Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:54
Static task
static1
Behavioral task
behavioral1
Sample
33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
Resource
win10v2004-20241007-en
General
-
Target
33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe
-
Size
98KB
-
MD5
ef7299fde3e41422c6fe5470efd39a20
-
SHA1
29b2719c89fa58cc0c8a17550a3e5224ddec6942
-
SHA256
33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53
-
SHA512
67f81e25432f08543bf656458c23daa3ed6f12f47b3c92f838362a4f033020e3382b180c395e7f7512eaad21448037dd9b967f48cbe7a32058ae3dd71e32a3d2
-
SSDEEP
3072:LxZVWGxikyLXa3jyfOeRJESeFKPD375lHzpa1P:1WGVyLK3GGGJESeYr75lHzpaF
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fhmpagkp.exeLhfmdj32.exeNcjginjn.exeCmfclm32.exeNkqkhk32.exeKnhakh32.exeChqogq32.exeNaaqofgj.exeObjpoh32.exeDodjjimm.exeIbfnqmpf.exePgflqkdd.exeBifmqo32.exePefhlaie.exeFmhdkknd.exeCjmpkqqj.exeGphgbafl.exeHhdhon32.exeEfhlhh32.exeHmpjmn32.exeIlccoh32.exeAcokhc32.exeFnlmhc32.exeAhchda32.exeEdjgfcec.exeNklbmllg.exeEkdnei32.exeFlpmagqi.exeGehbjm32.exeDmglcj32.exeKniieo32.exeFfaong32.exeFjohde32.exeJnelok32.exeJcikgacl.exeMlnipg32.exeOpadhb32.exeDdcqedkk.exeFbajbi32.exeAlpbecod.exePfgogh32.exeCoiaiakf.exeKclgmq32.exeAahbbkaq.exeMockmala.exeFphnlcdo.exeFpggamqc.exeFpjcgm32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhmpagkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncjginjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naaqofgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Objpoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodjjimm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgflqkdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmhdkknd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmpkqqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhdhon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhlhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnlmhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahchda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edjgfcec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekdnei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpmagqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmglcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcikgacl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opadhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcqedkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgogh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coiaiakf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mockmala.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphnlcdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpjcgm32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Djdmffnn.exeDanecp32.exeDdmaok32.exeDobfld32.exeDaqbip32.exeDdonekbl.exeDkifae32.exeDaconoae.exeDdakjkqi.exeDfpgffpm.exeDogogcpo.exeDaekdooc.exeDgbdlf32.exeDoilmc32.exeEecdjmfi.exeEgdqae32.exeEajeon32.exeEdhakj32.exeEkbihd32.exeEmaedo32.exeEdknqiho.exeEgijmegb.exeEmcbio32.exeEdmjfifl.exeEhiffh32.exeEglgbdep.exeEobocb32.exeEemgplno.exeEdpgli32.exeEoekia32.exeFeocelll.exeFhmpagkp.exeFgppmd32.exeFoghnabl.exeFeapkk32.exeFddqghpd.exeFgbmccpg.exeFedmqk32.exeFhbimf32.exeFgeihcme.exeFnobem32.exeFefjfked.exeFhdfbfdh.exeFonnop32.exeFamjkl32.exeFhgbhfbe.exeFkeodaai.exeGekcaj32.exeGhipne32.exeGochjpho.exeGaadfkgc.exeGdppbfff.exeGgnlobej.exeGnhdkl32.exeGepmlimi.exeGhniielm.exeGohaeo32.exeGafmaj32.exeGddinf32.exeGgcfja32.exeGnmnfkia.exeGkaopp32.exeHnoklk32.exeHffcmh32.exepid process 1720 Djdmffnn.exe 3504 Danecp32.exe 1340 Ddmaok32.exe 2716 Dobfld32.exe 1712 Daqbip32.exe 2708 Ddonekbl.exe 2468 Dkifae32.exe 2004 Daconoae.exe 2880 Ddakjkqi.exe 976 Dfpgffpm.exe 2928 Dogogcpo.exe 880 Daekdooc.exe 1456 Dgbdlf32.exe 4176 Doilmc32.exe 3356 Eecdjmfi.exe 4164 Egdqae32.exe 4352 Eajeon32.exe 5024 Edhakj32.exe 4512 Ekbihd32.exe 3624 Emaedo32.exe 4056 Edknqiho.exe 2904 Egijmegb.exe 532 Emcbio32.exe 4532 Edmjfifl.exe 1908 Ehiffh32.exe 2560 Eglgbdep.exe 2624 Eobocb32.exe 1512 Eemgplno.exe 3908 Edpgli32.exe 5096 Eoekia32.exe 4148 Feocelll.exe 4420 Fhmpagkp.exe 3804 Fgppmd32.exe 2572 Foghnabl.exe 1332 Feapkk32.exe 4196 Fddqghpd.exe 2440 Fgbmccpg.exe 3280 Fedmqk32.exe 2936 Fhbimf32.exe 4396 Fgeihcme.exe 3192 Fnobem32.exe 2032 Fefjfked.exe 2948 Fhdfbfdh.exe 3152 Fonnop32.exe 5108 Famjkl32.exe 1112 Fhgbhfbe.exe 4712 Fkeodaai.exe 5092 Gekcaj32.exe 3020 Ghipne32.exe 5004 Gochjpho.exe 1548 Gaadfkgc.exe 3428 Gdppbfff.exe 1984 Ggnlobej.exe 2328 Gnhdkl32.exe 2044 Gepmlimi.exe 836 Ghniielm.exe 3496 Gohaeo32.exe 5100 Gafmaj32.exe 3648 Gddinf32.exe 3112 Ggcfja32.exe 2084 Gnmnfkia.exe 4624 Gkaopp32.exe 1996 Hnoklk32.exe 540 Hffcmh32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hnhghcki.exePmoiqneg.exeLbchba32.exeOpadhb32.exeJjjghcfp.exeIbobdqid.exeAlkijdci.exeQmhlgmmm.exeEemgplno.exePlhnda32.exeGphgbafl.exeDjcoai32.exeFihnomjp.exeOileggkb.exeDpgnjo32.exeJcbdgb32.exeNeqopnhb.exeMlmbfqoj.exeEkdnei32.exeFmfgek32.exeIpmbjgpi.exeMlnipg32.exeBcbohigp.exeAjpqnneo.exeGkkgpc32.exeEgdqae32.exeHbmcbime.exeDpnbog32.exeKnooej32.exeLqkgbcff.exeQaalblgi.exeJjmcnbdm.exeElnoopdj.exeHiiggoaf.exeEipinkib.exeGigheh32.exeIjfnmc32.exeGmafajfi.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Idbodn32.exe Hnhghcki.exe File opened for modification C:\Windows\SysWOW64\Pefabkej.exe Pmoiqneg.exe File created C:\Windows\SysWOW64\Hclkag32.dll File created C:\Windows\SysWOW64\Ccppmc32.exe File created C:\Windows\SysWOW64\Dinael32.exe File opened for modification C:\Windows\SysWOW64\Lfodbqfa.exe Lbchba32.exe File created C:\Windows\SysWOW64\Ijdgcpaf.dll Opadhb32.exe File opened for modification C:\Windows\SysWOW64\Jbaojpgb.exe Jjjghcfp.exe File opened for modification C:\Windows\SysWOW64\Gbiockdj.exe File opened for modification C:\Windows\SysWOW64\Iqbbpm32.exe Ibobdqid.exe File opened for modification C:\Windows\SysWOW64\Aojefobm.exe Alkijdci.exe File opened for modification C:\Windows\SysWOW64\Giecfejd.exe File created C:\Windows\SysWOW64\Fkpiopih.dll Qmhlgmmm.exe File opened for modification C:\Windows\SysWOW64\Hecjke32.exe File created C:\Windows\SysWOW64\Mflfak32.dll Eemgplno.exe File created C:\Windows\SysWOW64\Pofjpl32.exe Plhnda32.exe File created C:\Windows\SysWOW64\Ghpocngo.exe Gphgbafl.exe File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Djcoai32.exe File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe Fihnomjp.exe File created C:\Windows\SysWOW64\Bkfmmb32.dll File opened for modification C:\Windows\SysWOW64\Pjaleemj.exe File created C:\Windows\SysWOW64\Ogpepl32.exe Oileggkb.exe File created C:\Windows\SysWOW64\Ebejfk32.exe Dpgnjo32.exe File opened for modification C:\Windows\SysWOW64\Jkimho32.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Nhokljge.exe Neqopnhb.exe File opened for modification C:\Windows\SysWOW64\Ilibdmgp.exe File created C:\Windows\SysWOW64\Pjjfdfbb.exe File created C:\Windows\SysWOW64\Edihdb32.exe File created C:\Windows\SysWOW64\Fcbnpnme.exe File created C:\Windows\SysWOW64\Mbgjbkfg.exe Mlmbfqoj.exe File created C:\Windows\SysWOW64\Enbjad32.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Fngcmcfe.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Jbblob32.dll File created C:\Windows\SysWOW64\Iggjga32.exe Ipmbjgpi.exe File opened for modification C:\Windows\SysWOW64\Gnblnlhl.exe File created C:\Windows\SysWOW64\Jjkgopfg.dll Mlnipg32.exe File created C:\Windows\SysWOW64\Bjlgdc32.exe Bcbohigp.exe File opened for modification C:\Windows\SysWOW64\Alnmjjdb.exe Ajpqnneo.exe File opened for modification C:\Windows\SysWOW64\Gmiclo32.exe Gkkgpc32.exe File created C:\Windows\SysWOW64\Hicakqhn.dll File created C:\Windows\SysWOW64\Fjhmbihg.exe File created C:\Windows\SysWOW64\Eajeon32.exe Egdqae32.exe File created C:\Windows\SysWOW64\Hdlpneli.exe Hbmcbime.exe File opened for modification C:\Windows\SysWOW64\Dgejpd32.exe Dpnbog32.exe File opened for modification C:\Windows\SysWOW64\Kqmkae32.exe Knooej32.exe File opened for modification C:\Windows\SysWOW64\Jbagbebm.exe File created C:\Windows\SysWOW64\Jekeodnf.dll Lqkgbcff.exe File opened for modification C:\Windows\SysWOW64\Qdphngfl.exe Qaalblgi.exe File created C:\Windows\SysWOW64\Fmcjpl32.exe Fihnomjp.exe File opened for modification C:\Windows\SysWOW64\Jnlkedai.exe File opened for modification C:\Windows\SysWOW64\Qpeahb32.exe File created C:\Windows\SysWOW64\Pkffgpdd.dll File created C:\Windows\SysWOW64\Fcpakn32.exe File created C:\Windows\SysWOW64\Gcnobqph.dll Jjjghcfp.exe File created C:\Windows\SysWOW64\Jdbhkk32.exe Jjmcnbdm.exe File opened for modification C:\Windows\SysWOW64\Ecefqnel.exe Elnoopdj.exe File created C:\Windows\SysWOW64\Oajpfn32.dll Hiiggoaf.exe File opened for modification C:\Windows\SysWOW64\Ipdndloi.exe File opened for modification C:\Windows\SysWOW64\Lhqefjpo.exe File opened for modification C:\Windows\SysWOW64\Ckdkhq32.exe File created C:\Windows\SysWOW64\Emlenj32.exe Eipinkib.exe File opened for modification C:\Windows\SysWOW64\Gdmmbq32.exe Gigheh32.exe File opened for modification C:\Windows\SysWOW64\Inainbcn.exe Ijfnmc32.exe File opened for modification C:\Windows\SysWOW64\Gppcmeem.exe Gmafajfi.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 13816 13732 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Phelcc32.exeOimkbaed.exeJdmgfedl.exeLjhefhha.exeMoobbb32.exeIenekbld.exeDpckjfgg.exeKnflpoqf.exePojcjh32.exeIpmbjgpi.exeGbalopbn.exeHnfamjqg.exeDfamapjo.exeJnlbojee.exeKclgmq32.exeFeoodn32.exeNpedmdab.exeCfldelik.exePlkpcfal.exeHffken32.exeKjhcjq32.exeJnkcogno.exeLldfjh32.exeEdjgfcec.exeNhpbfpka.exeBnkbcj32.exeEdhakj32.exeDjfcaohp.exeGgpbjkpl.exeLjbfpo32.exeQdphngfl.exeImiehfao.exeCidjbmcp.exeFoghnabl.exeHdkidohn.exeDjjebh32.exeAlkijdci.exeDobfld32.exeEciplm32.exeFlinkojm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phelcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimkbaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhefhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moobbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienekbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpckjfgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knflpoqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojcjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmbjgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbalopbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfamjqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfamapjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feoodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npedmdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkcogno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edjgfcec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpbfpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfcaohp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiehfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foghnabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkidohn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eciplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Kqfngd32.exeDblgpl32.exeJdmgfedl.exeFfqhcq32.exeFiodpl32.exeIloidijb.exeHlglidlo.exeFflohaij.exeFhmpagkp.exeAhfdjanb.exeBohibc32.exeKkconn32.exeEhcfaboo.exeIkndgg32.exeNhbolp32.exeJddnfd32.exeLldfjh32.exeFpggamqc.exeGphphj32.exeCcgjopal.exeBcinna32.exeCaghhk32.exeCjomap32.exeGmeakf32.exeOhghgodi.exeFdffbake.exeOodcdb32.exeDmohno32.exeIfomll32.exeIenekbld.exeLbjelc32.exeNchjdo32.exeBjlgdc32.exeKkpbin32.exeChnbbqpn.exeAoabad32.exeOdmbaj32.exeAnaomkdb.exeCohkokgj.exeGpbpbecj.exeJejefqaf.exeIdghpmnp.exeJglklggl.exeKbmoen32.exeHibafp32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfghc32.dll" Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flafeh32.dll" Jdmgfedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leabba32.dll" Iloidijb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlglidlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjjlc32.dll" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhmpagkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgllff32.dll" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehcfaboo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdkgc32.dll" Nhbolp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jddnfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lldfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhji32.dll" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golneb32.dll" Gphphj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccgjopal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caghhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohghgodi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oodcdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifomll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ienekbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhlkhcm.dll" Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioodgbj.dll" Bjlgdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkpbin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imffkelf.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqpakfgb.dll" Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balenlhn.dll" Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anaomkdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejldilhc.dll" Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmqme32.dll" Idghpmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbmoen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exeDjdmffnn.exeDanecp32.exeDdmaok32.exeDobfld32.exeDaqbip32.exeDdonekbl.exeDkifae32.exeDaconoae.exeDdakjkqi.exeDfpgffpm.exeDogogcpo.exeDaekdooc.exeDgbdlf32.exeDoilmc32.exeEecdjmfi.exeEgdqae32.exeEajeon32.exeEdhakj32.exeEkbihd32.exeEmaedo32.exeEdknqiho.exedescription pid process target process PID 2376 wrote to memory of 1720 2376 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe Djdmffnn.exe PID 2376 wrote to memory of 1720 2376 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe Djdmffnn.exe PID 2376 wrote to memory of 1720 2376 33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe Djdmffnn.exe PID 1720 wrote to memory of 3504 1720 Djdmffnn.exe Danecp32.exe PID 1720 wrote to memory of 3504 1720 Djdmffnn.exe Danecp32.exe PID 1720 wrote to memory of 3504 1720 Djdmffnn.exe Danecp32.exe PID 3504 wrote to memory of 1340 3504 Danecp32.exe Ddmaok32.exe PID 3504 wrote to memory of 1340 3504 Danecp32.exe Ddmaok32.exe PID 3504 wrote to memory of 1340 3504 Danecp32.exe Ddmaok32.exe PID 1340 wrote to memory of 2716 1340 Ddmaok32.exe Dobfld32.exe PID 1340 wrote to memory of 2716 1340 Ddmaok32.exe Dobfld32.exe PID 1340 wrote to memory of 2716 1340 Ddmaok32.exe Dobfld32.exe PID 2716 wrote to memory of 1712 2716 Dobfld32.exe Daqbip32.exe PID 2716 wrote to memory of 1712 2716 Dobfld32.exe Daqbip32.exe PID 2716 wrote to memory of 1712 2716 Dobfld32.exe Daqbip32.exe PID 1712 wrote to memory of 2708 1712 Daqbip32.exe Ddonekbl.exe PID 1712 wrote to memory of 2708 1712 Daqbip32.exe Ddonekbl.exe PID 1712 wrote to memory of 2708 1712 Daqbip32.exe Ddonekbl.exe PID 2708 wrote to memory of 2468 2708 Ddonekbl.exe Dkifae32.exe PID 2708 wrote to memory of 2468 2708 Ddonekbl.exe Dkifae32.exe PID 2708 wrote to memory of 2468 2708 Ddonekbl.exe Dkifae32.exe PID 2468 wrote to memory of 2004 2468 Dkifae32.exe Daconoae.exe PID 2468 wrote to memory of 2004 2468 Dkifae32.exe Daconoae.exe PID 2468 wrote to memory of 2004 2468 Dkifae32.exe Daconoae.exe PID 2004 wrote to memory of 2880 2004 Daconoae.exe Ddakjkqi.exe PID 2004 wrote to memory of 2880 2004 Daconoae.exe Ddakjkqi.exe PID 2004 wrote to memory of 2880 2004 Daconoae.exe Ddakjkqi.exe PID 2880 wrote to memory of 976 2880 Ddakjkqi.exe Dfpgffpm.exe PID 2880 wrote to memory of 976 2880 Ddakjkqi.exe Dfpgffpm.exe PID 2880 wrote to memory of 976 2880 Ddakjkqi.exe Dfpgffpm.exe PID 976 wrote to memory of 2928 976 Dfpgffpm.exe Dogogcpo.exe PID 976 wrote to memory of 2928 976 Dfpgffpm.exe Dogogcpo.exe PID 976 wrote to memory of 2928 976 Dfpgffpm.exe Dogogcpo.exe PID 2928 wrote to memory of 880 2928 Dogogcpo.exe Daekdooc.exe PID 2928 wrote to memory of 880 2928 Dogogcpo.exe Daekdooc.exe PID 2928 wrote to memory of 880 2928 Dogogcpo.exe Daekdooc.exe PID 880 wrote to memory of 1456 880 Daekdooc.exe Dgbdlf32.exe PID 880 wrote to memory of 1456 880 Daekdooc.exe Dgbdlf32.exe PID 880 wrote to memory of 1456 880 Daekdooc.exe Dgbdlf32.exe PID 1456 wrote to memory of 4176 1456 Dgbdlf32.exe Doilmc32.exe PID 1456 wrote to memory of 4176 1456 Dgbdlf32.exe Doilmc32.exe PID 1456 wrote to memory of 4176 1456 Dgbdlf32.exe Doilmc32.exe PID 4176 wrote to memory of 3356 4176 Doilmc32.exe Eecdjmfi.exe PID 4176 wrote to memory of 3356 4176 Doilmc32.exe Eecdjmfi.exe PID 4176 wrote to memory of 3356 4176 Doilmc32.exe Eecdjmfi.exe PID 3356 wrote to memory of 4164 3356 Eecdjmfi.exe Egdqae32.exe PID 3356 wrote to memory of 4164 3356 Eecdjmfi.exe Egdqae32.exe PID 3356 wrote to memory of 4164 3356 Eecdjmfi.exe Egdqae32.exe PID 4164 wrote to memory of 4352 4164 Egdqae32.exe Eajeon32.exe PID 4164 wrote to memory of 4352 4164 Egdqae32.exe Eajeon32.exe PID 4164 wrote to memory of 4352 4164 Egdqae32.exe Eajeon32.exe PID 4352 wrote to memory of 5024 4352 Eajeon32.exe Edhakj32.exe PID 4352 wrote to memory of 5024 4352 Eajeon32.exe Edhakj32.exe PID 4352 wrote to memory of 5024 4352 Eajeon32.exe Edhakj32.exe PID 5024 wrote to memory of 4512 5024 Edhakj32.exe Ekbihd32.exe PID 5024 wrote to memory of 4512 5024 Edhakj32.exe Ekbihd32.exe PID 5024 wrote to memory of 4512 5024 Edhakj32.exe Ekbihd32.exe PID 4512 wrote to memory of 3624 4512 Ekbihd32.exe Emaedo32.exe PID 4512 wrote to memory of 3624 4512 Ekbihd32.exe Emaedo32.exe PID 4512 wrote to memory of 3624 4512 Ekbihd32.exe Emaedo32.exe PID 3624 wrote to memory of 4056 3624 Emaedo32.exe Edknqiho.exe PID 3624 wrote to memory of 4056 3624 Emaedo32.exe Edknqiho.exe PID 3624 wrote to memory of 4056 3624 Emaedo32.exe Edknqiho.exe PID 4056 wrote to memory of 2904 4056 Edknqiho.exe Egijmegb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe"C:\Users\Admin\AppData\Local\Temp\33578c7d45d89c7b8e8bfdeaa30b8e1cb1e9a47772d4d008ffe340481bbd5e53N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe23⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe24⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe25⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe26⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe27⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe28⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe30⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe31⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe32⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe34⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe36⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe37⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe38⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe39⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe40⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe41⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe42⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe43⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe44⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe45⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe46⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe47⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe48⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe49⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe50⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe51⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe52⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe53⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe54⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe55⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe56⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe57⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe58⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe59⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe60⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe61⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe62⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe63⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe64⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe65⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe66⤵PID:1420
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe67⤵
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe68⤵PID:2932
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe69⤵PID:4356
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe70⤵PID:3448
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe71⤵PID:1208
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe72⤵PID:4640
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe73⤵
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe74⤵PID:4984
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe75⤵PID:1368
-
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe76⤵PID:1648
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe77⤵PID:2812
-
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe78⤵PID:1088
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe79⤵PID:4620
-
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe80⤵PID:2424
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe81⤵PID:3920
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe82⤵PID:3948
-
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe83⤵PID:4180
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe84⤵PID:3612
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe85⤵PID:2304
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe86⤵PID:4548
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe87⤵PID:1444
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe88⤵PID:3248
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe89⤵PID:428
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe90⤵PID:3788
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe91⤵PID:4868
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe92⤵PID:2636
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe94⤵PID:3900
-
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe95⤵PID:4796
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe96⤵PID:4376
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe97⤵PID:5156
-
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe98⤵PID:5200
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe99⤵PID:5244
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe100⤵
- System Location Discovery: System Language Discovery
PID:5288 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe101⤵PID:5332
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe102⤵PID:5376
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe103⤵PID:5420
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe104⤵PID:5464
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe105⤵PID:5508
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe106⤵PID:5552
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe107⤵PID:5592
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe108⤵PID:5636
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe109⤵PID:5680
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe110⤵
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe111⤵PID:5768
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe112⤵PID:5812
-
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe113⤵PID:5856
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe114⤵PID:5900
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe115⤵PID:5948
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe116⤵PID:5992
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe117⤵PID:6036
-
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe118⤵PID:6080
-
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe119⤵PID:6120
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe120⤵PID:5192
-
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe121⤵PID:5232
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe122⤵PID:5304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-