid32.exeJpfepf32.exePbcncibp.exeFajbjh32.exeFdkpma32.exeOdoogi32.exeQpcecb32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebimgcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Loighj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cammjakm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfjpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lljdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boenhgdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbqqkkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iphioh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll" Aagkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqhcce32.dll" Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmanjof.dll" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaddoaap.dll" Fmnkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbemad32.dll" Gmeakf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegcnaoo.dll" Ehpadhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll" Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdbhkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgbjbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjlopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljqhkckn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll" Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhiajmod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddooacnk.dll" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogekbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqlfhjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll" Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll" Gicgpelg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iafonaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll" Jimldogg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbdhiojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panlem32.dll" Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpfepf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbcncibp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaoan32.dll" Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfjphid.dll" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmddqemj.dll" Odoogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qpcecb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exeEhhpla32.exeEiildjag.exeEmehdh32.exeEdopabqn.exeEfmmmn32.exeFacqkg32.exeFdamgb32.exeFfpicn32.exeFineoi32.exeFaenpf32.exeFdcjlb32.exeFgbfhmll.exeFipbdikp.exeFpjjac32.exeFhabbp32.exeFkpool32.exeFmnkkg32.exeFajgkfio.exeFdhcgaic.exeFggocmhf.exeFmqgpgoc.exedescription pid Process procid_target PID 404 wrote to memory of 1076 404 e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe 82 PID 404 wrote to memory of 1076 404 e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe 82 PID 404 wrote to memory of 1076 404 e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe 82 PID 1076 wrote to memory of 3076 1076 Ehhpla32.exe 83 PID 1076 wrote to memory of 3076 1076 Ehhpla32.exe 83 PID 1076 wrote to memory of 3076 1076 Ehhpla32.exe 83 PID 3076 wrote to memory of 116 3076 Eiildjag.exe 84 PID 3076 wrote to memory of 116 3076 Eiildjag.exe 84 PID 3076 wrote to memory of 116 3076 Eiildjag.exe 84 PID 116 wrote to memory of 2872 116 Emehdh32.exe 85 PID 116 wrote to memory of 2872 116 Emehdh32.exe 85 PID 116 wrote to memory of 2872 116 Emehdh32.exe 85 PID 2872 wrote to memory of 3624 2872 Edopabqn.exe 86 PID 2872 wrote to memory of 3624 2872 Edopabqn.exe 86 PID 2872 wrote to memory of 3624 2872 Edopabqn.exe 86 PID 3624 wrote to memory of 2940 3624 Efmmmn32.exe 87 PID 3624 wrote to memory of 2940 3624 Efmmmn32.exe 87 PID 3624 wrote to memory of 2940 3624 Efmmmn32.exe 87 PID 2940 wrote to memory of 3284 2940 Facqkg32.exe 88 PID 2940 wrote to memory of 3284 2940 Facqkg32.exe 88 PID 2940 wrote to memory of 3284 2940 Facqkg32.exe 88 PID 3284 wrote to memory of 928 3284 Fdamgb32.exe 89 PID 3284 wrote to memory of 928 3284 Fdamgb32.exe 89 PID 3284 wrote to memory of 928 3284 Fdamgb32.exe 89 PID 928 wrote to memory of 4948 928 Ffpicn32.exe 90 PID 928 wrote to memory of 4948 928 Ffpicn32.exe 90 PID 928 wrote to memory of 4948 928 Ffpicn32.exe 90 PID 4948 wrote to memory of 4732 4948 Fineoi32.exe 91 PID 4948 wrote to memory of 4732 4948 Fineoi32.exe 91 PID 4948 wrote to memory of 4732 4948 Fineoi32.exe 91 PID 4732 wrote to memory of 3400 4732 Faenpf32.exe 92 PID 4732 wrote to memory of 3400 4732 Faenpf32.exe 92 PID 4732 wrote to memory of 3400 4732 Faenpf32.exe 92 PID 3400 wrote to memory of 4444 3400 Fdcjlb32.exe 93 PID 3400 wrote to memory of 4444 3400 Fdcjlb32.exe 93 PID 3400 wrote to memory of 4444 3400 Fdcjlb32.exe 93 PID 4444 wrote to memory of 4852 4444 Fgbfhmll.exe 94 PID 4444 wrote to memory of 4852 4444 Fgbfhmll.exe 94 PID 4444 wrote to memory of 4852 4444 Fgbfhmll.exe 94 PID 4852 wrote to memory of 1388 4852 Fipbdikp.exe 95 PID 4852 wrote to memory of 1388 4852 Fipbdikp.exe 95 PID 4852 wrote to memory of 1388 4852 Fipbdikp.exe 95 PID 1388 wrote to memory of 3328 1388 Fpjjac32.exe 96 PID 1388 wrote to memory of 3328 1388 Fpjjac32.exe 96 PID 1388 wrote to memory of 3328 1388 Fpjjac32.exe 96 PID 3328 wrote to memory of 840 3328 Fhabbp32.exe 97 PID 3328 wrote to memory of 840 3328 Fhabbp32.exe 97 PID 3328 wrote to memory of 840 3328 Fhabbp32.exe 97 PID 840 wrote to memory of 2532 840 Fkpool32.exe 98 PID 840 wrote to memory of 2532 840 Fkpool32.exe 98 PID 840 wrote to memory of 2532 840 Fkpool32.exe 98 PID 2532 wrote to memory of 2912 2532 Fmnkkg32.exe 99 PID 2532 wrote to memory of 2912 2532 Fmnkkg32.exe 99 PID 2532 wrote to memory of 2912 2532 Fmnkkg32.exe 99 PID 2912 wrote to memory of 1208 2912 Fajgkfio.exe 100 PID 2912 wrote to memory of 1208 2912 Fajgkfio.exe 100 PID 2912 wrote to memory of 1208 2912 Fajgkfio.exe 100 PID 1208 wrote to memory of 1284 1208 Fdhcgaic.exe 101 PID 1208 wrote to memory of 1284 1208 Fdhcgaic.exe 101 PID 1208 wrote to memory of 1284 1208 Fdhcgaic.exe 101 PID 1284 wrote to memory of 2580 1284 Fggocmhf.exe 102 PID 1284 wrote to memory of 2580 1284 Fggocmhf.exe 102 PID 1284 wrote to memory of 2580 1284 Fggocmhf.exe 102 PID 2580 wrote to memory of 3164 2580 Fmqgpgoc.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe"C:\Users\Admin\AppData\Local\Temp\e006c5a89e605f32297cc202a6326c19dad7a208586e72c9569ede27d48288ceN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe25⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe26⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe27⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3172 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe29⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4560 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe33⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe34⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe35⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe36⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe37⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4448 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe39⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe40⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe42⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe43⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe45⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe46⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe47⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe48⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe50⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe51⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe52⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe54⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe55⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe56⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe57⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe58⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe59⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe60⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe61⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe63⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4780 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe65⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe67⤵PID:4992
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe68⤵
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe69⤵PID:456
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe70⤵
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe71⤵PID:1920
-
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe72⤵PID:5160
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe73⤵PID:5200
-
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe74⤵PID:5240
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe75⤵PID:5280
-
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe76⤵
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe78⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe79⤵PID:5436
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe80⤵PID:5480
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe81⤵PID:5520
-
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe82⤵PID:5564
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe83⤵
- System Location Discovery: System Language Discovery
PID:5608 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe84⤵PID:5648
-
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe85⤵PID:5692
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5776 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe88⤵PID:5816
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe89⤵PID:5860
-
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe90⤵
- Modifies registry class
PID:5900 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe91⤵PID:5940
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe93⤵PID:6020
-
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe94⤵PID:6060
-
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe95⤵PID:6100
-
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe96⤵
- System Location Discovery: System Language Discovery
PID:6140 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe97⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe98⤵PID:2288
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe100⤵PID:1212
-
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe102⤵
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe104⤵PID:2784
-
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe105⤵PID:3628
-
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe106⤵PID:1464
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe107⤵PID:5152
-
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe108⤵
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4940 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe110⤵
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe111⤵PID:5432
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe112⤵PID:5504
-
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe113⤵PID:2252
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe114⤵PID:5640
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe115⤵PID:5720
-
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe116⤵PID:5784
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe117⤵PID:5856
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe118⤵PID:5928
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe119⤵PID:6008
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe120⤵PID:6056
-
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe121⤵PID:4724
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-