Analysis
max time kernel: 76s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 21:33
Static task: static1
Behavioral task: behavioral1
  Sample: 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe
  Resource: win10v2004-20241007-en
General
Target: 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe
Size: 89KB
MD5: cc296f62d4dbb25b4f581ade621d5fda
SHA1: 197d364f1f73941accf8624f6507aa807be8e071
SHA256: 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c
SHA512: 6cdd81f3f6ecb4c71771649c489874a59ffbf7ef0f45e23c67ba756f3731f44a3a49bce1fee5fe330b3aa01803e2af82902ae982bbe10fed60aa5d10f81004be
SSDEEP: 1536:V4r2fQQ+QsSSY3z+T6e8ohXMDjG0RQSjD68a+VMKKTRVGFtUhQfR1WRaROR8R:V4aoQ+RczM6e8ohXMDK0edr4MKy3G7Ug
Malware Config
Extracted: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4324, pid_target: 4296, Process: WerFault.exe, procid_target: 868
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmbpaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Henipenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemike32.dll" Lmdamojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjfpp32.dll" Pmophe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogncddpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmnkn32.dll" Mjkpjkni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olfkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elhokg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmahq32.dll" Nmggnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cefpmiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdpmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmmjof.dll" Olcoaf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kloggici.dll" Cipaqqli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlaqba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjbqei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oabdol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgjngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjdkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgaljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiajh32.dll" Dnecag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dccgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efqian32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aopcnbfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbclgajm.dll" Eiapjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijodiedi.exe 
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdnnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alpmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpdnalq.dll" Filnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qiclcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fliefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogihfj32.dll" Mkgllndq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobcmk32.dll" Ncnplogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cibpoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aahdmanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlepoq32.dll" Eopbooqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfnoed32.dll" Ldhaaefi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Peqidn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhnkdjhl.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihnhkla.dll" Bkmijk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dciekjhc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjeckk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnaaj32.dll" Ilohnopg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jckiolgm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbqpe32.dll" Odcffafd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmjcemh.dll" Ngikaijm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oceaql32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdbfpafn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paekkd32.dll" Qhqklcof.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikinnhd.dll" Ghhoej32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohjglee.dll" Lgaoqdmk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmahbhei.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjbelf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjhajo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mphhbblp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgfnlejd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npbpjn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkpjfkhf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbghmegj.dll" Ohdkop32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijdggc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnkggjpj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okmceiii.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Haafepbn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goemjbna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlajdpoc.exe -
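Every event above touches one CLSID, {79ECA078-17FF-726B-E811-213280E5C831}, and points its InProcServer32 at a succession of dropped DLLs under C:\Windows\SysWow64\ with ThreadingModel set to Apartment. That CLSID is the same one the sample writes under ShellServiceObjectDelayLoad earlier in this report; Explorer instantiates every COM object listed there at logon, so the two signatures together are the persistence mechanism: whichever DLL is the current InProcServer32 gets loaded into explorer.exe. The Python below is an added example, not part of the sandbox report or of the malware, that parses events in the report's flattened format, ties the ShellServiceObjectDelayLoad value to its CLSID and to the DLLs registered for that CLSID, and lists the keys a responder should dump on a suspect host. The sample text is a constructed excerpt in the report's own format (several events on one physical line, as on the page); the function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the report's flattened format: one
# ShellServiceObjectDelayLoad event plus a few CLSID\InProcServer32 events.
# Several events may share one physical line, exactly as in the report.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clbdobpc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjeckk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihnhkla.dll" Bkmijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dciekjhc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnaaj32.dll" Ilohnopg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbghmegj.dll" Ohdkop32.exe
'''

# One event = action, key path (may contain spaces in the value name),
# optional quoted data (Set value only), then the image that did the write.
EVENT_RE = re.compile(
    r'(?P<action>Set value \(str\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<process>[A-Za-z0-9_.]+\.exe)(?=\s|$)'
)


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str      # registry key
    value: str    # value name; "" is the (Default) value, or unused for Key created
    data: str     # value data with the report's doubled backslashes collapsed
    process: str  # image that performed the write


def parse_registry_events(text):
    """Split flattened report text into RegEvent records."""
    events = []
    for m in EVENT_RE.finditer(text):
        path = m["path"]
        if m["action"].startswith("Set value"):
            key, _, value = path.rpartition("\\")   # trailing "\" means (Default)
        else:
            key, value = path, ""
        data = (m["data"] or "").replace("\\\\", "\\")
        events.append(RegEvent(m["action"], key, value, data, m["process"]))
    return events


def dropped_dlls(events):
    """DLL paths registered as an InProcServer32 (Default) value: the payloads."""
    return sorted({ev.data for ev in events
                   if ev.action.startswith("Set value") and ev.value == ""
                   and ev.key.upper().endswith("\\INPROCSERVER32")
                   and ev.data.lower().endswith(".dll")})


def ssodl_load_chain(events):
    """Map each ShellServiceObjectDelayLoad value (loaded by explorer.exe at
    logon) to the CLSID it names and to every DLL registered as that CLSID's
    InProcServer32, i.e. what Explorer will actually load."""
    chain = {}
    for ev in events:
        if not (ev.action.startswith("Set value")
                and ev.key.upper().endswith("\\SHELLSERVICEOBJECTDELAYLOAD")):
            continue
        clsid = ev.data.upper()
        dlls, writers = set(), set()
        for other in events:
            if (other.action.startswith("Set value") and other.value == ""
                    and other.key.upper().endswith(f"\\CLSID\\{clsid}\\INPROCSERVER32")):
                dlls.add(other.data)
                writers.add(other.process)
        chain[ev.value] = {"clsid": ev.data, "dlls": sorted(dlls), "writers": sorted(writers)}
    return chain


def keys_to_inspect(clsid):
    """Keys to dump on a live host for this CLSID, in both the native and the
    WOW64 registry views (the sample, being 32-bit, writes the WOW64 view)."""
    return [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
        r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
        rf"HKLM\SOFTWARE\Classes\CLSID\{clsid}\InProcServer32",
        rf"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{clsid}\InProcServer32",
    ]


if __name__ == "__main__":
    evs = parse_registry_events(SAMPLE_EVENTS)
    for name, info in ssodl_load_chain(evs).items():
        print(f"SSODL '{name}' -> {info['clsid']}")
        for dll in info["dlls"]:
            print("   Explorer will load:", dll)
    print("keys to dump on a suspect host:")
    for k in keys_to_inspect("{79ECA078-17FF-726B-E811-213280E5C831}"):
        print("  ", k)
```

Feeding the whole "Modifies registry class" and "Adds autorun key" sections of a report to `parse_registry_events` yields the full set of DLL paths to sweep for; the persistence is broken by deleting the ShellServiceObjectDelayLoad value, not just the DLL on disk.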
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2260 wrote to memory of 2388 2260 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe 29
PID 2260 wrote to memory of 2388 2260 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe 29
PID 2260 wrote to memory of 2388 2260 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe 29
PID 2260 wrote to memory of 2388 2260 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe 29
PID 2388 wrote to memory of 2724 2388 Clheeh32.exe 30
PID 2388 wrote to memory of 2724 2388 Clheeh32.exe 30
PID 2388 wrote to memory of 2724 2388 Clheeh32.exe 30
PID 2388 wrote to memory of 2724 2388 Clheeh32.exe 30
PID 2724 wrote to memory of 2736 2724 Ccamabgg.exe 31
PID 2724 wrote to memory of 2736 2724 Ccamabgg.exe 31
PID 2724 wrote to memory of 2736 2724 Ccamabgg.exe 31
PID 2724 wrote to memory of 2736 2724 Ccamabgg.exe 31
PID 2736 wrote to memory of 2972 2736 Dfbfcn32.exe 32
PID 2736 wrote to memory of 2972 2736 Dfbfcn32.exe 32
PID 2736 wrote to memory of 2972 2736 Dfbfcn32.exe 32
PID 2736 wrote to memory of 2972 2736 Dfbfcn32.exe 32
PID 2972 wrote to memory of 2692 2972 Dkookd32.exe 33
PID 2972 wrote to memory of 2692 2972 Dkookd32.exe 33
PID 2972 wrote to memory of 2692 2972 Dkookd32.exe 33
PID 2972 wrote to memory of 2692 2972 Dkookd32.exe 33
PID 2692 wrote to memory of 3056 2692 Dghlfe32.exe 34
PID 2692 wrote to memory of 3056 2692 Dghlfe32.exe 34
PID 2692 wrote to memory of 3056 2692 Dghlfe32.exe 34
PID 2692 wrote to memory of 3056 2692 Dghlfe32.exe 34
PID 3056 wrote to memory of 1672 3056 Dkfdlclg.exe 35
PID 3056 wrote to memory of 1672 3056 Dkfdlclg.exe 35
PID 3056 wrote to memory of 1672 3056 Dkfdlclg.exe 35
PID 3056 wrote to memory of 1672 3056 Dkfdlclg.exe 35
PID 1672 wrote to memory of 2064 1672 Eqejjj32.exe 36
PID 1672 wrote to memory of 2064 1672 Eqejjj32.exe 36
PID 1672 wrote to memory of 2064 1672 Eqejjj32.exe 36
PID 1672 wrote to memory of 2064 1672 Eqejjj32.exe 36
PID 2064 wrote to memory of 1236 2064 Efbbba32.exe 37
PID 2064 wrote to memory of 1236 2064 Efbbba32.exe 37
PID 2064 wrote to memory of 1236 2064 Efbbba32.exe 37
PID 2064 wrote to memory of 1236 2064 Efbbba32.exe 37
PID 1236 wrote to memory of 592 1236 Ebkpma32.exe 38
PID 1236 wrote to memory of 592 1236 Ebkpma32.exe 38
PID 1236 wrote to memory of 592 1236 Ebkpma32.exe 38
PID 1236 wrote to memory of 592 1236 Ebkpma32.exe 38
PID 592 wrote to memory of 2932 592 Eiheok32.exe 39
PID 592 wrote to memory of 2932 592 Eiheok32.exe 39
PID 592 wrote to memory of 2932 592 Eiheok32.exe 39
PID 592 wrote to memory of 2932 592 Eiheok32.exe 39
PID 2932 wrote to memory of 908 2932 Filnjk32.exe 40
PID 2932 wrote to memory of 908 2932 Filnjk32.exe 40
PID 2932 wrote to memory of 908 2932 Filnjk32.exe 40
PID 2932 wrote to memory of 908 2932 Filnjk32.exe 40
PID 908 wrote to memory of 1716 908 Fecool32.exe 41
PID 908 wrote to memory of 1716 908 Fecool32.exe 41
PID 908 wrote to memory of 1716 908 Fecool32.exe 41
PID 908 wrote to memory of 1716 908 Fecool32.exe 41
PID 1716 wrote to memory of 2352 1716 Fmqpinlf.exe 42
PID 1716 wrote to memory of 2352 1716 Fmqpinlf.exe 42
PID 1716 wrote to memory of 2352 1716 Fmqpinlf.exe 42
PID 1716 wrote to memory of 2352 1716 Fmqpinlf.exe 42
PID 2352 wrote to memory of 3012 2352 Gigano32.exe 43
PID 2352 wrote to memory of 3012 2352 Gigano32.exe 43
PID 2352 wrote to memory of 3012 2352 Gigano32.exe 43
PID 2352 wrote to memory of 3012 2352 Gigano32.exe 43
PID 3012 wrote to memory of 3020 3012 Gpfbfh32.exe 44
PID 3012 wrote to memory of 3020 3012 Gpfbfh32.exe 44
PID 3012 wrote to memory of 3020 3012 Gpfbfh32.exe 44
PID 3012 wrote to memory of 3020 3012 Gpfbfh32.exe 44
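Each entry above names the writing image and the PID it wrote into, and the writer of the next entry is the previous entry's target, so the 64 IoCs (each entry appears four times) collapse to one linear hand-off chain: the original sample writes into Clheeh32.exe, which writes into Ccamabgg.exe, and so on, one dropped executable per stage. The Python below is an added example, not part of the report, that parses these lines, de-duplicates them, and reconstructs the parent-to-child lineage from the edges alone; the last target's image name is not present in WriteProcessMemory lines (the process tree that follows supplies it), so the example reports it as None rather than guessing. The sample text is a constructed excerpt in the report's format, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" section,
# including the column header and the repeated entries exactly as the report
# shows them. Fields: writer PID, target PID, writer PID again, writer image,
# sandbox-internal target id.
SAMPLE_WPM = (
    "description pid Process procid_target "
    "PID 2260 wrote to memory of 2388 2260 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe 29 "
    "PID 2260 wrote to memory of 2388 2260 603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe 29 "
    "PID 2388 wrote to memory of 2724 2388 Clheeh32.exe 30 "
    "PID 2388 wrote to memory of 2724 2388 Clheeh32.exe 30 "
    "PID 2724 wrote to memory of 2736 2724 Ccamabgg.exe 31 "
    "PID 2736 wrote to memory of 2972 2736 Dfbfcn32.exe 32 "
    "PID 2972 wrote to memory of 2692 2972 Dkookd32.exe 33"
)

# The backreference (?P=src) checks the report's duplicated PID column, so a
# line whose columns drifted is rejected instead of silently mis-parsed.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<image>\S+) (?P<target_id>\d+)"
)


def parse_wpm_events(text):
    """Return de-duplicated (writer_pid, target_pid, writer_image) edges in first-seen order."""
    seen, edges = set(), []
    for m in WPM_RE.finditer(text):
        edge = (int(m["src"]), int(m["dst"]), m["image"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def process_names(edges):
    """PID -> image. A PID that only ever appears as a target has no image in
    these lines; it is kept as None so the caller knows to consult the process tree."""
    names = {}
    for src, dst, image in edges:
        names[src] = image
        names.setdefault(dst, None)
    return names


def roots(edges):
    """Writers that were never themselves written into: the chain's origin(s)."""
    targets = {dst for _, dst, _ in edges}
    return list(dict.fromkeys(src for src, _, _ in edges if src not in targets))


def lineage(edges):
    """Walk writer -> target edges depth-first from each root and return
    [(pid, image), ...] in execution order. For this sample the result is a
    single straight line; a branch would show up as a second child of one PID."""
    children = defaultdict(list)
    for src, dst, _ in edges:
        children[src].append(dst)
    names = process_names(edges)
    out = []

    def walk(pid):
        out.append((pid, names.get(pid)))
        for child in children[pid]:
            walk(child)

    for root in roots(edges):
        walk(root)
    return out


def dropped_stage_images(edges):
    """Images of every writer except the root: the on-disk stages to collect."""
    root_pids = set(roots(edges))
    return sorted({image for src, _, image in edges if src not in root_pids})


if __name__ == "__main__":
    edges = parse_wpm_events(SAMPLE_WPM)
    print(f"{len(edges)} unique hand-offs")
    for pid, image in lineage(edges):
        print(f"{pid:>5}  {image or '(image not in WPM lines; see process tree)'}")
```

Run against the full section, the walk produces the same sixteen-step chain the process tree shows, which is a quick consistency check between the two signatures; the de-duplicated edge list is also the right shape to compare against a Sysmon or EDR parent/child log when hunting for the same behaviour on a real host.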
Processes
-
C:\Users\Admin\AppData\Local\Temp\603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe"C:\Users\Admin\AppData\Local\Temp\603a909d1e45719d1ee51658c7a425ac99626425f385e74a3a820ab336c5314c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Clheeh32.exeC:\Windows\system32\Clheeh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Dfbfcn32.exeC:\Windows\system32\Dfbfcn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dghlfe32.exeC:\Windows\system32\Dghlfe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Eqejjj32.exeC:\Windows\system32\Eqejjj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Efbbba32.exeC:\Windows\system32\Efbbba32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ebkpma32.exeC:\Windows\system32\Ebkpma32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Eiheok32.exeC:\Windows\system32\Eiheok32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Filnjk32.exeC:\Windows\system32\Filnjk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Fecool32.exeC:\Windows\system32\Fecool32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Fmqpinlf.exeC:\Windows\system32\Fmqpinlf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Gigano32.exeC:\Windows\system32\Gigano32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Gkbplepn.exeC:\Windows\system32\Gkbplepn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Hdmajkdl.exeC:\Windows\system32\Hdmajkdl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Hcdkagga.exeC:\Windows\system32\Hcdkagga.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Hnjonpgg.exeC:\Windows\system32\Hnjonpgg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Hjqpcq32.exeC:\Windows\system32\Hjqpcq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Ingogcke.exeC:\Windows\system32\Ingogcke.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Idcdjmao.exeC:\Windows\system32\Idcdjmao.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe33⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Meolcb32.exeC:\Windows\system32\Meolcb32.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe35⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Mgebfi32.exeC:\Windows\system32\Mgebfi32.exe36⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Majfcb32.exeC:\Windows\system32\Majfcb32.exe37⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Miekhd32.exeC:\Windows\system32\Miekhd32.exe38⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Neaehelb.exeC:\Windows\system32\Neaehelb.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Nkpjfkhf.exeC:\Windows\system32\Nkpjfkhf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe46⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe47⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe48⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe49⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ojjqbg32.exeC:\Windows\system32\Ojjqbg32.exe50⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe51⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Onhihepp.exeC:\Windows\system32\Onhihepp.exe52⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Oceaql32.exeC:\Windows\system32\Oceaql32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe54⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Pncllifp.exeC:\Windows\system32\Pncllifp.exe56⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe58⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe59⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe60⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe61⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Afhcgjkq.exeC:\Windows\system32\Afhcgjkq.exe62⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Apphpp32.exeC:\Windows\system32\Apphpp32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Algida32.exeC:\Windows\system32\Algida32.exe64⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Aflmbj32.exeC:\Windows\system32\Aflmbj32.exe65⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe66⤵PID:1664
-
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe67⤵PID:2548
-
C:\Windows\SysWOW64\Aedghf32.exeC:\Windows\system32\Aedghf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe69⤵PID:872
-
C:\Windows\SysWOW64\Bmahbhei.exeC:\Windows\system32\Bmahbhei.exe70⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Bhglpqeo.exeC:\Windows\system32\Bhglpqeo.exe71⤵PID:2052
-
C:\Windows\SysWOW64\Bmdehgcf.exeC:\Windows\system32\Bmdehgcf.exe72⤵PID:2288
-
C:\Windows\SysWOW64\Bmfamg32.exeC:\Windows\system32\Bmfamg32.exe73⤵PID:1652
-
C:\Windows\SysWOW64\Bkjbgk32.exeC:\Windows\system32\Bkjbgk32.exe74⤵PID:2784
-
C:\Windows\SysWOW64\Bdbfpafn.exeC:\Windows\system32\Bdbfpafn.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Cpigeblb.exeC:\Windows\system32\Cpigeblb.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Cefpmiji.exeC:\Windows\system32\Cefpmiji.exe77⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Cpldjajo.exeC:\Windows\system32\Cpldjajo.exe78⤵PID:2552
-
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Cdnicemo.exeC:\Windows\system32\Cdnicemo.exe80⤵PID:2416
-
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe81⤵PID:1860
-
C:\Windows\SysWOW64\Chkbjc32.exeC:\Windows\system32\Chkbjc32.exe82⤵PID:684
-
C:\Windows\SysWOW64\Dpggnfap.exeC:\Windows\system32\Dpggnfap.exe83⤵PID:1752
-
C:\Windows\SysWOW64\Dhnoocab.exeC:\Windows\system32\Dhnoocab.exe84⤵PID:1316
-
C:\Windows\SysWOW64\Dnkggjpj.exeC:\Windows\system32\Dnkggjpj.exe85⤵
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Dgclpp32.exeC:\Windows\system32\Dgclpp32.exe86⤵PID:2112
-
C:\Windows\SysWOW64\Dcjleq32.exeC:\Windows\system32\Dcjleq32.exe87⤵PID:2860
-
C:\Windows\SysWOW64\Ekqqea32.exeC:\Windows\system32\Ekqqea32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Eqpfchka.exeC:\Windows\system32\Eqpfchka.exe89⤵PID:2012
-
C:\Windows\SysWOW64\Ffmnloih.exeC:\Windows\system32\Ffmnloih.exe90⤵PID:880
-
C:\Windows\SysWOW64\Fjkgampo.exeC:\Windows\system32\Fjkgampo.exe91⤵PID:2672
-
C:\Windows\SysWOW64\Fqdong32.exeC:\Windows\system32\Fqdong32.exe92⤵PID:2272
-
C:\Windows\SysWOW64\Ffahgn32.exeC:\Windows\system32\Ffahgn32.exe93⤵PID:2712
-
C:\Windows\SysWOW64\Fmkpchmp.exeC:\Windows\system32\Fmkpchmp.exe94⤵PID:2228
-
C:\Windows\SysWOW64\Fefdhj32.exeC:\Windows\system32\Fefdhj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Fpliec32.exeC:\Windows\system32\Fpliec32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Fidmniqa.exeC:\Windows\system32\Fidmniqa.exe97⤵PID:2872
-
C:\Windows\SysWOW64\Fpnekc32.exeC:\Windows\system32\Fpnekc32.exe98⤵PID:2128
-
C:\Windows\SysWOW64\Gapbbk32.exeC:\Windows\system32\Gapbbk32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Gncblo32.exeC:\Windows\system32\Gncblo32.exe100⤵PID:2472
-
C:\Windows\SysWOW64\Glgcec32.exeC:\Windows\system32\Glgcec32.exe101⤵PID:2076
-
C:\Windows\SysWOW64\Gepgni32.exeC:\Windows\system32\Gepgni32.exe102⤵PID:1560
-
C:\Windows\SysWOW64\Gjmpfp32.exeC:\Windows\system32\Gjmpfp32.exe103⤵PID:2964
-
C:\Windows\SysWOW64\Gmklbk32.exeC:\Windows\system32\Gmklbk32.exe104⤵PID:2292
-
C:\Windows\SysWOW64\Ghqqpd32.exeC:\Windows\system32\Ghqqpd32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Gibmglep.exeC:\Windows\system32\Gibmglep.exe106⤵PID:1160
-
C:\Windows\SysWOW64\Gdgadeee.exeC:\Windows\system32\Gdgadeee.exe107⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Hidjml32.exeC:\Windows\system32\Hidjml32.exe108⤵PID:2880
-
C:\Windows\SysWOW64\Hpnbjfjj.exeC:\Windows\system32\Hpnbjfjj.exe109⤵PID:1032
-
C:\Windows\SysWOW64\Hbokkagk.exeC:\Windows\system32\Hbokkagk.exe110⤵PID:2888
-
C:\Windows\SysWOW64\Hmdohj32.exeC:\Windows\system32\Hmdohj32.exe111⤵PID:2668
-
C:\Windows\SysWOW64\Hpckee32.exeC:\Windows\system32\Hpckee32.exe112⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Hepdml32.exeC:\Windows\system32\Hepdml32.exe113⤵PID:2060
-
C:\Windows\SysWOW64\Hafdbmjp.exeC:\Windows\system32\Hafdbmjp.exe114⤵PID:2400
-
C:\Windows\SysWOW64\Hlliof32.exeC:\Windows\system32\Hlliof32.exe115⤵PID:2868
-
C:\Windows\SysWOW64\Iedmhlqf.exeC:\Windows\system32\Iedmhlqf.exe116⤵PID:2204
-
C:\Windows\SysWOW64\Ilneef32.exeC:\Windows\system32\Ilneef32.exe117⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Idjjih32.exeC:\Windows\system32\Idjjih32.exe118⤵PID:296
-
C:\Windows\SysWOW64\Ioonfaed.exeC:\Windows\system32\Ioonfaed.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Igjckcbo.exeC:\Windows\system32\Igjckcbo.exe120⤵PID:2856
-
C:\Windows\SysWOW64\Iapghlbe.exeC:\Windows\system32\Iapghlbe.exe121⤵PID:2700
-
C:\Windows\SysWOW64\Igomfb32.exeC:\Windows\system32\Igomfb32.exe122⤵PID:1304
-