Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 04:10
Static task
static1
Behavioral task
behavioral1
Sample
c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe
Resource
win10v2004-20241007-en
General
-
Target
c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe
-
Size
96KB
-
MD5
17b7691c3c3446df797039b7312fb11b
-
SHA1
fee6bf1280f96dc36a09eb7f5004a76c9d855782
-
SHA256
c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443
-
SHA512
041715ee5b853234894b0a25a06acd492abe1d1c9de9edb4dbca609fc967611afe75faf3fd951354a7d9a722e555bfa03005648694d6f1769bea54fa22be73d1
-
SSDEEP
1536:UkpDU2/TkoUt+yhVTQ0AJOJg4DjxvAosVJxpeEYc+duV9jojTIvjrH:UmDU2LkobyhVE0CyjxvA3rxMpbd69jcs
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idohdhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plndcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphooc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icplje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghoijebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boobki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emgdmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmqkml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneaacno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjpdhifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kecjmodq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahedjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nldahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omhkcnfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfjhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joblkegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaablcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jihdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laodmoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmeebpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jecnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjlemlnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kamlhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lolofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhdjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlpbna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcggef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddcimag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmblnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddkgbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epeajo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgogealf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kngekdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfchqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blniinac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdkkcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmeebpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngpcohbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ammmlcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efffpjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcmnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkilka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbcelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkkgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiokholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpbkhabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddppmclb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckmpicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpqim32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2804 Amgjnepn.exe 2796 Abdbflnf.exe 2600 Aphcppmo.exe 2584 Aaipghcn.exe 3012 Ahchdb32.exe 2020 Akadpn32.exe 1908 Aeghng32.exe 1140 Ahedjb32.exe 2480 Aanibhoh.exe 2016 Adleoc32.exe 1920 Aoaill32.exe 1888 Bpcfcddp.exe 784 Bkhjamcf.exe 2196 Babbng32.exe 2036 Bccoeo32.exe 3068 Bkkgfm32.exe 1308 Bphooc32.exe 1752 Bcflko32.exe 1804 Bjpdhifk.exe 1500 Blnpddeo.exe 1964 Bfgdmjlp.exe 2496 Bheaiekc.exe 2412 Baneak32.exe 1616 Clciod32.exe 876 Ccmblnif.exe 2724 Cbpbgk32.exe 2620 Chjjde32.exe 2404 Codbqonk.exe 1700 Cgogealf.exe 2552 Cnipak32.exe 2364 Cqglng32.exe 1236 Ckmpkpbl.exe 1592 Cchdpbog.exe 2460 Cgdqpq32.exe 2240 Dgfmep32.exe 1420 Djdjalea.exe 1092 Dcmnja32.exe 2212 Dfkjgm32.exe 2188 Dcokpa32.exe 2000 Dfngll32.exe 1808 Dkjpdcfj.exe 1012 Dcageqgm.exe 1724 Dinpnged.exe 1680 Dkmljcdh.exe 2488 Dphhka32.exe 2140 Dfbqgldn.exe 1444 Diqmcgca.exe 2776 Eloipb32.exe 2828 Ealahi32.exe 2592 Eiciig32.exe 2960 Elaeeb32.exe 1340 Ejdfqogm.exe 1800 Eannmi32.exe 348 Ehhfjcff.exe 1636 Eldbkbop.exe 2468 Enbogmnc.exe 264 Eelgcg32.exe 2320 Ehkcpc32.exe 2484 Efmckpko.exe 920 Endklmlq.exe 1492 Epfhde32.exe 2500 Ehmpeb32.exe 2476 Ejklan32.exe 1572 Emjhmipi.exe -
Loads dropped DLL 64 IoCs
pid Process 2716 c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe 2716 c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe 2804 Amgjnepn.exe 2804 Amgjnepn.exe 2796 Abdbflnf.exe 2796 Abdbflnf.exe 2600 Aphcppmo.exe 2600 Aphcppmo.exe 2584 Aaipghcn.exe 2584 Aaipghcn.exe 3012 Ahchdb32.exe 3012 Ahchdb32.exe 2020 Akadpn32.exe 2020 Akadpn32.exe 1908 Aeghng32.exe 1908 Aeghng32.exe 1140 Ahedjb32.exe 1140 Ahedjb32.exe 2480 Aanibhoh.exe 2480 Aanibhoh.exe 2016 Adleoc32.exe 2016 Adleoc32.exe 1920 Aoaill32.exe 1920 Aoaill32.exe 1888 Bpcfcddp.exe 1888 Bpcfcddp.exe 784 Bkhjamcf.exe 784 Bkhjamcf.exe 2196 Babbng32.exe 2196 Babbng32.exe 2036 Bccoeo32.exe 2036 Bccoeo32.exe 3068 Bkkgfm32.exe 3068 Bkkgfm32.exe 1308 Bphooc32.exe 1308 Bphooc32.exe 1752 Bcflko32.exe 1752 Bcflko32.exe 1804 Bjpdhifk.exe 1804 Bjpdhifk.exe 1500 Blnpddeo.exe 1500 Blnpddeo.exe 1964 Bfgdmjlp.exe 1964 Bfgdmjlp.exe 2496 Bheaiekc.exe 2496 Bheaiekc.exe 2412 Baneak32.exe 2412 Baneak32.exe 1616 Clciod32.exe 1616 Clciod32.exe 876 Ccmblnif.exe 876 Ccmblnif.exe 2724 Cbpbgk32.exe 2724 Cbpbgk32.exe 2620 Chjjde32.exe 2620 Chjjde32.exe 2404 Codbqonk.exe 2404 Codbqonk.exe 1700 Cgogealf.exe 1700 Cgogealf.exe 2552 Cnipak32.exe 2552 Cnipak32.exe 2364 Cqglng32.exe 2364 Cqglng32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Klmbjh32.exe Kiofnm32.exe File opened for modification C:\Windows\SysWOW64\Ndafcmci.exe Macjgadf.exe File opened for modification C:\Windows\SysWOW64\Bcflko32.exe Bphooc32.exe File created C:\Windows\SysWOW64\Kflafbak.exe Kbpefc32.exe File created C:\Windows\SysWOW64\Nfbgoj32.dll Okpdjjil.exe File created C:\Windows\SysWOW64\Bkkgfm32.exe Bccoeo32.exe File opened for modification C:\Windows\SysWOW64\Ldkdckff.exe Lmalgq32.exe File created C:\Windows\SysWOW64\Jnlbgq32.exe Jjpgfbom.exe File opened for modification C:\Windows\SysWOW64\Jcikog32.exe Jajocl32.exe File created C:\Windows\SysWOW64\Kamlhl32.exe Kiecgo32.exe File opened for modification C:\Windows\SysWOW64\Mcidkf32.exe Mpkhoj32.exe File created C:\Windows\SysWOW64\Acpchmhl.dll Djoeki32.exe File opened for modification C:\Windows\SysWOW64\Einebddd.exe Efoifiep.exe File opened for modification C:\Windows\SysWOW64\Gagmbkik.exe Goiafp32.exe File created C:\Windows\SysWOW64\Ejfekbaf.dll Hfebhmbm.exe File created C:\Windows\SysWOW64\Bnlpkh32.dll Jcdadhjb.exe File created C:\Windows\SysWOW64\Fdnoim32.dll Mcggef32.exe File created C:\Windows\SysWOW64\Mkjhmf32.dll Mldeik32.exe File opened for modification C:\Windows\SysWOW64\Dglpdomh.exe Ddmchcnd.exe File opened for modification C:\Windows\SysWOW64\Eldbkbop.exe Ehhfjcff.exe File opened for modification C:\Windows\SysWOW64\Ghoijebj.exe Geqlnjcf.exe File opened for modification C:\Windows\SysWOW64\Hhaanh32.exe Hagianlf.exe File created C:\Windows\SysWOW64\Jidbmpjh.dll Ocpfkh32.exe File created C:\Windows\SysWOW64\Djafaf32.exe Cbjnqh32.exe File created C:\Windows\SysWOW64\Jhpgpkho.dll Epeajo32.exe File created C:\Windows\SysWOW64\Ephdjeol.exe Eaednh32.exe File created C:\Windows\SysWOW64\Bgdkfk32.dll Ggdekbgb.exe File created C:\Windows\SysWOW64\Nnfdgopc.dll Hdhbci32.exe File created C:\Windows\SysWOW64\Meecaa32.exe Mcggef32.exe File created C:\Windows\SysWOW64\Adiaommc.exe Adiaommc.exe File opened for modification C:\Windows\SysWOW64\Akadpn32.exe Ahchdb32.exe File opened for modification C:\Windows\SysWOW64\Ealahi32.exe Eloipb32.exe File created C:\Windows\SysWOW64\Camnge32.exe Boobki32.exe File opened for modification C:\Windows\SysWOW64\Cgnpjkhj.exe Cccdjl32.exe File created C:\Windows\SysWOW64\Dbmkfh32.exe Donojm32.exe File created C:\Windows\SysWOW64\Jpppbp32.dll Jbcelp32.exe File created C:\Windows\SysWOW64\Hcgqbmgm.dll Kijmbnpo.exe File created C:\Windows\SysWOW64\Nelafe32.dll Boobki32.exe File created C:\Windows\SysWOW64\Eoeffhea.dll Hbnpbm32.exe File created C:\Windows\SysWOW64\Aocbokia.exe Aldfcpjn.exe File created C:\Windows\SysWOW64\Bhndnpnp.exe Bikcbc32.exe File created C:\Windows\SysWOW64\Neajod32.dll Lgpfpe32.exe File created C:\Windows\SysWOW64\Jdbnpf32.dll Omfnnnhj.exe File opened for modification C:\Windows\SysWOW64\Ldmaijdc.exe Laodmoep.exe File created C:\Windows\SysWOW64\Mdkiio32.dll Ngbpehpj.exe File created C:\Windows\SysWOW64\Afcdpi32.exe Ahpddmia.exe File created C:\Windows\SysWOW64\Dkbbinig.exe Dlpbna32.exe File opened for modification C:\Windows\SysWOW64\Ehkcpc32.exe Eelgcg32.exe File opened for modification C:\Windows\SysWOW64\Kbenacdm.exe Kpfbegei.exe File created C:\Windows\SysWOW64\Adiaommc.exe Albjnplq.exe File opened for modification C:\Windows\SysWOW64\Djmiejji.exe Dgnminke.exe File opened for modification C:\Windows\SysWOW64\Ifengpdh.exe Icfbkded.exe File created C:\Windows\SysWOW64\Mmmloaog.dll Aeokba32.exe File opened for modification C:\Windows\SysWOW64\Bkkgfm32.exe Bccoeo32.exe File opened for modification C:\Windows\SysWOW64\Dkjpdcfj.exe Dfngll32.exe File created C:\Windows\SysWOW64\Dqhgonnp.dll Flhhed32.exe File opened for modification C:\Windows\SysWOW64\Iblola32.exe Iomcpe32.exe File created C:\Windows\SysWOW64\Ppgcol32.exe Pmhgba32.exe File opened for modification C:\Windows\SysWOW64\Albjnplq.exe Aicmadmm.exe File created C:\Windows\SysWOW64\Ahchdb32.exe Aaipghcn.exe File created C:\Windows\SysWOW64\Adleoc32.exe Aanibhoh.exe File created C:\Windows\SysWOW64\Fedfgejh.exe Fnjnkkbk.exe File created C:\Windows\SysWOW64\Pbjifgcd.exe Ppkmjlca.exe File created C:\Windows\SysWOW64\Glgkjp32.dll Efffpjmk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5368 5344 WerFault.exe 458 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooidei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naegmabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodjjign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijidfpci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfidqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjamcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcokpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnofaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdbflnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchdpbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adblnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhfjcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpbik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijacjnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealahi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkhjdde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iifghk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmpkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhhed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iianmlfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmqkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpfkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddppmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnahilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhmhcigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcfcddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babbng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfmpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphooc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfbkded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonlkcho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcofica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnodgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceeqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcppkbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcelp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnpjkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphcppmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophacfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehpga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Endklmlq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhaanh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igkhjdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmaonc32.dll" Dkeoongd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeihnam.dll" Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipklb32.dll" Ofaolcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcinlc.dll" Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkeoongd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eloipb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imogcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkdioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aicmadmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifbaapfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbpefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbinm32.dll" Ppgcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpchmhl.dll" Djoeki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbphgpfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefqbobh.dll" Qncfphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgehjlpm.dll" Cgogealf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfbgoj32.dll" Okpdjjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aphcppmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpmmn32.dll" Mcidkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdmmhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djoeki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpmjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeomnifk.dll" Bcflko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Endklmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlqejic.dll" Qdpohodn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlbn32.dll" Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnicaj32.dll" Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpdhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enmnahnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhiiop32.dll" c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbimkpmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfekbaf.dll" Hfebhmbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igpaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjepaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcokpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejklan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plliem32.dll" Hoimecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfejc32.dll" Ifengpdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmeebpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpdankjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacjlp32.dll" Naegmabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkkgfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anecfgdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofobgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joblkegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jeoeclek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdbgnmd.dll" Nfglfdeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbadagln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggiofa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fogdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klalgq32.dll" Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njeelc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2804 2716 c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe 30 PID 2716 wrote to memory of 2804 2716 c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe 30 PID 2716 wrote to memory of 2804 2716 c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe 30 PID 2716 wrote to memory of 2804 2716 c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe 30 PID 2804 wrote to memory of 2796 2804 Amgjnepn.exe 31 PID 2804 wrote to memory of 2796 2804 Amgjnepn.exe 31 PID 2804 wrote to memory of 2796 2804 Amgjnepn.exe 31 PID 2804 wrote to memory of 2796 2804 Amgjnepn.exe 31 PID 2796 wrote to memory of 2600 2796 Abdbflnf.exe 32 PID 2796 wrote to memory of 2600 2796 Abdbflnf.exe 32 PID 2796 wrote to memory of 2600 2796 Abdbflnf.exe 32 PID 2796 wrote to memory of 2600 2796 Abdbflnf.exe 32 PID 2600 wrote to memory of 2584 2600 Aphcppmo.exe 33 PID 2600 wrote to memory of 2584 2600 Aphcppmo.exe 33 PID 2600 wrote to memory of 2584 2600 Aphcppmo.exe 33 PID 2600 wrote to memory of 2584 2600 Aphcppmo.exe 33 PID 2584 wrote to memory of 3012 2584 Aaipghcn.exe 34 PID 2584 wrote to memory of 3012 2584 Aaipghcn.exe 34 PID 2584 wrote to memory of 3012 2584 Aaipghcn.exe 34 PID 2584 wrote to memory of 3012 2584 Aaipghcn.exe 34 PID 3012 wrote to memory of 2020 3012 Ahchdb32.exe 35 PID 3012 wrote to memory of 2020 3012 Ahchdb32.exe 35 PID 3012 wrote to memory of 2020 3012 Ahchdb32.exe 35 PID 3012 wrote to memory of 2020 3012 Ahchdb32.exe 35 PID 2020 wrote to memory of 1908 2020 Akadpn32.exe 36 PID 2020 wrote to memory of 1908 2020 Akadpn32.exe 36 PID 2020 wrote to memory of 1908 2020 Akadpn32.exe 36 PID 2020 wrote to memory of 1908 2020 Akadpn32.exe 36 PID 1908 wrote to memory of 1140 1908 Aeghng32.exe 37 PID 1908 wrote to memory of 1140 1908 Aeghng32.exe 37 PID 1908 wrote to memory of 1140 1908 Aeghng32.exe 37 PID 1908 wrote to memory of 1140 1908 Aeghng32.exe 37 PID 1140 wrote to memory of 2480 1140 Ahedjb32.exe 38 PID 1140 wrote to memory of 2480 1140 Ahedjb32.exe 38 PID 1140 wrote to memory of 2480 1140 Ahedjb32.exe 38 PID 1140 wrote to memory of 2480 1140 Ahedjb32.exe 38 PID 2480 wrote to memory of 2016 2480 Aanibhoh.exe 39 PID 2480 wrote to memory of 2016 2480 Aanibhoh.exe 39 PID 2480 wrote to memory of 2016 2480 Aanibhoh.exe 39 PID 2480 wrote to memory of 2016 2480 Aanibhoh.exe 39 PID 2016 wrote to memory of 1920 2016 Adleoc32.exe 40 PID 2016 wrote to memory of 1920 2016 Adleoc32.exe 40 PID 2016 wrote to memory of 1920 2016 Adleoc32.exe 40 PID 2016 wrote to memory of 1920 2016 Adleoc32.exe 40 PID 1920 wrote to memory of 1888 1920 Aoaill32.exe 41 PID 1920 wrote to memory of 1888 1920 Aoaill32.exe 41 PID 1920 wrote to memory of 1888 1920 Aoaill32.exe 41 PID 1920 wrote to memory of 1888 1920 Aoaill32.exe 41 PID 1888 wrote to memory of 784 1888 Bpcfcddp.exe 42 PID 1888 wrote to memory of 784 1888 Bpcfcddp.exe 42 PID 1888 wrote to memory of 784 1888 Bpcfcddp.exe 42 PID 1888 wrote to memory of 784 1888 Bpcfcddp.exe 42 PID 784 wrote to memory of 2196 784 Bkhjamcf.exe 43 PID 784 wrote to memory of 2196 784 Bkhjamcf.exe 43 PID 784 wrote to memory of 2196 784 Bkhjamcf.exe 43 PID 784 wrote to memory of 2196 784 Bkhjamcf.exe 43 PID 2196 wrote to memory of 2036 2196 Babbng32.exe 44 PID 2196 wrote to memory of 2036 2196 Babbng32.exe 44 PID 2196 wrote to memory of 2036 2196 Babbng32.exe 44 PID 2196 wrote to memory of 2036 2196 Babbng32.exe 44 PID 2036 wrote to memory of 3068 2036 Bccoeo32.exe 45 PID 2036 wrote to memory of 3068 2036 Bccoeo32.exe 45 PID 2036 wrote to memory of 3068 2036 Bccoeo32.exe 45 PID 2036 wrote to memory of 3068 2036 Bccoeo32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe"C:\Users\Admin\AppData\Local\Temp\c58edd6b377078f1f7b9622d0ce563205b9b7c2a144c5bd5428ce3ec814d4443.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Baneak32.exeC:\Windows\system32\Baneak32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe35⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe36⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe37⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Dfkjgm32.exeC:\Windows\system32\Dfkjgm32.exe39⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe43⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe44⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe45⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe47⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe48⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe51⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe53⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Eannmi32.exeC:\Windows\system32\Eannmi32.exe54⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:348 -
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe56⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe59⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe60⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe62⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe63⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ejklan32.exeC:\Windows\system32\Ejklan32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe65⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Eaednh32.exeC:\Windows\system32\Eaednh32.exe66⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe67⤵PID:2748
-
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe68⤵PID:3008
-
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe69⤵PID:580
-
C:\Windows\SysWOW64\Fpjaodmj.exeC:\Windows\system32\Fpjaodmj.exe70⤵PID:2168
-
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe72⤵
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe73⤵PID:1688
-
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe74⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe75⤵PID:1708
-
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe76⤵PID:2532
-
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe77⤵PID:1648
-
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe78⤵PID:652
-
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe79⤵PID:2452
-
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe80⤵PID:2344
-
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe81⤵PID:1016
-
C:\Windows\SysWOW64\Fkilka32.exeC:\Windows\system32\Fkilka32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe83⤵PID:2652
-
C:\Windows\SysWOW64\Fdapcg32.exeC:\Windows\system32\Fdapcg32.exe84⤵PID:2148
-
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:308 -
C:\Windows\SysWOW64\Fogdap32.exeC:\Windows\system32\Fogdap32.exe86⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Gaeqmk32.exeC:\Windows\system32\Gaeqmk32.exe87⤵PID:1376
-
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ghoijebj.exeC:\Windows\system32\Ghoijebj.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe90⤵PID:2436
-
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe91⤵
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe92⤵PID:1676
-
C:\Windows\SysWOW64\Gdfiofhn.exeC:\Windows\system32\Gdfiofhn.exe93⤵PID:2104
-
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe94⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe95⤵PID:2932
-
C:\Windows\SysWOW64\Gpmjcg32.exeC:\Windows\system32\Gpmjcg32.exe96⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe97⤵PID:2032
-
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe98⤵
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Gpogiglp.exeC:\Windows\system32\Gpogiglp.exe100⤵PID:320
-
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe101⤵PID:2132
-
C:\Windows\SysWOW64\Ggiofa32.exeC:\Windows\system32\Ggiofa32.exe102⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe103⤵PID:2704
-
C:\Windows\SysWOW64\Goddjc32.exeC:\Windows\system32\Goddjc32.exe104⤵PID:2976
-
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe105⤵
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe106⤵PID:2068
-
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe107⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe108⤵PID:2940
-
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe109⤵PID:2204
-
C:\Windows\SysWOW64\Hjlemlnk.exeC:\Windows\system32\Hjlemlnk.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1856 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe111⤵PID:1928
-
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe112⤵
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Hagianlf.exeC:\Windows\system32\Hagianlf.exe113⤵
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe114⤵
- Modifies registry class
PID:708 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe115⤵PID:2840
-
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe116⤵PID:856
-
C:\Windows\SysWOW64\Hfebhmbm.exeC:\Windows\system32\Hfebhmbm.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe118⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe119⤵PID:1788
-
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe120⤵PID:2084
-
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe121⤵
- System Location Discovery: System Language Discovery
PID:272 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe122⤵PID:964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-