Analysis
-
max time kernel
19s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 08:56
Static task
static1
Behavioral task
behavioral1
Sample
0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe
Resource
win10v2004-20241007-en
General
-
Target
0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe
-
Size
324KB
-
MD5
66d635eabfb5bc10d09f577c24ad1ff0
-
SHA1
5dcb904bf3b9b087bdf7dcf1ad909397239180b5
-
SHA256
0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419
-
SHA512
6d4dae0c74ff8a33cf8d69644776802b67ba35d4bf31dd7bad4e87ad43d735a23c9d9a1c3bd6836b96871f8bf650f206c4eee2b1bd8ca7d7279da17fd4f13844
-
SSDEEP
6144:61xIgRoiWrPrFKzd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:6vIgOhrwp5IFy5BcVPINRFYpfZvTmAW9
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knaeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aegkfpah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcanq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecbfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqffgapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcfohlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igkjcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jddqgdii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlbpme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqhclqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipfkabpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimlqfeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdfgbhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joebccpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kepgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnicoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnlpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgjjndeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bphaglgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lodnjboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmcgmkil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhklha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbpfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bodhjdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fihalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdkfmjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ionehnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iciaim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqkjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpapcnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikelhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpakm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogaeieoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfmnkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jopbnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbakpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngjoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mebpakbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enpdjfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbfmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehfafgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncloha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkedjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jghqia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Negeln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkblohek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgdfgbhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkeoongd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbhhkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbnkp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2696 Bahelebm.exe 2760 Bnofaf32.exe 2580 Cnabffeo.exe 2544 Ckecpjdh.exe 3004 Ccqhdmbc.exe 1600 Cnflae32.exe 1568 Cjmmffgn.exe 2116 Clkicbfa.exe 2872 Coladm32.exe 2232 Dhdfmbjc.exe 2616 Dkeoongd.exe 760 Dboglhna.exe 1672 Dqddmd32.exe 2212 Djmiejji.exe 2916 Djoeki32.exe 2076 Eddjhb32.exe 1868 Ejabqi32.exe 1644 Ejcofica.exe 2928 Embkbdce.exe 2256 Ebockkal.exe 2396 Eiilge32.exe 2472 Eepmlf32.exe 2464 Enhaeldn.exe 2780 Eebibf32.exe 2804 Fpgnoo32.exe 2708 Fbfjkj32.exe 2876 Fjaoplho.exe 2668 Fbhfajia.exe 3000 Fjckelfm.exe 2388 Fmbgageq.exe 2944 Fjfhkl32.exe 2168 Fdnlcakk.exe 2308 Fikelhib.exe 2772 Fabmmejd.exe 2844 Gminbfoh.exe 792 Gpgjnbnl.exe 1816 Gipngg32.exe 1904 Gpjfcali.exe 1776 Gefolhja.exe 664 Glpgibbn.exe 1756 Goocenaa.exe 292 Gampaipe.exe 1196 Ghghnc32.exe 2452 Gkedjo32.exe 2912 Gaplfinb.exe 1188 Gdnibdmf.exe 1560 Gleqdb32.exe 2092 Hmfmkjdf.exe 2552 Hhlaiccm.exe 2556 Hkjnenbp.exe 2496 Hadfah32.exe 808 Hdbbnd32.exe 2340 Hganjo32.exe 2824 Hafbghhj.exe 2208 Hpicbe32.exe 1732 Hkogpn32.exe 1976 Hlpchfdi.exe 2976 Hplphd32.exe 2988 Hgfheodo.exe 1632 Hjddaj32.exe 1864 Hlbpme32.exe 1812 Hclhjpjc.exe 2352 Ijfqfj32.exe 1684 Ipqicdim.exe -
Loads dropped DLL 64 IoCs
pid Process 2372 0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe 2372 0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe 2696 Bahelebm.exe 2696 Bahelebm.exe 2760 Bnofaf32.exe 2760 Bnofaf32.exe 2580 Cnabffeo.exe 2580 Cnabffeo.exe 2544 Ckecpjdh.exe 2544 Ckecpjdh.exe 3004 Ccqhdmbc.exe 3004 Ccqhdmbc.exe 1600 Cnflae32.exe 1600 Cnflae32.exe 1568 Cjmmffgn.exe 1568 Cjmmffgn.exe 2116 Clkicbfa.exe 2116 Clkicbfa.exe 2872 Coladm32.exe 2872 Coladm32.exe 2232 Dhdfmbjc.exe 2232 Dhdfmbjc.exe 2616 Dkeoongd.exe 2616 Dkeoongd.exe 760 Dboglhna.exe 760 Dboglhna.exe 1672 Dqddmd32.exe 1672 Dqddmd32.exe 2212 Djmiejji.exe 2212 Djmiejji.exe 2916 Djoeki32.exe 2916 Djoeki32.exe 2076 Eddjhb32.exe 2076 Eddjhb32.exe 1868 Ejabqi32.exe 1868 Ejabqi32.exe 1644 Ejcofica.exe 1644 Ejcofica.exe 2928 Embkbdce.exe 2928 Embkbdce.exe 2256 Ebockkal.exe 2256 Ebockkal.exe 2396 Eiilge32.exe 2396 Eiilge32.exe 2472 Eepmlf32.exe 2472 Eepmlf32.exe 2464 Enhaeldn.exe 2464 Enhaeldn.exe 2780 Eebibf32.exe 2780 Eebibf32.exe 2804 Fpgnoo32.exe 2804 Fpgnoo32.exe 2708 Fbfjkj32.exe 2708 Fbfjkj32.exe 2876 Fjaoplho.exe 2876 Fjaoplho.exe 2668 Fbhfajia.exe 2668 Fbhfajia.exe 3000 Fjckelfm.exe 3000 Fjckelfm.exe 2388 Fmbgageq.exe 2388 Fmbgageq.exe 2944 Fjfhkl32.exe 2944 Fjfhkl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Abinjdad.exe Alofnj32.exe File opened for modification C:\Windows\SysWOW64\Gdihmo32.exe Gajlac32.exe File created C:\Windows\SysWOW64\Maapjjml.exe Mkggnp32.exe File opened for modification C:\Windows\SysWOW64\Jbhhkn32.exe Jcfgoadd.exe File created C:\Windows\SysWOW64\Mghfdcdi.exe Mdjihgef.exe File created C:\Windows\SysWOW64\Pkojoghl.exe Pchbmigj.exe File created C:\Windows\SysWOW64\Igkjcm32.exe Ihijhpdo.exe File opened for modification C:\Windows\SysWOW64\Icdhnn32.exe Ipfkabpg.exe File created C:\Windows\SysWOW64\Kjhopjqi.exe Kbqgolpf.exe File created C:\Windows\SysWOW64\Olahgd32.dll Djoeki32.exe File created C:\Windows\SysWOW64\Gampaipe.exe Goocenaa.exe File created C:\Windows\SysWOW64\Igcgnbim.exe Ifbkgj32.exe File created C:\Windows\SysWOW64\Kmiplp32.dll Lljkif32.exe File opened for modification C:\Windows\SysWOW64\Gfdhck32.exe Gdflgo32.exe File created C:\Windows\SysWOW64\Mlbkmdah.exe Midnqh32.exe File created C:\Windows\SysWOW64\Nobpmb32.exe Nmacej32.exe File created C:\Windows\SysWOW64\Hlpchfdi.exe Hkogpn32.exe File created C:\Windows\SysWOW64\Johoic32.exe Jinfli32.exe File created C:\Windows\SysWOW64\Jiagedmf.dll Mghfdcdi.exe File opened for modification C:\Windows\SysWOW64\Pfnhkq32.exe Podpoffm.exe File created C:\Windows\SysWOW64\Ldniinja.dll Gfiaojkq.exe File created C:\Windows\SysWOW64\Peqiahfi.dll Dqddmd32.exe File opened for modification C:\Windows\SysWOW64\Ladgkmlj.exe Llhocfnb.exe File created C:\Windows\SysWOW64\Fbpfeh32.exe Fpbihl32.exe File created C:\Windows\SysWOW64\Imcfjg32.exe Iopeoknn.exe File created C:\Windows\SysWOW64\Dcigjjli.dll Alofnj32.exe File opened for modification C:\Windows\SysWOW64\Kggfnoch.exe Kopnma32.exe File created C:\Windows\SysWOW64\Mddibb32.exe Mlmaad32.exe File created C:\Windows\SysWOW64\Bnofaf32.exe Bahelebm.exe File opened for modification C:\Windows\SysWOW64\Gminbfoh.exe Fabmmejd.exe File created C:\Windows\SysWOW64\Hadfah32.exe Hkjnenbp.exe File created C:\Windows\SysWOW64\Cnkbeloa.dll Mpcgbhig.exe File created C:\Windows\SysWOW64\Afpapcnc.exe Acadchoo.exe File created C:\Windows\SysWOW64\Jnbifl32.exe Jghqia32.exe File created C:\Windows\SysWOW64\Inkcem32.exe Ilifndlo.exe File created C:\Windows\SysWOW64\Mpqijqhf.dll Inplqlng.exe File created C:\Windows\SysWOW64\Fgpcof32.dll Jfmnkn32.exe File created C:\Windows\SysWOW64\Cfjjagic.dll Binikb32.exe File created C:\Windows\SysWOW64\Ipabfcdm.exe Imcfjg32.exe File created C:\Windows\SysWOW64\Ckgcql32.dll Iokhcodo.exe File opened for modification C:\Windows\SysWOW64\Maocekoo.exe Mblcin32.exe File opened for modification C:\Windows\SysWOW64\Gpgjnbnl.exe Gminbfoh.exe File created C:\Windows\SysWOW64\Gipngg32.exe Gpgjnbnl.exe File opened for modification C:\Windows\SysWOW64\Kepgmh32.exe Knfopnkk.exe File created C:\Windows\SysWOW64\Aiffeloi.dll Palbgn32.exe File created C:\Windows\SysWOW64\Mieiglio.dll Fichqckn.exe File opened for modification C:\Windows\SysWOW64\Nmjmekan.exe Ngqeha32.exe File opened for modification C:\Windows\SysWOW64\Ohkdfhge.exe Oemhjlha.exe File created C:\Windows\SysWOW64\Kafano32.dll Ijimli32.exe File created C:\Windows\SysWOW64\Bjpjcm32.dll Mcacochk.exe File opened for modification C:\Windows\SysWOW64\Enpdjfgj.exe Egflml32.exe File opened for modification C:\Windows\SysWOW64\Gmcikd32.exe Gfiaojkq.exe File opened for modification C:\Windows\SysWOW64\Jkllnn32.exe Jgppmpjp.exe File created C:\Windows\SysWOW64\Acdlnnal.dll Bfmqigba.exe File created C:\Windows\SysWOW64\Jkbhmg32.dll Gfgdij32.exe File opened for modification C:\Windows\SysWOW64\Hlpmmpam.exe Hdhdlbpk.exe File created C:\Windows\SysWOW64\Ippdloip.dll Djmiejji.exe File created C:\Windows\SysWOW64\Ehameajg.dll Gpjfcali.exe File opened for modification C:\Windows\SysWOW64\Joebccpp.exe Jfmnkn32.exe File opened for modification C:\Windows\SysWOW64\Ldjmidcj.exe Lmpeljkm.exe File created C:\Windows\SysWOW64\Pjibmbqj.dll Pmecbkgj.exe File opened for modification C:\Windows\SysWOW64\Pofldf32.exe Pildgl32.exe File created C:\Windows\SysWOW64\Chehgk32.dll Fqffgapf.exe File created C:\Windows\SysWOW64\Kglgpo32.dll Ffboohnm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5316 5292 WerFault.exe 461 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnibdmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfopnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcgeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmnkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncgollm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffmpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhikae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcedj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkjgckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipcbidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdpjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofiopaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fladmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmefad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhcbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahelebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoeki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdplfflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnkji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndgeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpoih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqffgapf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podpoffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnflae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiilge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndbko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpodgocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dljngoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doijcjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmhhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almihjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdflgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbghdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afndjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehfafgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipngg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpddgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggcofkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejgeogmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbbjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caenkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enenef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okhgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkojoghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkmdah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llebnfpe.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idokma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnkiebib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgqofhkp.dll" Jhkclc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Midnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbgefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkdehfdg.dll" Doijcjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhkclc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kopnma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kimlqfeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlmaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnohgfgb.dll" Nlbgkgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll" Fpgnoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lncgollm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdgaplj.dll" Midnqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oemhjlha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnim32.dll" Laidgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clhecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ladpagin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nipefmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll" Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjljij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpief32.dll" Jclnnmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhhfgcgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifjfmcm.dll" Jgnchplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiemmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehfhgogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagmjgmm.dll" Iilceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpiei32.dll" Laogfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lodnjboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afpapcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" Lbhmok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpgnoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqamla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiefad32.dll" Fcdbcloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Midnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcqcl32.dll" Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmggp32.dll" Kiemmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkbeloa.dll" Mpcgbhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpjfcali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaaekl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kolhdbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fladmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbpfeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngcanq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejcofica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpqlnhfp.dll" Johoic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfbic32.dll" Qmcclolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll" Qaqlbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booqgija.dll" Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjkbmim.dll" Kcajceke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfanqcch.dll" Enngdgim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjljij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkleo32.dll" Chofhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjdgpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bacefpbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dleelp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fqhclqnc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2696 2372 0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe 30 PID 2372 wrote to memory of 2696 2372 0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe 30 PID 2372 wrote to memory of 2696 2372 0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe 30 PID 2372 wrote to memory of 2696 2372 0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe 30 PID 2696 wrote to memory of 2760 2696 Bahelebm.exe 31 PID 2696 wrote to memory of 2760 2696 Bahelebm.exe 31 PID 2696 wrote to memory of 2760 2696 Bahelebm.exe 31 PID 2696 wrote to memory of 2760 2696 Bahelebm.exe 31 PID 2760 wrote to memory of 2580 2760 Bnofaf32.exe 32 PID 2760 wrote to memory of 2580 2760 Bnofaf32.exe 32 PID 2760 wrote to memory of 2580 2760 Bnofaf32.exe 32 PID 2760 wrote to memory of 2580 2760 Bnofaf32.exe 32 PID 2580 wrote to memory of 2544 2580 Cnabffeo.exe 33 PID 2580 wrote to memory of 2544 2580 Cnabffeo.exe 33 PID 2580 wrote to memory of 2544 2580 Cnabffeo.exe 33 PID 2580 wrote to memory of 2544 2580 Cnabffeo.exe 33 PID 2544 wrote to memory of 3004 2544 Ckecpjdh.exe 34 PID 2544 wrote to memory of 3004 2544 Ckecpjdh.exe 34 PID 2544 wrote to memory of 3004 2544 Ckecpjdh.exe 34 PID 2544 wrote to memory of 3004 2544 Ckecpjdh.exe 34 PID 3004 wrote to memory of 1600 3004 Ccqhdmbc.exe 35 PID 3004 wrote to memory of 1600 3004 Ccqhdmbc.exe 35 PID 3004 wrote to memory of 1600 3004 Ccqhdmbc.exe 35 PID 3004 wrote to memory of 1600 3004 Ccqhdmbc.exe 35 PID 1600 wrote to memory of 1568 1600 Cnflae32.exe 36 PID 1600 wrote to memory of 1568 1600 Cnflae32.exe 36 PID 1600 wrote to memory of 1568 1600 Cnflae32.exe 36 PID 1600 wrote to memory of 1568 1600 Cnflae32.exe 36 PID 1568 wrote to memory of 2116 1568 Cjmmffgn.exe 37 PID 1568 wrote to memory of 2116 1568 Cjmmffgn.exe 37 PID 1568 wrote to memory of 2116 1568 Cjmmffgn.exe 37 PID 1568 wrote to memory of 2116 1568 Cjmmffgn.exe 37 PID 2116 wrote to memory of 2872 2116 Clkicbfa.exe 38 PID 2116 wrote to memory of 2872 2116 Clkicbfa.exe 38 PID 2116 wrote to memory of 2872 2116 Clkicbfa.exe 38 PID 2116 wrote to memory of 2872 2116 Clkicbfa.exe 38 PID 2872 wrote to memory of 2232 2872 Coladm32.exe 39 PID 2872 wrote to memory of 2232 2872 Coladm32.exe 39 PID 2872 wrote to memory of 2232 2872 Coladm32.exe 39 PID 2872 wrote to memory of 2232 2872 Coladm32.exe 39 PID 2232 wrote to memory of 2616 2232 Dhdfmbjc.exe 40 PID 2232 wrote to memory of 2616 2232 Dhdfmbjc.exe 40 PID 2232 wrote to memory of 2616 2232 Dhdfmbjc.exe 40 PID 2232 wrote to memory of 2616 2232 Dhdfmbjc.exe 40 PID 2616 wrote to memory of 760 2616 Dkeoongd.exe 41 PID 2616 wrote to memory of 760 2616 Dkeoongd.exe 41 PID 2616 wrote to memory of 760 2616 Dkeoongd.exe 41 PID 2616 wrote to memory of 760 2616 Dkeoongd.exe 41 PID 760 wrote to memory of 1672 760 Dboglhna.exe 42 PID 760 wrote to memory of 1672 760 Dboglhna.exe 42 PID 760 wrote to memory of 1672 760 Dboglhna.exe 42 PID 760 wrote to memory of 1672 760 Dboglhna.exe 42 PID 1672 wrote to memory of 2212 1672 Dqddmd32.exe 43 PID 1672 wrote to memory of 2212 1672 Dqddmd32.exe 43 PID 1672 wrote to memory of 2212 1672 Dqddmd32.exe 43 PID 1672 wrote to memory of 2212 1672 Dqddmd32.exe 43 PID 2212 wrote to memory of 2916 2212 Djmiejji.exe 44 PID 2212 wrote to memory of 2916 2212 Djmiejji.exe 44 PID 2212 wrote to memory of 2916 2212 Djmiejji.exe 44 PID 2212 wrote to memory of 2916 2212 Djmiejji.exe 44 PID 2916 wrote to memory of 2076 2916 Djoeki32.exe 45 PID 2916 wrote to memory of 2076 2916 Djoeki32.exe 45 PID 2916 wrote to memory of 2076 2916 Djoeki32.exe 45 PID 2916 wrote to memory of 2076 2916 Djoeki32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe"C:\Users\Admin\AppData\Local\Temp\0654e51999070a2f3e84073be0bc98dc21589b0552bdac62035b02ebfdea1419N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Djmiejji.exeC:\Windows\system32\Djmiejji.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Ejcofica.exeC:\Windows\system32\Ejcofica.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Eebibf32.exeC:\Windows\system32\Eebibf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Fmbgageq.exeC:\Windows\system32\Fmbgageq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe33⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe40⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe41⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe43⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe44⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe46⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Hmfmkjdf.exeC:\Windows\system32\Hmfmkjdf.exe49⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe50⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe52⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe53⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe54⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe56⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe58⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe59⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe60⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe61⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe63⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ijfqfj32.exeC:\Windows\system32\Ijfqfj32.exe64⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe65⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe66⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe67⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe68⤵PID:2440
-
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe69⤵PID:2620
-
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe70⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe71⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe73⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe74⤵PID:2164
-
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe75⤵
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe76⤵PID:264
-
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe77⤵PID:1340
-
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe78⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe79⤵PID:1096
-
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe81⤵PID:2444
-
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe82⤵PID:2468
-
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe85⤵PID:1844
-
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe86⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe87⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe88⤵PID:2584
-
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe89⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe90⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe92⤵PID:1648
-
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe93⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe94⤵PID:2488
-
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe95⤵
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Kghmhegc.exeC:\Windows\system32\Kghmhegc.exe96⤵PID:2688
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe98⤵PID:2568
-
C:\Windows\SysWOW64\Kgjjndeq.exeC:\Windows\system32\Kgjjndeq.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Kndbko32.exeC:\Windows\system32\Kndbko32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Kabngjla.exeC:\Windows\system32\Kabngjla.exe101⤵PID:1228
-
C:\Windows\SysWOW64\Kcajceke.exeC:\Windows\system32\Kcajceke.exe102⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952 -
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe105⤵PID:1932
-
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe106⤵PID:2052
-
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe107⤵PID:2060
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe108⤵PID:2736
-
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe110⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Lpldcfmd.exeC:\Windows\system32\Lpldcfmd.exe111⤵PID:3024
-
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe113⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe114⤵PID:652
-
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe115⤵PID:1348
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe116⤵
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Lodnjboi.exeC:\Windows\system32\Lodnjboi.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Lenffl32.exeC:\Windows\system32\Lenffl32.exe118⤵PID:2448
-
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe119⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe120⤵PID:1916
-
C:\Windows\SysWOW64\Lilomj32.exeC:\Windows\system32\Lilomj32.exe121⤵PID:2864
-
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe122⤵
- Drops file in System32 directory
PID:320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-