Analysis
-
max time kernel
108s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
11/10/2024, 20:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe
-
Size
512KB
-
MD5
c5fd44223638958e3d70fa1d7cfccacd
-
SHA1
8b23ed9ff8ecd06834eb0a2610183f0c5946b677
-
SHA256
3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514
-
SHA512
8b56dc02078fe0cfe78bc25f5085534049e27b2c3bd433552dd87882ea24d90af19f05da0326f46bf27c3cbe8ab2aa1d1dc88b0f6c65f429f406c9ecc49806a2
-
SSDEEP
6144:hUhjlMzjee6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZO5f7wj7vK/f:eMzDkY660fIaDZkY660f8jTK/Xhdz
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gndebkii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iklfia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkpppmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcpglhpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikocoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagkebpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pglojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gihpcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmahkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahpahel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deiipp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Almjcobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baoopndk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbdobpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkdgecna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlkcbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibebeqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igoagpja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdilalko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iogbllfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phgfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbbbed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmihn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohphgce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmeohnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailqfooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egflml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gngfjicn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnoocq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adppdckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onacgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbpfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmdefk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nliqoofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iekbmfdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqbdllld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkambhgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfhmhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emggflfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmiknng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpledf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncloha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnnbqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eapcjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohajic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Midqiaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngjlpmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfieec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcedbefd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqcmdjjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Genkhidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flmidkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkhpfo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2804 Lpqlemaj.exe 2824 Mkofaj32.exe 2736 Makkcc32.exe 2972 Nllbdp32.exe 796 Ngjlpmnn.exe 2452 Okhefl32.exe 2052 Oighcd32.exe 1740 Pdecoa32.exe 2000 Pnmdbi32.exe 236 Allgoa32.exe 1116 Aeiecfga.exe 1424 Bphooc32.exe 1640 Bomlppdb.exe 2160 Cofofolh.exe 1168 Dijfch32.exe 2328 Diqmcgca.exe 1508 Eiciig32.exe 2112 Ehmpeb32.exe 2940 Ebfqfpop.exe 2456 Ficehj32.exe 1928 Fopnpaba.exe 1812 Flfkoeoh.exe 1796 Fenphjei.exe 892 Gmidlmcd.exe 1792 Gdfiofhn.exe 936 Gkbnap32.exe 2752 Hijhhl32.exe 2852 Hcdifa32.exe 2988 Hfebhmbm.exe 2784 Hkdgecna.exe 3064 Idohdhbo.exe 1300 Ioiidfon.exe 1648 Iickckcl.exe 1048 Imacijjb.exe 872 Jnemfa32.exe 2672 Jbcelp32.exe 1428 Jcfoihhp.exe 584 Jajocl32.exe 3016 Kjepaa32.exe 3004 Kflafbak.exe 2144 Kimjhnnl.exe 1744 Kjpceebh.exe 2408 Ldhgnk32.exe 1768 Lehdhn32.exe 1800 Lophacfl.exe 2300 Lijiaabk.exe 2512 Mehpga32.exe 696 Mhkfnlme.exe 1600 Nklopg32.exe 2740 Nknkeg32.exe 2828 Ncipjieo.exe 2892 Nckmpicl.exe 2612 Nobndj32.exe 2480 Nhkbmo32.exe 1324 Omhkcnfg.exe 2952 Oiokholk.exe 2700 Onldqejb.exe 1500 Okpdjjil.exe 2468 Okbapi32.exe 2208 Pgibdjln.exe 2588 Pglojj32.exe 1452 Padccpal.exe 1536 Plndcmmj.exe 1036 Pnnmeh32.exe -
Loads dropped DLL 64 IoCs
pid Process 3056 3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe 3056 3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe 2804 Lpqlemaj.exe 2804 Lpqlemaj.exe 2824 Mkofaj32.exe 2824 Mkofaj32.exe 2736 Makkcc32.exe 2736 Makkcc32.exe 2972 Nllbdp32.exe 2972 Nllbdp32.exe 796 Ngjlpmnn.exe 796 Ngjlpmnn.exe 2452 Okhefl32.exe 2452 Okhefl32.exe 2052 Oighcd32.exe 2052 Oighcd32.exe 1740 Pdecoa32.exe 1740 Pdecoa32.exe 2000 Pnmdbi32.exe 2000 Pnmdbi32.exe 236 Allgoa32.exe 236 Allgoa32.exe 1116 Aeiecfga.exe 1116 Aeiecfga.exe 1424 Bphooc32.exe 1424 Bphooc32.exe 1640 Bomlppdb.exe 1640 Bomlppdb.exe 2160 Cofofolh.exe 2160 Cofofolh.exe 1168 Dijfch32.exe 1168 Dijfch32.exe 2328 Diqmcgca.exe 2328 Diqmcgca.exe 1508 Eiciig32.exe 1508 Eiciig32.exe 2112 Ehmpeb32.exe 2112 Ehmpeb32.exe 2940 Ebfqfpop.exe 2940 Ebfqfpop.exe 2456 Ficehj32.exe 2456 Ficehj32.exe 1928 Fopnpaba.exe 1928 Fopnpaba.exe 1812 Flfkoeoh.exe 1812 Flfkoeoh.exe 1796 Fenphjei.exe 1796 Fenphjei.exe 892 Gmidlmcd.exe 892 Gmidlmcd.exe 1792 Gdfiofhn.exe 1792 Gdfiofhn.exe 936 Gkbnap32.exe 936 Gkbnap32.exe 2752 Hijhhl32.exe 2752 Hijhhl32.exe 2852 Hcdifa32.exe 2852 Hcdifa32.exe 2988 Hfebhmbm.exe 2988 Hfebhmbm.exe 2784 Hkdgecna.exe 2784 Hkdgecna.exe 3064 Idohdhbo.exe 3064 Idohdhbo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ccdnipal.exe Cgmndokg.exe File created C:\Windows\SysWOW64\Naofga32.dll Nmkklflj.exe File created C:\Windows\SysWOW64\Oloioh32.dll Ojjnioae.exe File created C:\Windows\SysWOW64\Lmpdoffo.exe Llnhgn32.exe File created C:\Windows\SysWOW64\Caajmilh.exe Cdnicemo.exe File created C:\Windows\SysWOW64\Cifqgb32.dll Hcdifa32.exe File created C:\Windows\SysWOW64\Jibpghbk.exe Jmlobg32.exe File opened for modification C:\Windows\SysWOW64\Lcfhpf32.exe Lnipgp32.exe File opened for modification C:\Windows\SysWOW64\Cdnicemo.exe Clbdobpc.exe File created C:\Windows\SysWOW64\Adncoc32.exe Qlbnja32.exe File created C:\Windows\SysWOW64\Ckmbcq32.dll Fhdlbd32.exe File created C:\Windows\SysWOW64\Fgmaphdg.exe Fbpihafp.exe File created C:\Windows\SysWOW64\Dfnalqca.dll Jcodcp32.exe File created C:\Windows\SysWOW64\Gmhmdc32.exe Gdpikmci.exe File opened for modification C:\Windows\SysWOW64\Ppelfbol.exe Pfmgmm32.exe File opened for modification C:\Windows\SysWOW64\Pcqebd32.exe Pcnhmdli.exe File created C:\Windows\SysWOW64\Cfmeqg32.dll Ebekej32.exe File opened for modification C:\Windows\SysWOW64\Gdfmccfm.exe Gjolpkhj.exe File created C:\Windows\SysWOW64\Cpgabh32.dll Najbbepc.exe File opened for modification C:\Windows\SysWOW64\Clclhmin.exe Beggec32.exe File created C:\Windows\SysWOW64\Kejahn32.exe Kkdnke32.exe File created C:\Windows\SysWOW64\Obbbpp32.dll Pojgnf32.exe File created C:\Windows\SysWOW64\Biqghigf.dll Lddjmb32.exe File created C:\Windows\SysWOW64\Qqldpfmh.exe Pchdfb32.exe File created C:\Windows\SysWOW64\Ifceemdj.exe Ilnqhddd.exe File opened for modification C:\Windows\SysWOW64\Bpnibl32.exe Bfieec32.exe File opened for modification C:\Windows\SysWOW64\Ickoimie.exe Hchbcmlh.exe File created C:\Windows\SysWOW64\Occlcg32.exe Ongckp32.exe File created C:\Windows\SysWOW64\Fopjnd32.dll Bipaodah.exe File opened for modification C:\Windows\SysWOW64\Nmeohnil.exe Mcmkoi32.exe File created C:\Windows\SysWOW64\Fbhfcf32.exe Fmknko32.exe File created C:\Windows\SysWOW64\Ogadkajl.exe Oofpgolq.exe File opened for modification C:\Windows\SysWOW64\Dncdqcbl.exe Djeljd32.exe File created C:\Windows\SysWOW64\Hnjdpm32.exe Hdapggln.exe File created C:\Windows\SysWOW64\Kmgekh32.exe Khhpmbeb.exe File created C:\Windows\SysWOW64\Lmlnjcgg.exe Jempcgad.exe File opened for modification C:\Windows\SysWOW64\Bbjoki32.exe Biakbc32.exe File opened for modification C:\Windows\SysWOW64\Nqbdllld.exe Mfhcknpf.exe File opened for modification C:\Windows\SysWOW64\Qibjjgag.exe Qipmdhcj.exe File created C:\Windows\SysWOW64\Gpfeadne.dll Ajmihn32.exe File created C:\Windows\SysWOW64\Mdfldbog.dll Dfpfke32.exe File created C:\Windows\SysWOW64\Cignhbcn.dll Fiakkcma.exe File created C:\Windows\SysWOW64\Eqnillbb.exe Elpqemll.exe File created C:\Windows\SysWOW64\Dlomfh32.dll Hfjglppd.exe File created C:\Windows\SysWOW64\Ocbbbd32.exe Ojjnioae.exe File opened for modification C:\Windows\SysWOW64\Ikocoa32.exe Iklfia32.exe File created C:\Windows\SysWOW64\Bhbodpkg.dll Mgodjico.exe File opened for modification C:\Windows\SysWOW64\Kadhen32.exe Kihcakpa.exe File created C:\Windows\SysWOW64\Bbifhddh.dll Dkhpfo32.exe File opened for modification C:\Windows\SysWOW64\Bigpdjpm.exe Bffgbo32.exe File created C:\Windows\SysWOW64\Aimfcedl.exe Aikine32.exe File created C:\Windows\SysWOW64\Qbamehlq.dll Aimfcedl.exe File created C:\Windows\SysWOW64\Bphkjefo.dll Lpckce32.exe File opened for modification C:\Windows\SysWOW64\Gmipko32.exe Fikgda32.exe File created C:\Windows\SysWOW64\Nkbcgnie.exe Nbfobllj.exe File opened for modification C:\Windows\SysWOW64\Oaeacppk.exe Ofnppgbh.exe File created C:\Windows\SysWOW64\Lceodl32.dll Kjopnh32.exe File created C:\Windows\SysWOW64\Godhgedg.exe Fnelmb32.exe File opened for modification C:\Windows\SysWOW64\Godhgedg.exe Fnelmb32.exe File opened for modification C:\Windows\SysWOW64\Lnipgp32.exe Kngcbpjc.exe File opened for modification C:\Windows\SysWOW64\Allgoa32.exe Pnmdbi32.exe File created C:\Windows\SysWOW64\Cfdccf32.dll Nnkekfkd.exe File opened for modification C:\Windows\SysWOW64\Dijfch32.exe Cofofolh.exe File created C:\Windows\SysWOW64\Aeokba32.exe Qdpohodn.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihkifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Occlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcgmkil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjgbbpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emlhfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nllbdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcnpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agakog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjcfjoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhfjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahkhgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomlppdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdilalko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmojcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fohphgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbkbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eapcjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kagkebpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hopibdfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeiecfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plheil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejfio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikicikap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqfhqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egihcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbhjkij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkcqfifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplhooec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebekej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqcpfcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchclmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kioiffcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfpif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmaghc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofjem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebicee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgpalcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpdkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgoaap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beplcfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbgia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmbfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpcghl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmeadbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caajmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnbpcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfflfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeilbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjehlldb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abldccka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifobe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknnnoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonfgbhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdqpdja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdifa32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghangih.dll" Gbolce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egmeadbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fefdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lophacfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljfocan.dll" Blgcio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddhcbnnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idepdhia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpkmkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opknfm32.dll" Lhbhdnio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkkbcpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fblipohc.dll" Dfjcncak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajamfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enhaeldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnldgh32.dll" Ikicikap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfajl32.dll" Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaffca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joebccpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iokahhac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omjbihpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kngcbpjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhonegbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agakog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkbnap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijfqfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcgkcccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gekkpqnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kadhen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbobaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpnlndkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmbcq32.dll" Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbndmh32.dll" Jmibmhoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaopfl32.dll" Pemdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjfmb32.dll" Ahdkhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnojjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpcapia.dll" Ohqbbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abldccka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cglfndaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljjjmeie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbifhddh.dll" Dkhpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enjand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjacd32.dll" Gaibpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifeam32.dll" Bpbadcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dafchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eclejclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgiffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdphkml.dll" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabeia32.dll" Mfhcknpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ickoimie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkkfek.dll" Pclolakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmhfjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dncdqcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghcdpjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfdqpdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khhpmbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oncndnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdefco.dll" Qgiplffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmdefk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlkekilg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgmfjdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdhnnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enepnoji.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3056 wrote to memory of 2804 3056 3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe 30 PID 3056 wrote to memory of 2804 3056 3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe 30 PID 3056 wrote to memory of 2804 3056 3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe 30 PID 3056 wrote to memory of 2804 3056 3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe 30 PID 2804 wrote to memory of 2824 2804 Lpqlemaj.exe 31 PID 2804 wrote to memory of 2824 2804 Lpqlemaj.exe 31 PID 2804 wrote to memory of 2824 2804 Lpqlemaj.exe 31 PID 2804 wrote to memory of 2824 2804 Lpqlemaj.exe 31 PID 2824 wrote to memory of 2736 2824 Mkofaj32.exe 32 PID 2824 wrote to memory of 2736 2824 Mkofaj32.exe 32 PID 2824 wrote to memory of 2736 2824 Mkofaj32.exe 32 PID 2824 wrote to memory of 2736 2824 Mkofaj32.exe 32 PID 2736 wrote to memory of 2972 2736 Makkcc32.exe 33 PID 2736 wrote to memory of 2972 2736 Makkcc32.exe 33 PID 2736 wrote to memory of 2972 2736 Makkcc32.exe 33 PID 2736 wrote to memory of 2972 2736 Makkcc32.exe 33 PID 2972 wrote to memory of 796 2972 Nllbdp32.exe 34 PID 2972 wrote to memory of 796 2972 Nllbdp32.exe 34 PID 2972 wrote to memory of 796 2972 Nllbdp32.exe 34 PID 2972 wrote to memory of 796 2972 Nllbdp32.exe 34 PID 796 wrote to memory of 2452 796 Ngjlpmnn.exe 35 PID 796 wrote to memory of 2452 796 Ngjlpmnn.exe 35 PID 796 wrote to memory of 2452 796 Ngjlpmnn.exe 35 PID 796 wrote to memory of 2452 796 Ngjlpmnn.exe 35 PID 2452 wrote to memory of 2052 2452 Okhefl32.exe 36 PID 2452 wrote to memory of 2052 2452 Okhefl32.exe 36 PID 2452 wrote to memory of 2052 2452 Okhefl32.exe 36 PID 2452 wrote to memory of 2052 2452 Okhefl32.exe 36 PID 2052 wrote to memory of 1740 2052 Oighcd32.exe 37 PID 2052 wrote to memory of 1740 2052 Oighcd32.exe 37 PID 2052 wrote to memory of 1740 2052 Oighcd32.exe 37 PID 2052 wrote to memory of 1740 2052 Oighcd32.exe 37 PID 1740 wrote to memory of 2000 1740 Pdecoa32.exe 38 PID 1740 wrote to memory of 2000 1740 Pdecoa32.exe 38 PID 1740 wrote to memory of 2000 1740 Pdecoa32.exe 38 PID 1740 wrote to memory of 2000 1740 Pdecoa32.exe 38 PID 2000 wrote to memory of 236 2000 Pnmdbi32.exe 39 PID 2000 wrote to memory of 236 2000 Pnmdbi32.exe 39 PID 2000 wrote to memory of 236 2000 Pnmdbi32.exe 39 PID 2000 wrote to memory of 236 2000 Pnmdbi32.exe 39 PID 236 wrote to memory of 1116 236 Allgoa32.exe 40 PID 236 wrote to memory of 1116 236 Allgoa32.exe 40 PID 236 wrote to memory of 1116 236 Allgoa32.exe 40 PID 236 wrote to memory of 1116 236 Allgoa32.exe 40 PID 1116 wrote to memory of 1424 1116 Aeiecfga.exe 41 PID 1116 wrote to memory of 1424 1116 Aeiecfga.exe 41 PID 1116 wrote to memory of 1424 1116 Aeiecfga.exe 41 PID 1116 wrote to memory of 1424 1116 Aeiecfga.exe 41 PID 1424 wrote to memory of 1640 1424 Bphooc32.exe 42 PID 1424 wrote to memory of 1640 1424 Bphooc32.exe 42 PID 1424 wrote to memory of 1640 1424 Bphooc32.exe 42 PID 1424 wrote to memory of 1640 1424 Bphooc32.exe 42 PID 1640 wrote to memory of 2160 1640 Bomlppdb.exe 43 PID 1640 wrote to memory of 2160 1640 Bomlppdb.exe 43 PID 1640 wrote to memory of 2160 1640 Bomlppdb.exe 43 PID 1640 wrote to memory of 2160 1640 Bomlppdb.exe 43 PID 2160 wrote to memory of 1168 2160 Cofofolh.exe 44 PID 2160 wrote to memory of 1168 2160 Cofofolh.exe 44 PID 2160 wrote to memory of 1168 2160 Cofofolh.exe 44 PID 2160 wrote to memory of 1168 2160 Cofofolh.exe 44 PID 1168 wrote to memory of 2328 1168 Dijfch32.exe 45 PID 1168 wrote to memory of 2328 1168 Dijfch32.exe 45 PID 1168 wrote to memory of 2328 1168 Dijfch32.exe 45 PID 1168 wrote to memory of 2328 1168 Dijfch32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe"C:\Users\Admin\AppData\Local\Temp\3e98a5c9402e1ca3aee83403bb54dc04bd574a93ce744c50778bf79c1e5da514.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Gdfiofhn.exeC:\Windows\system32\Gdfiofhn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Hcdifa32.exeC:\Windows\system32\Hcdifa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Hfebhmbm.exeC:\Windows\system32\Hfebhmbm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Hkdgecna.exeC:\Windows\system32\Hkdgecna.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe33⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Iickckcl.exeC:\Windows\system32\Iickckcl.exe34⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe35⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe36⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe37⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe38⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe39⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe40⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe41⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe42⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe43⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe44⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe45⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe47⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Mhkfnlme.exeC:\Windows\system32\Mhkfnlme.exe49⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe50⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe51⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe52⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe53⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe55⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Omhkcnfg.exeC:\Windows\system32\Omhkcnfg.exe56⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe57⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe58⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe59⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe60⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe61⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe63⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Plndcmmj.exeC:\Windows\system32\Plndcmmj.exe64⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe65⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Pidaba32.exeC:\Windows\system32\Pidaba32.exe66⤵PID:2284
-
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe67⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe68⤵
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe69⤵PID:2076
-
C:\Windows\SysWOW64\Aaflgb32.exeC:\Windows\system32\Aaflgb32.exe70⤵PID:2716
-
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe71⤵PID:1284
-
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe72⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe73⤵PID:2712
-
C:\Windows\SysWOW64\Appbcn32.exeC:\Windows\system32\Appbcn32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe75⤵
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe76⤵PID:2788
-
C:\Windows\SysWOW64\Beadgdli.exeC:\Windows\system32\Beadgdli.exe77⤵PID:692
-
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe78⤵PID:2128
-
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe79⤵PID:2096
-
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe80⤵PID:1396
-
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe81⤵PID:912
-
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe82⤵PID:2488
-
C:\Windows\SysWOW64\Cgnpjkhj.exeC:\Windows\system32\Cgnpjkhj.exe83⤵PID:1964
-
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe86⤵PID:1776
-
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe87⤵PID:2704
-
C:\Windows\SysWOW64\Dfkclf32.exeC:\Windows\system32\Dfkclf32.exe88⤵PID:2748
-
C:\Windows\SysWOW64\Dnfhqi32.exeC:\Windows\system32\Dnfhqi32.exe89⤵PID:2684
-
C:\Windows\SysWOW64\Djmiejji.exeC:\Windows\system32\Djmiejji.exe90⤵PID:2928
-
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe91⤵PID:1724
-
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe92⤵PID:2944
-
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe93⤵PID:2432
-
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe94⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe95⤵PID:1760
-
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe96⤵PID:2556
-
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe97⤵
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe98⤵PID:1348
-
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe99⤵PID:2012
-
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe100⤵PID:2836
-
C:\Windows\SysWOW64\Fpemhb32.exeC:\Windows\system32\Fpemhb32.exe101⤵PID:2876
-
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe102⤵PID:2404
-
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1064 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe104⤵PID:628
-
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe105⤵PID:1936
-
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe106⤵PID:2440
-
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe107⤵PID:2224
-
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe109⤵PID:2156
-
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe110⤵PID:1128
-
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe111⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ijfqfj32.exeC:\Windows\system32\Ijfqfj32.exe112⤵
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe113⤵PID:2796
-
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe114⤵PID:2816
-
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe117⤵PID:636
-
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe118⤵PID:1264
-
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe119⤵PID:2496
-
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe120⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe121⤵
- Modifies registry class
PID:332
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-