Analysis
-
max time kernel
27s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-10-2024 22:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe
-
Size
74KB
-
MD5
60261c90b969554c920ba94d7fba8f0b
-
SHA1
1918966193ea8287aa495e84b821b312cdaaef13
-
SHA256
67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624
-
SHA512
ffa8cb44503d961a417b9c1fa7f7e93e8e15f7581ff55e07efb44f0c38b428e59a9630ad9c42510fc97eae55719d16c82912b3e01c712bf6c2a4278514cdc2ce
-
SSDEEP
1536:bUt7lMsefv3AbP8jfUfyBBz7vV+B3wx4lmUWrHTgmlKnBDZyaH:bUtFefv3/UfyBdvV+B3wx4lrWrHTgrT5
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Engnno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mddidnqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnbjfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjocoedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmgkoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfcabeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnngeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpjlpclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meiedg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eclejclg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcqkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iomaaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifoia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mihkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofhqiec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjfghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppelfbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnpbbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgqcam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Minldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiffbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enajgllm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfhmhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liohhbno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhghgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caomgjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcofqphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iiiogoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Engnno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdkagga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifljcanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jodkkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blcokf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjeblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqdioaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqbbig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfagmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cidhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icnngeof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mddidnqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbcjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afdjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdfejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclejclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdbloobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nglhghgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkglenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqdend32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljjkgfig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liohhbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oggkklnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcgnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgnmjokn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lifoia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moecghdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigjch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghndjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiichkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boiagp32.exe -
Executes dropped EXE 64 IoCs
pid Process 2476 Hojbbiae.exe 2848 Iolohhpc.exe 2952 Ibmhjc32.exe 2884 Idnako32.exe 2636 Imifpagp.exe 3024 Imkbeqem.exe 512 Jjocoedg.exe 2212 Jidppaio.exe 2200 Jbmdig32.exe 2528 Jennjblp.exe 1736 Jccjln32.exe 836 Kgqcam32.exe 2180 Kakdpb32.exe 2268 Kfhmhi32.exe 2444 Kpcngnob.exe 2512 Likbpceb.exe 2724 Lojhmjag.exe 1936 Lakqoe32.exe 1540 Lanmde32.exe 1748 Lmdnjf32.exe 636 Mmgkoe32.exe 2816 Mpegka32.exe 3056 Minldf32.exe 2624 Mchmblji.exe 2988 Mheekb32.exe 1576 Meiedg32.exe 2796 Nhjofbdk.exe 2780 Ogfagmck.exe 2920 Ooaflp32.exe 2660 Okhgaqfj.exe 2656 Ofmknifp.exe 2040 Oeeeeehe.exe 2208 Okomappb.exe 2272 Pcjbfbmm.exe 2888 Pejnpe32.exe 2036 Pjfghl32.exe 2568 Paqoef32.exe 1124 Pfmgmm32.exe 2216 Ppelfbol.exe 2472 Pccelqeb.exe 1920 Qnmfmoaa.exe 2148 Qnpbbn32.exe 2996 Alcclb32.exe 1536 Aelgdhei.exe 1592 Amglij32.exe 1968 Amiioj32.exe 2580 Afamgpga.exe 268 Aagadh32.exe 2944 Afdjmo32.exe 564 Aibfik32.exe 2768 Bdhjfc32.exe 2892 Blcokf32.exe 2812 Belcck32.exe 884 Bpahad32.exe 1688 Bhlmef32.exe 1712 Bcbabodk.exe 2676 Boiagp32.exe 1168 Coknmp32.exe 2964 Cgfcabeh.exe 1792 Cghpgbce.exe 2456 Clehoiam.exe 608 Cjiiim32.exe 2908 Choejien.exe 1816 Djnbdlla.exe -
Loads dropped DLL 64 IoCs
pid Process 2428 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe 2428 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe 2476 Hojbbiae.exe 2476 Hojbbiae.exe 2848 Iolohhpc.exe 2848 Iolohhpc.exe 2952 Ibmhjc32.exe 2952 Ibmhjc32.exe 2884 Idnako32.exe 2884 Idnako32.exe 2636 Imifpagp.exe 2636 Imifpagp.exe 3024 Imkbeqem.exe 3024 Imkbeqem.exe 512 Jjocoedg.exe 512 Jjocoedg.exe 2212 Jidppaio.exe 2212 Jidppaio.exe 2200 Jbmdig32.exe 2200 Jbmdig32.exe 2528 Jennjblp.exe 2528 Jennjblp.exe 1736 Jccjln32.exe 1736 Jccjln32.exe 836 Kgqcam32.exe 836 Kgqcam32.exe 2180 Kakdpb32.exe 2180 Kakdpb32.exe 2268 Kfhmhi32.exe 2268 Kfhmhi32.exe 2444 Kpcngnob.exe 2444 Kpcngnob.exe 2512 Likbpceb.exe 2512 Likbpceb.exe 2724 Lojhmjag.exe 2724 Lojhmjag.exe 1936 Lakqoe32.exe 1936 Lakqoe32.exe 1540 Lanmde32.exe 1540 Lanmde32.exe 1748 Lmdnjf32.exe 1748 Lmdnjf32.exe 636 Mmgkoe32.exe 636 Mmgkoe32.exe 2816 Mpegka32.exe 2816 Mpegka32.exe 3056 Minldf32.exe 3056 Minldf32.exe 2624 Mchmblji.exe 2624 Mchmblji.exe 2988 Mheekb32.exe 2988 Mheekb32.exe 1576 Meiedg32.exe 1576 Meiedg32.exe 2796 Nhjofbdk.exe 2796 Nhjofbdk.exe 2780 Ogfagmck.exe 2780 Ogfagmck.exe 2920 Ooaflp32.exe 2920 Ooaflp32.exe 2660 Okhgaqfj.exe 2660 Okhgaqfj.exe 2656 Ofmknifp.exe 2656 Ofmknifp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jeelld32.dll Okhgaqfj.exe File created C:\Windows\SysWOW64\Fjpggb32.exe Fbebcp32.exe File created C:\Windows\SysWOW64\Gchfgkcp.dll Caomgjnk.exe File created C:\Windows\SysWOW64\Dgqokp32.exe Coejfn32.exe File created C:\Windows\SysWOW64\Dnoqbi32.exe Dlpdifda.exe File created C:\Windows\SysWOW64\Gdpkdf32.exe Gjhfkqdm.exe File opened for modification C:\Windows\SysWOW64\Ibmhjc32.exe Iolohhpc.exe File created C:\Windows\SysWOW64\Jocfagpi.dll Afdjmo32.exe File opened for modification C:\Windows\SysWOW64\Engnno32.exe Ddoiei32.exe File created C:\Windows\SysWOW64\Fbpihafp.exe Eiheok32.exe File created C:\Windows\SysWOW64\Micnbe32.exe Mdfejn32.exe File opened for modification C:\Windows\SysWOW64\Pkglenej.exe Pfjdmggb.exe File created C:\Windows\SysWOW64\Pqdend32.exe Pkglenej.exe File created C:\Windows\SysWOW64\Ogfagmck.exe Nhjofbdk.exe File created C:\Windows\SysWOW64\Aagadh32.exe Afamgpga.exe File created C:\Windows\SysWOW64\Afdjmo32.exe Aagadh32.exe File created C:\Windows\SysWOW64\Cadincif.dll Bcbabodk.exe File created C:\Windows\SysWOW64\Dkfdlclg.exe Ddlloi32.exe File opened for modification C:\Windows\SysWOW64\Coejfn32.exe Ckgapo32.exe File opened for modification C:\Windows\SysWOW64\Iedmhlqf.exe Hhqmogam.exe File created C:\Windows\SysWOW64\Lanmde32.exe Lakqoe32.exe File created C:\Windows\SysWOW64\Meiedg32.exe Mheekb32.exe File opened for modification C:\Windows\SysWOW64\Hcdkagga.exe Hpcbol32.exe File opened for modification C:\Windows\SysWOW64\Dlpdifda.exe Dgqokp32.exe File opened for modification C:\Windows\SysWOW64\Iomaaa32.exe Iedmhlqf.exe File opened for modification C:\Windows\SysWOW64\Lakqoe32.exe Lojhmjag.exe File opened for modification C:\Windows\SysWOW64\Pjfghl32.exe Pejnpe32.exe File created C:\Windows\SysWOW64\Cgfcabeh.exe Coknmp32.exe File opened for modification C:\Windows\SysWOW64\Ofcnmh32.exe Onhihepp.exe File created C:\Windows\SysWOW64\Pfjdmggb.exe Pmbpda32.exe File created C:\Windows\SysWOW64\Cjpkoohi.dll Dlgjie32.exe File opened for modification C:\Windows\SysWOW64\Hljljflh.exe Hpckee32.exe File created C:\Windows\SysWOW64\Joagkd32.exe Jcjffc32.exe File created C:\Windows\SysWOW64\Mckghggc.dll Iolohhpc.exe File created C:\Windows\SysWOW64\Agnopk32.dll Ebccal32.exe File created C:\Windows\SysWOW64\Cjiiim32.exe Clehoiam.exe File created C:\Windows\SysWOW64\Digohmek.dll Egaoldnf.exe File created C:\Windows\SysWOW64\Caomgjnk.exe Cidhcg32.exe File created C:\Windows\SysWOW64\Fcddlail.dll Icadpd32.exe File created C:\Windows\SysWOW64\Phplhddp.dll Boiagp32.exe File opened for modification C:\Windows\SysWOW64\Kakdpb32.exe Kgqcam32.exe File created C:\Windows\SysWOW64\Apgnpo32.exe Qklfqm32.exe File created C:\Windows\SysWOW64\Cidhcg32.exe Colgpo32.exe File created C:\Windows\SysWOW64\Ffmnloih.exe Enajgllm.exe File opened for modification C:\Windows\SysWOW64\Ffmnloih.exe Enajgllm.exe File created C:\Windows\SysWOW64\Fdhlphff.exe Fjpggb32.exe File opened for modification C:\Windows\SysWOW64\Ihopjl32.exe Ibehna32.exe File opened for modification C:\Windows\SysWOW64\Kgibeklf.exe Kaojiqej.exe File opened for modification C:\Windows\SysWOW64\Cgfcabeh.exe Coknmp32.exe File opened for modification C:\Windows\SysWOW64\Ljjkgfig.exe Kcpcjl32.exe File created C:\Windows\SysWOW64\Mhlmnmjc.dll Lopjlh32.exe File created C:\Windows\SysWOW64\Kicednho.exe Kpkali32.exe File created C:\Windows\SysWOW64\Ifljcanj.exe Icnngeof.exe File opened for modification C:\Windows\SysWOW64\Liohhbno.exe Ljjkgfig.exe File created C:\Windows\SysWOW64\Oqdioaqf.exe Okgpfjbo.exe File created C:\Windows\SysWOW64\Ajaimb32.dll Gaghcjhd.exe File opened for modification C:\Windows\SysWOW64\Hhqmogam.exe Hafdbmjp.exe File created C:\Windows\SysWOW64\Jcjffc32.exe Jfffmo32.exe File created C:\Windows\SysWOW64\Afamgpga.exe Amiioj32.exe File opened for modification C:\Windows\SysWOW64\Cghpgbce.exe Cgfcabeh.exe File created C:\Windows\SysWOW64\Hhkbfhbc.dll Mclbkjcf.exe File opened for modification C:\Windows\SysWOW64\Ckgapo32.exe Caomgjnk.exe File created C:\Windows\SysWOW64\Ekndpa32.exe Ebccal32.exe File created C:\Windows\SysWOW64\Eqklhh32.exe Ekndpa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3804 3792 WerFault.exe 248 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmknifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqcam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbeqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmccnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojbbiae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihfmdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmnloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljljflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfffmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdkagga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojmbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimgmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfcabeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebccal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmgmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejnpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enajgllm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgcof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiiogoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchmblji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjcigcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmcbio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqdioaqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdend32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiffbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakdpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhghgie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioonfaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmhej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micnbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coejfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjlpclc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigjch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfghl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpckee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojhmjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddgkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihopjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcngnob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbebcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaoldnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijadk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faefim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhqmogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpgmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipedihgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibfik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnpcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnngeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knldaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfjdmggb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgiffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgcdjip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjpggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijeinphf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoklgbo.dll" Gigjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnfoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imifpagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coknmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgfcabeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnlhbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofnnj32.dll" Ekndpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fipdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggpoami.dll" Jhbfcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eedcdcoc.dll" Okgpfjbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjfghl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aagadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angohn32.dll" Jjcigcmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljjkgfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcicdkij.dll" Nmccnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkeem32.dll" Ndhooaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amglij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkdpp32.dll" Ffmnloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcibnmm.dll" Hiffbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjcmj32.dll" Idjjih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iiiogoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnncp32.dll" Kgqcam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kakdpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcpcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mclbkjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djflcfqi.dll" Fbpihafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihopjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcamh32.dll" Jmcbio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcdmekne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djeoml32.dll" Eclejclg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mchmblji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alcclb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdhjfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jofhqiec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ognakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfffmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmgkoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjiiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibehna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apcngn32.dll" Djfagjai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liohhbno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moecghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oggkklnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojhdmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejcaanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opeeam32.dll" Ilfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knldaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhbnjpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Colgpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Minldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddoiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbfdlcj.dll" Kmeknakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckgapo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcjbfbmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dheljhof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbpihafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhcfhci.dll" Pmbpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpnbjfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eclejclg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfcqkafl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2476 2428 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe 29 PID 2428 wrote to memory of 2476 2428 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe 29 PID 2428 wrote to memory of 2476 2428 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe 29 PID 2428 wrote to memory of 2476 2428 67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe 29 PID 2476 wrote to memory of 2848 2476 Hojbbiae.exe 30 PID 2476 wrote to memory of 2848 2476 Hojbbiae.exe 30 PID 2476 wrote to memory of 2848 2476 Hojbbiae.exe 30 PID 2476 wrote to memory of 2848 2476 Hojbbiae.exe 30 PID 2848 wrote to memory of 2952 2848 Iolohhpc.exe 31 PID 2848 wrote to memory of 2952 2848 Iolohhpc.exe 31 PID 2848 wrote to memory of 2952 2848 Iolohhpc.exe 31 PID 2848 wrote to memory of 2952 2848 Iolohhpc.exe 31 PID 2952 wrote to memory of 2884 2952 Ibmhjc32.exe 32 PID 2952 wrote to memory of 2884 2952 Ibmhjc32.exe 32 PID 2952 wrote to memory of 2884 2952 Ibmhjc32.exe 32 PID 2952 wrote to memory of 2884 2952 Ibmhjc32.exe 32 PID 2884 wrote to memory of 2636 2884 Idnako32.exe 33 PID 2884 wrote to memory of 2636 2884 Idnako32.exe 33 PID 2884 wrote to memory of 2636 2884 Idnako32.exe 33 PID 2884 wrote to memory of 2636 2884 Idnako32.exe 33 PID 2636 wrote to memory of 3024 2636 Imifpagp.exe 34 PID 2636 wrote to memory of 3024 2636 Imifpagp.exe 34 PID 2636 wrote to memory of 3024 2636 Imifpagp.exe 34 PID 2636 wrote to memory of 3024 2636 Imifpagp.exe 34 PID 3024 wrote to memory of 512 3024 Imkbeqem.exe 35 PID 3024 wrote to memory of 512 3024 Imkbeqem.exe 35 PID 3024 wrote to memory of 512 3024 Imkbeqem.exe 35 PID 3024 wrote to memory of 512 3024 Imkbeqem.exe 35 PID 512 wrote to memory of 2212 512 Jjocoedg.exe 36 PID 512 wrote to memory of 2212 512 Jjocoedg.exe 36 PID 512 wrote to memory of 2212 512 Jjocoedg.exe 36 PID 512 wrote to memory of 2212 512 Jjocoedg.exe 36 PID 2212 wrote to memory of 2200 2212 Jidppaio.exe 37 PID 2212 wrote to memory of 2200 2212 Jidppaio.exe 37 PID 2212 wrote to memory of 2200 2212 Jidppaio.exe 37 PID 2212 wrote to memory of 2200 2212 Jidppaio.exe 37 PID 2200 wrote to memory of 2528 2200 Jbmdig32.exe 38 PID 2200 wrote to memory of 2528 2200 Jbmdig32.exe 38 PID 2200 wrote to memory of 2528 2200 Jbmdig32.exe 38 PID 2200 wrote to memory of 2528 2200 Jbmdig32.exe 38 PID 2528 wrote to memory of 1736 2528 Jennjblp.exe 39 PID 2528 wrote to memory of 1736 2528 Jennjblp.exe 39 PID 2528 wrote to memory of 1736 2528 Jennjblp.exe 39 PID 2528 wrote to memory of 1736 2528 Jennjblp.exe 39 PID 1736 wrote to memory of 836 1736 Jccjln32.exe 40 PID 1736 wrote to memory of 836 1736 Jccjln32.exe 40 PID 1736 wrote to memory of 836 1736 Jccjln32.exe 40 PID 1736 wrote to memory of 836 1736 Jccjln32.exe 40 PID 836 wrote to memory of 2180 836 Kgqcam32.exe 41 PID 836 wrote to memory of 2180 836 Kgqcam32.exe 41 PID 836 wrote to memory of 2180 836 Kgqcam32.exe 41 PID 836 wrote to memory of 2180 836 Kgqcam32.exe 41 PID 2180 wrote to memory of 2268 2180 Kakdpb32.exe 42 PID 2180 wrote to memory of 2268 2180 Kakdpb32.exe 42 PID 2180 wrote to memory of 2268 2180 Kakdpb32.exe 42 PID 2180 wrote to memory of 2268 2180 Kakdpb32.exe 42 PID 2268 wrote to memory of 2444 2268 Kfhmhi32.exe 43 PID 2268 wrote to memory of 2444 2268 Kfhmhi32.exe 43 PID 2268 wrote to memory of 2444 2268 Kfhmhi32.exe 43 PID 2268 wrote to memory of 2444 2268 Kfhmhi32.exe 43 PID 2444 wrote to memory of 2512 2444 Kpcngnob.exe 44 PID 2444 wrote to memory of 2512 2444 Kpcngnob.exe 44 PID 2444 wrote to memory of 2512 2444 Kpcngnob.exe 44 PID 2444 wrote to memory of 2512 2444 Kpcngnob.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe"C:\Users\Admin\AppData\Local\Temp\67a0a58026e0e5f24e8a398a19ab1f9972c42e4b6ee4d940bf2b4c221ee73624.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Hojbbiae.exeC:\Windows\system32\Hojbbiae.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Iolohhpc.exeC:\Windows\system32\Iolohhpc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ibmhjc32.exeC:\Windows\system32\Ibmhjc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Idnako32.exeC:\Windows\system32\Idnako32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Imifpagp.exeC:\Windows\system32\Imifpagp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Imkbeqem.exeC:\Windows\system32\Imkbeqem.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Jjocoedg.exeC:\Windows\system32\Jjocoedg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Jidppaio.exeC:\Windows\system32\Jidppaio.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Jennjblp.exeC:\Windows\system32\Jennjblp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Kgqcam32.exeC:\Windows\system32\Kgqcam32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Kakdpb32.exeC:\Windows\system32\Kakdpb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kfhmhi32.exeC:\Windows\system32\Kfhmhi32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Kpcngnob.exeC:\Windows\system32\Kpcngnob.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Likbpceb.exeC:\Windows\system32\Likbpceb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Lakqoe32.exeC:\Windows\system32\Lakqoe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Lanmde32.exeC:\Windows\system32\Lanmde32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Lmdnjf32.exeC:\Windows\system32\Lmdnjf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Mmgkoe32.exeC:\Windows\system32\Mmgkoe32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Mpegka32.exeC:\Windows\system32\Mpegka32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Minldf32.exeC:\Windows\system32\Minldf32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Mchmblji.exeC:\Windows\system32\Mchmblji.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Nhjofbdk.exeC:\Windows\system32\Nhjofbdk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Ogfagmck.exeC:\Windows\system32\Ogfagmck.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Okhgaqfj.exeC:\Windows\system32\Okhgaqfj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Oeeeeehe.exeC:\Windows\system32\Oeeeeehe.exe33⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Okomappb.exeC:\Windows\system32\Okomappb.exe34⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Pcjbfbmm.exeC:\Windows\system32\Pcjbfbmm.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Pejnpe32.exeC:\Windows\system32\Pejnpe32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe38⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\Ppelfbol.exeC:\Windows\system32\Ppelfbol.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pccelqeb.exeC:\Windows\system32\Pccelqeb.exe41⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Qnmfmoaa.exeC:\Windows\system32\Qnmfmoaa.exe42⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Qnpbbn32.exeC:\Windows\system32\Qnpbbn32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Alcclb32.exeC:\Windows\system32\Alcclb32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe45⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Amglij32.exeC:\Windows\system32\Amglij32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Amiioj32.exeC:\Windows\system32\Amiioj32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Aibfik32.exeC:\Windows\system32\Aibfik32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Bdhjfc32.exeC:\Windows\system32\Bdhjfc32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Belcck32.exeC:\Windows\system32\Belcck32.exe54⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe55⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Bhlmef32.exeC:\Windows\system32\Bhlmef32.exe56⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Bcbabodk.exeC:\Windows\system32\Bcbabodk.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Coknmp32.exeC:\Windows\system32\Coknmp32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Cgfcabeh.exeC:\Windows\system32\Cgfcabeh.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Cghpgbce.exeC:\Windows\system32\Cghpgbce.exe61⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Choejien.exeC:\Windows\system32\Choejien.exe64⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Djnbdlla.exeC:\Windows\system32\Djnbdlla.exe65⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Dcffmb32.exeC:\Windows\system32\Dcffmb32.exe66⤵PID:1360
-
C:\Windows\SysWOW64\Ddgcdjip.exeC:\Windows\system32\Ddgcdjip.exe67⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Dnpgmp32.exeC:\Windows\system32\Dnpgmp32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Dheljhof.exeC:\Windows\system32\Dheljhof.exe69⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Dbnpcn32.exeC:\Windows\system32\Dbnpcn32.exe70⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Ddlloi32.exeC:\Windows\system32\Ddlloi32.exe71⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe72⤵PID:2924
-
C:\Windows\SysWOW64\Ddoiei32.exeC:\Windows\system32\Ddoiei32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Engnno32.exeC:\Windows\system32\Engnno32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Egaoldnf.exeC:\Windows\system32\Egaoldnf.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Eickdlcd.exeC:\Windows\system32\Eickdlcd.exe76⤵PID:2328
-
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe77⤵PID:804
-
C:\Windows\SysWOW64\Efihcpqk.exeC:\Windows\system32\Efihcpqk.exe78⤵PID:2060
-
C:\Windows\SysWOW64\Eiheok32.exeC:\Windows\system32\Eiheok32.exe79⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Fbpihafp.exeC:\Windows\system32\Fbpihafp.exe80⤵
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Faefim32.exeC:\Windows\system32\Faefim32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Fbebcp32.exeC:\Windows\system32\Fbebcp32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Fjpggb32.exeC:\Windows\system32\Fjpggb32.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe85⤵PID:1064
-
C:\Windows\SysWOW64\Fdkheh32.exeC:\Windows\system32\Fdkheh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Hpcbol32.exeC:\Windows\system32\Hpcbol32.exe87⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Hcdkagga.exeC:\Windows\system32\Hcdkagga.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Hddgkj32.exeC:\Windows\system32\Hddgkj32.exe89⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Hnllcoed.exeC:\Windows\system32\Hnllcoed.exe90⤵PID:1916
-
C:\Windows\SysWOW64\Ihfmdm32.exeC:\Windows\system32\Ihfmdm32.exe91⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Iopeagip.exeC:\Windows\system32\Iopeagip.exe92⤵PID:2044
-
C:\Windows\SysWOW64\Ijeinphf.exeC:\Windows\system32\Ijeinphf.exe93⤵
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Icnngeof.exeC:\Windows\system32\Icnngeof.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Ifljcanj.exeC:\Windows\system32\Ifljcanj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Ilfbpk32.exeC:\Windows\system32\Ilfbpk32.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Ihmcelkk.exeC:\Windows\system32\Ihmcelkk.exe97⤵PID:2192
-
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe98⤵PID:672
-
C:\Windows\SysWOW64\Ibehna32.exeC:\Windows\system32\Ibehna32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Ihopjl32.exeC:\Windows\system32\Ihopjl32.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Jnlhbb32.exeC:\Windows\system32\Jnlhbb32.exe101⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe103⤵PID:2100
-
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Jbbgge32.exeC:\Windows\system32\Jbbgge32.exe107⤵PID:2496
-
C:\Windows\SysWOW64\Jofhqiec.exeC:\Windows\system32\Jofhqiec.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe109⤵PID:1108
-
C:\Windows\SysWOW64\Kkmhej32.exeC:\Windows\system32\Kkmhej32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe112⤵PID:2748
-
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe113⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe114⤵PID:2236
-
C:\Windows\SysWOW64\Kjeblf32.exeC:\Windows\system32\Kjeblf32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe116⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe117⤵PID:2468
-
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe118⤵
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Ljjkgfig.exeC:\Windows\system32\Ljjkgfig.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2900
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-