Analysis
-
max time kernel
111s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 00:59
Behavioral task
behavioral1
Sample
8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe
Resource
win10v2004-20241007-en
General
-
Target
8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe
-
Size
240KB
-
MD5
b4995982eb673bc67834f67d1cb88a20
-
SHA1
0008b3756ac75fde296c0546819946afc77a2e1a
-
SHA256
8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256
-
SHA512
6e6d1132175625af17208c7ee140fecfae4f8555f2f41fd5c5663aff3819890097cf6ec159b60d2805c1fbcd842098e31ea7a1782a4be77588f3033068dc4069
-
SSDEEP
6144:SqhxjjobGoDGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:7fSGyXu1jGG1wsGeBgRTGA
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Iclbpj32.exeBgddam32.exeFjegog32.exeKbmfgk32.exeOhipla32.exeQboikm32.exeDocopbaf.exeEhjqgjmp.exeLncfcgeb.exeKhnapkjg.exePadjmfdg.exeCngcll32.exeIakgefqe.exeAclpaali.exeFiebnjbg.exeKbmome32.exeBheaiekc.exeHoqjqhjf.exeFkkhpadq.exeHcdifa32.exeHdefnjkj.exeIdicbbpi.exeBhkeohhn.exeLnkege32.exeMjfphf32.exeGlfgnh32.exeIlnomp32.exeKhghgchk.exeOlkifaen.exeDghjkpck.exeGgiofa32.exeHgfooe32.exePafdjmkq.exeEcfnmh32.exeJnbpqb32.exeHcgmfgfd.exeJfmkbebl.exeCbblda32.exeBfabnl32.exeQpamoa32.exeGmpcgace.exeLgqkbb32.exeJpbalb32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iclbpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgddam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qboikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Docopbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqgjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cngcll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iakgefqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiebnjbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bheaiekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoqjqhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkhpadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdifa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdefnjkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idicbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkeohhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkege32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glfgnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnomp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dghjkpck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggiofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfooe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pafdjmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfnmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbpqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfmkbebl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpamoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkkhpadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpbalb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Bcmfmlen.exeCpdgbm32.exeCfnoogbo.exeCiohqa32.exeCpiqmlfm.exeCiaefa32.exeCfeepelg.exeCopjdhib.exeDhiomn32.exeDdpobo32.exeDmhdkdlg.exeDklddhka.exeDddimn32.exeDpkibo32.exeDkqnoh32.exeEdibhmml.exeEppcmncq.exeEelkeeah.exeElfcbo32.exeEoepnk32.exeEeohkeoe.exeEijdkcgn.exeEogmcjef.exeEddeladm.exeEknmhk32.exeFgdnnl32.exeFolfoj32.exeFkbgckgd.exeFjegog32.exeFgigil32.exeFqalaa32.exeFjjpjgjj.exeFlhmfbim.exeFjlmpfhg.exeFmkilb32.exeGbhbdi32.exeGcgnnlle.exeGbjojh32.exeGmpcgace.exeGifclb32.exeGkephn32.exeGbohehoj.exeGiipab32.exeGjjmijme.exeGbadjg32.exeHjlioj32.exeHnheohcl.exeHmkeke32.exeHcdnhoac.exeHgpjhn32.exeHjofdi32.exeHnjbeh32.exeHpkompgg.exeHfegij32.exeHidcef32.exeHmoofdea.exeHpnkbpdd.exeHblgnkdh.exeHjcppidk.exeHldlga32.exeHcldhnkk.exeHboddk32.exeHihlqeib.exeHmdhad32.exepid process 2352 Bcmfmlen.exe 3020 Cpdgbm32.exe 768 Cfnoogbo.exe 2692 Ciohqa32.exe 2936 Cpiqmlfm.exe 2920 Ciaefa32.exe 2720 Cfeepelg.exe 2600 Copjdhib.exe 528 Dhiomn32.exe 316 Ddpobo32.exe 1848 Dmhdkdlg.exe 1728 Dklddhka.exe 2388 Dddimn32.exe 1368 Dpkibo32.exe 1212 Dkqnoh32.exe 2428 Edibhmml.exe 1292 Eppcmncq.exe 2284 Eelkeeah.exe 600 Elfcbo32.exe 2148 Eoepnk32.exe 2504 Eeohkeoe.exe 2908 Eijdkcgn.exe 1048 Eogmcjef.exe 800 Eddeladm.exe 376 Eknmhk32.exe 2196 Fgdnnl32.exe 2136 Folfoj32.exe 2176 Fkbgckgd.exe 2768 Fjegog32.exe 2156 Fgigil32.exe 2832 Fqalaa32.exe 2712 Fjjpjgjj.exe 2752 Flhmfbim.exe 2704 Fjlmpfhg.exe 3008 Fmkilb32.exe 1388 Gbhbdi32.exe 2916 Gcgnnlle.exe 2400 Gbjojh32.exe 840 Gmpcgace.exe 2000 Gifclb32.exe 1760 Gkephn32.exe 2424 Gbohehoj.exe 2860 Giipab32.exe 1740 Gjjmijme.exe 1800 Gbadjg32.exe 920 Hjlioj32.exe 1612 Hnheohcl.exe 2676 Hmkeke32.exe 2356 Hcdnhoac.exe 2052 Hgpjhn32.exe 2988 Hjofdi32.exe 264 Hnjbeh32.exe 3052 Hpkompgg.exe 2808 Hfegij32.exe 2816 Hidcef32.exe 2592 Hmoofdea.exe 1616 Hpnkbpdd.exe 1944 Hblgnkdh.exe 2324 Hjcppidk.exe 2372 Hldlga32.exe 1184 Hcldhnkk.exe 2640 Hboddk32.exe 2444 Hihlqeib.exe 1124 Hmdhad32.exe -
Loads dropped DLL 64 IoCs
Processes:
8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exeBcmfmlen.exeCpdgbm32.exeCfnoogbo.exeCiohqa32.exeCpiqmlfm.exeCiaefa32.exeCfeepelg.exeCopjdhib.exeDhiomn32.exeDdpobo32.exeDmhdkdlg.exeDklddhka.exeDddimn32.exeDpkibo32.exeDkqnoh32.exeEdibhmml.exeEppcmncq.exeEelkeeah.exeElfcbo32.exeEoepnk32.exeEeohkeoe.exeEijdkcgn.exeEogmcjef.exeEddeladm.exeEknmhk32.exeFgdnnl32.exeFolfoj32.exeFkbgckgd.exeFjegog32.exeFgigil32.exeFqalaa32.exepid process 2960 8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe 2960 8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe 2352 Bcmfmlen.exe 2352 Bcmfmlen.exe 3020 Cpdgbm32.exe 3020 Cpdgbm32.exe 768 Cfnoogbo.exe 768 Cfnoogbo.exe 2692 Ciohqa32.exe 2692 Ciohqa32.exe 2936 Cpiqmlfm.exe 2936 Cpiqmlfm.exe 2920 Ciaefa32.exe 2920 Ciaefa32.exe 2720 Cfeepelg.exe 2720 Cfeepelg.exe 2600 Copjdhib.exe 2600 Copjdhib.exe 528 Dhiomn32.exe 528 Dhiomn32.exe 316 Ddpobo32.exe 316 Ddpobo32.exe 1848 Dmhdkdlg.exe 1848 Dmhdkdlg.exe 1728 Dklddhka.exe 1728 Dklddhka.exe 2388 Dddimn32.exe 2388 Dddimn32.exe 1368 Dpkibo32.exe 1368 Dpkibo32.exe 1212 Dkqnoh32.exe 1212 Dkqnoh32.exe 2428 Edibhmml.exe 2428 Edibhmml.exe 1292 Eppcmncq.exe 1292 Eppcmncq.exe 2284 Eelkeeah.exe 2284 Eelkeeah.exe 600 Elfcbo32.exe 600 Elfcbo32.exe 2148 Eoepnk32.exe 2148 Eoepnk32.exe 2504 Eeohkeoe.exe 2504 Eeohkeoe.exe 2908 Eijdkcgn.exe 2908 Eijdkcgn.exe 1048 Eogmcjef.exe 1048 Eogmcjef.exe 800 Eddeladm.exe 800 Eddeladm.exe 376 Eknmhk32.exe 376 Eknmhk32.exe 2196 Fgdnnl32.exe 2196 Fgdnnl32.exe 2136 Folfoj32.exe 2136 Folfoj32.exe 2176 Fkbgckgd.exe 2176 Fkbgckgd.exe 2768 Fjegog32.exe 2768 Fjegog32.exe 2156 Fgigil32.exe 2156 Fgigil32.exe 2832 Fqalaa32.exe 2832 Fqalaa32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Adlcfjgh.exeKmkihbho.exePbigmn32.exeFdkmeiei.exeGgapbcne.exeHcjilgdb.exeMjkibehc.exeHnjbeh32.exeEddeladm.exeLonpma32.exeAkcomepg.exeCfkloq32.exeBbjpil32.exeDddimn32.exeAfffenbp.exeCfanmogq.exeBpjldc32.exeBjmeiq32.exeInhdgdmk.exeCdchneko.exeQemldifo.exeGmpcgace.exeKaompi32.exeMikjpiim.exeCbblda32.exeLhhkapeh.exeKjeglh32.exeFbkjap32.exeLhnkffeo.exeFefqdl32.exeGockgdeh.exeKkjpggkn.exeOplelf32.exeCnimiblo.exeDemaoj32.exeNqpdcc32.exeBdaojbjf.exeEhlmljkm.exeHdecea32.exeLfbdci32.exeNnnbni32.exeDbdham32.exeFgdnnl32.exeJfliim32.exeBgoime32.exeJfdhmk32.exeGoldfelp.exedescription ioc process File created C:\Windows\SysWOW64\Adndofcl.dll File created C:\Windows\SysWOW64\Agjobffl.exe Adlcfjgh.exe File created C:\Windows\SysWOW64\Pihbeaea.dll Kmkihbho.exe File created C:\Windows\SysWOW64\Oqkpmaif.exe File created C:\Windows\SysWOW64\Ipippm32.dll File created C:\Windows\SysWOW64\Pehcij32.exe Pbigmn32.exe File created C:\Windows\SysWOW64\Fkefbcmf.exe Fdkmeiei.exe File opened for modification C:\Windows\SysWOW64\Giolnomh.exe Ggapbcne.exe File created C:\Windows\SysWOW64\Iddiakkl.dll Hcjilgdb.exe File opened for modification C:\Windows\SysWOW64\Mlieoqgg.exe Mjkibehc.exe File created C:\Windows\SysWOW64\Hpkompgg.exe Hnjbeh32.exe File created C:\Windows\SysWOW64\Nklopg32.exe File created C:\Windows\SysWOW64\Djidckbd.dll Eddeladm.exe File created C:\Windows\SysWOW64\Oepoia32.dll Lonpma32.exe File created C:\Windows\SysWOW64\Aebfidim.dll Akcomepg.exe File created C:\Windows\SysWOW64\Lmajfk32.dll Cfkloq32.exe File created C:\Windows\SysWOW64\Bdhleh32.exe Bbjpil32.exe File opened for modification C:\Windows\SysWOW64\Dpkibo32.exe Dddimn32.exe File created C:\Windows\SysWOW64\Alqnah32.exe Afffenbp.exe File created C:\Windows\SysWOW64\Cjljnn32.exe Cfanmogq.exe File created C:\Windows\SysWOW64\Mfpqebhl.dll Bpjldc32.exe File opened for modification C:\Windows\SysWOW64\Bmlael32.exe Bjmeiq32.exe File opened for modification C:\Windows\SysWOW64\Ifolhann.exe Inhdgdmk.exe File opened for modification C:\Windows\SysWOW64\Cgadja32.exe Cdchneko.exe File created C:\Windows\SysWOW64\Hailie32.dll Qemldifo.exe File created C:\Windows\SysWOW64\Gifclb32.exe Gmpcgace.exe File opened for modification C:\Windows\SysWOW64\Kdnild32.exe Kaompi32.exe File created C:\Windows\SysWOW64\Mqbbagjo.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Ejnbekph.dll File created C:\Windows\SysWOW64\Nldeka32.dll File created C:\Windows\SysWOW64\Cileqlmg.exe Cbblda32.exe File created C:\Windows\SysWOW64\Lgkkmm32.exe Lhhkapeh.exe File created C:\Windows\SysWOW64\Mkehop32.dll Kjeglh32.exe File opened for modification C:\Windows\SysWOW64\Fiebnjbg.exe Fbkjap32.exe File opened for modification C:\Windows\SysWOW64\Ecjgio32.exe File opened for modification C:\Windows\SysWOW64\Lgqkbb32.exe Lhnkffeo.exe File opened for modification C:\Windows\SysWOW64\Fdiqpigl.exe Fefqdl32.exe File created C:\Windows\SysWOW64\Hffhec32.dll Gockgdeh.exe File opened for modification C:\Windows\SysWOW64\Kadica32.exe Kkjpggkn.exe File opened for modification C:\Windows\SysWOW64\Jcckibfg.exe File created C:\Windows\SysWOW64\Qkekbn32.dll File created C:\Windows\SysWOW64\Hmijajbd.exe File opened for modification C:\Windows\SysWOW64\Pfkkeq32.exe File created C:\Windows\SysWOW64\Kmdlca32.dll Oplelf32.exe File created C:\Windows\SysWOW64\Cbdiia32.exe Cnimiblo.exe File opened for modification C:\Windows\SysWOW64\Dihmpinj.exe Demaoj32.exe File created C:\Windows\SysWOW64\Nigldq32.exe Nqpdcc32.exe File opened for modification C:\Windows\SysWOW64\Bccoeo32.exe Bdaojbjf.exe File created C:\Windows\SysWOW64\Nacgfd32.dll File created C:\Windows\SysWOW64\Gkhaooec.exe File created C:\Windows\SysWOW64\Deafohkc.dll File created C:\Windows\SysWOW64\Ihpfbd32.dll File created C:\Windows\SysWOW64\Fbflbd32.dll File created C:\Windows\SysWOW64\Einjdb32.exe Ehlmljkm.exe File created C:\Windows\SysWOW64\Hehiqh32.dll Hdecea32.exe File created C:\Windows\SysWOW64\Nplnekmg.dll Lfbdci32.exe File created C:\Windows\SysWOW64\Nqmnjd32.exe Nnnbni32.exe File created C:\Windows\SysWOW64\Decdmi32.exe Dbdham32.exe File created C:\Windows\SysWOW64\Lofkoamf.exe File created C:\Windows\SysWOW64\Folfoj32.exe Fgdnnl32.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Jfliim32.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bgoime32.exe File created C:\Windows\SysWOW64\Ofkggbgh.dll Jfdhmk32.exe File created C:\Windows\SysWOW64\Adnjbnhn.dll Goldfelp.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Oplelf32.exeJokqnhpa.exeFlcojeak.exeJioopgef.exePhnpagdp.exeAklabp32.exeCjjnhnbl.exeHqochjnk.exeEdoefl32.exeNdcapd32.exeDnefhpma.exeKkjpggkn.exeQeppdo32.exeJjjdhc32.exeObmpgjbb.exeGdhfdffl.exeJjnjqb32.exeJjpgfbom.exeIiqldc32.exeBfoeil32.exeGqdgom32.exePaiaplin.exeColpld32.exeIcifjk32.exePndalkgf.exeBllcnega.exeFbpclofe.exeGmpcgace.exeInhanl32.exeIakgefqe.exeIhglhp32.exeJkchmo32.exeLlpfjomf.exeIkjhki32.exeLmpcca32.exePjmnfk32.exeJeaahk32.exeLmalgq32.exeEknpadcn.exeJnbpqb32.exePnbojmmp.exeAkcomepg.exeObbdml32.exeBfabnl32.exeGmhkin32.exeGncnmane.exePadjmfdg.exeFjegog32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokqnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flcojeak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jioopgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqochjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndcapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmpgjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhfdffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpgfbom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoeil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pndalkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllcnega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpclofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkchmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmnfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeaahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmalgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknpadcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcomepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padjmfdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe -
Modifies registry class 64 IoCs
Processes:
Hihlqeib.exeIcplje32.exeHldlga32.exePmmneg32.exeLafahdcc.exeHdefnjkj.exeOmioekbo.exeAokckm32.exeMopdpg32.exeIfgicg32.exePdhpdq32.exePfhhflmg.exeOjomdoof.exeMciabmlo.exeEnpban32.exePmhejhao.exeFefqdl32.exePjahakgb.exeDbdham32.exeEhlmljkm.exePhehko32.exeDghjkpck.exeOplgeoea.exeFjnignob.exeHcdifa32.exeCglalbbi.exeLhimji32.exeMcckcbgp.exeOhfcfb32.exeBmlael32.exeMploiq32.exeGgdcbi32.exeMnblhddb.exeEfmckpko.exeQejpoi32.exeFijbco32.exeNhepoaif.exeLonibk32.exeNgdjaofc.exeLaahme32.exePiicpk32.exePgcmbcih.exeOielnd32.exeAojabdlf.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hihlqeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icplje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmepgp32.dll" Hldlga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmmneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lafahdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdefnjkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpccle32.dll" Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mopdpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfeflj32.dll" Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdhpdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfhhflmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnlbf32.dll" Enpban32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eneegl32.dll" Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fefqdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjahakgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbdham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phehko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dghjkpck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oplgeoea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjnignob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cglalbbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhimji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbobb32.dll" Mcckcbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mploiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necdin32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqhifni.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galfie32.dll" Mnblhddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgkinbcp.dll" Efmckpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljfocan.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqnkoqm.dll" Nhepoaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahdkab32.dll" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngdjaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laahme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpidd32.dll" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahojng32.dll" Oielnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aojabdlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exeBcmfmlen.exeCpdgbm32.exeCfnoogbo.exeCiohqa32.exeCpiqmlfm.exeCiaefa32.exeCfeepelg.exeCopjdhib.exeDhiomn32.exeDdpobo32.exeDmhdkdlg.exeDklddhka.exeDddimn32.exeDpkibo32.exeDkqnoh32.exedescription pid process target process PID 2960 wrote to memory of 2352 2960 8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe Bcmfmlen.exe PID 2960 wrote to memory of 2352 2960 8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe Bcmfmlen.exe PID 2960 wrote to memory of 2352 2960 8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe Bcmfmlen.exe PID 2960 wrote to memory of 2352 2960 8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe Bcmfmlen.exe PID 2352 wrote to memory of 3020 2352 Bcmfmlen.exe Cpdgbm32.exe PID 2352 wrote to memory of 3020 2352 Bcmfmlen.exe Cpdgbm32.exe PID 2352 wrote to memory of 3020 2352 Bcmfmlen.exe Cpdgbm32.exe PID 2352 wrote to memory of 3020 2352 Bcmfmlen.exe Cpdgbm32.exe PID 3020 wrote to memory of 768 3020 Cpdgbm32.exe Cfnoogbo.exe PID 3020 wrote to memory of 768 3020 Cpdgbm32.exe Cfnoogbo.exe PID 3020 wrote to memory of 768 3020 Cpdgbm32.exe Cfnoogbo.exe PID 3020 wrote to memory of 768 3020 Cpdgbm32.exe Cfnoogbo.exe PID 768 wrote to memory of 2692 768 Cfnoogbo.exe Ciohqa32.exe PID 768 wrote to memory of 2692 768 Cfnoogbo.exe Ciohqa32.exe PID 768 wrote to memory of 2692 768 Cfnoogbo.exe Ciohqa32.exe PID 768 wrote to memory of 2692 768 Cfnoogbo.exe Ciohqa32.exe PID 2692 wrote to memory of 2936 2692 Ciohqa32.exe Cpiqmlfm.exe PID 2692 wrote to memory of 2936 2692 Ciohqa32.exe Cpiqmlfm.exe PID 2692 wrote to memory of 2936 2692 Ciohqa32.exe Cpiqmlfm.exe PID 2692 wrote to memory of 2936 2692 Ciohqa32.exe Cpiqmlfm.exe PID 2936 wrote to memory of 2920 2936 Cpiqmlfm.exe Ciaefa32.exe PID 2936 wrote to memory of 2920 2936 Cpiqmlfm.exe Ciaefa32.exe PID 2936 wrote to memory of 2920 2936 Cpiqmlfm.exe Ciaefa32.exe PID 2936 wrote to memory of 2920 2936 Cpiqmlfm.exe Ciaefa32.exe PID 2920 wrote to memory of 2720 2920 Ciaefa32.exe Cfeepelg.exe PID 2920 wrote to memory of 2720 2920 Ciaefa32.exe Cfeepelg.exe PID 2920 wrote to memory of 2720 2920 Ciaefa32.exe Cfeepelg.exe PID 2920 wrote to memory of 2720 2920 Ciaefa32.exe Cfeepelg.exe PID 2720 wrote to memory of 2600 2720 Cfeepelg.exe Copjdhib.exe PID 2720 wrote to memory of 2600 2720 Cfeepelg.exe Copjdhib.exe PID 2720 wrote to memory of 2600 2720 Cfeepelg.exe Copjdhib.exe PID 2720 wrote to memory of 2600 2720 Cfeepelg.exe Copjdhib.exe PID 2600 wrote to memory of 528 2600 Copjdhib.exe Dhiomn32.exe PID 2600 wrote to memory of 528 2600 Copjdhib.exe Dhiomn32.exe PID 2600 wrote to memory of 528 2600 Copjdhib.exe Dhiomn32.exe PID 2600 wrote to memory of 528 2600 Copjdhib.exe Dhiomn32.exe PID 528 wrote to memory of 316 528 Dhiomn32.exe Ddpobo32.exe PID 528 wrote to memory of 316 528 Dhiomn32.exe Ddpobo32.exe PID 528 wrote to memory of 316 528 Dhiomn32.exe Ddpobo32.exe PID 528 wrote to memory of 316 528 Dhiomn32.exe Ddpobo32.exe PID 316 wrote to memory of 1848 316 Ddpobo32.exe Dmhdkdlg.exe PID 316 wrote to memory of 1848 316 Ddpobo32.exe Dmhdkdlg.exe PID 316 wrote to memory of 1848 316 Ddpobo32.exe Dmhdkdlg.exe PID 316 wrote to memory of 1848 316 Ddpobo32.exe Dmhdkdlg.exe PID 1848 wrote to memory of 1728 1848 Dmhdkdlg.exe Dklddhka.exe PID 1848 wrote to memory of 1728 1848 Dmhdkdlg.exe Dklddhka.exe PID 1848 wrote to memory of 1728 1848 Dmhdkdlg.exe Dklddhka.exe PID 1848 wrote to memory of 1728 1848 Dmhdkdlg.exe Dklddhka.exe PID 1728 wrote to memory of 2388 1728 Dklddhka.exe Dddimn32.exe PID 1728 wrote to memory of 2388 1728 Dklddhka.exe Dddimn32.exe PID 1728 wrote to memory of 2388 1728 Dklddhka.exe Dddimn32.exe PID 1728 wrote to memory of 2388 1728 Dklddhka.exe Dddimn32.exe PID 2388 wrote to memory of 1368 2388 Dddimn32.exe Dpkibo32.exe PID 2388 wrote to memory of 1368 2388 Dddimn32.exe Dpkibo32.exe PID 2388 wrote to memory of 1368 2388 Dddimn32.exe Dpkibo32.exe PID 2388 wrote to memory of 1368 2388 Dddimn32.exe Dpkibo32.exe PID 1368 wrote to memory of 1212 1368 Dpkibo32.exe Dkqnoh32.exe PID 1368 wrote to memory of 1212 1368 Dpkibo32.exe Dkqnoh32.exe PID 1368 wrote to memory of 1212 1368 Dpkibo32.exe Dkqnoh32.exe PID 1368 wrote to memory of 1212 1368 Dpkibo32.exe Dkqnoh32.exe PID 1212 wrote to memory of 2428 1212 Dkqnoh32.exe Edibhmml.exe PID 1212 wrote to memory of 2428 1212 Dkqnoh32.exe Edibhmml.exe PID 1212 wrote to memory of 2428 1212 Dkqnoh32.exe Edibhmml.exe PID 1212 wrote to memory of 2428 1212 Dkqnoh32.exe Edibhmml.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe"C:\Users\Admin\AppData\Local\Temp\8c92d0cb47983b34095986aa21bba6586bb3df0d7553d1700682a762568ae256N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe33⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe34⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe35⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe36⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe37⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe38⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe39⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe41⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe42⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe43⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe44⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe45⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe46⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe47⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe48⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe49⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe50⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe51⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe52⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe54⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe55⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe56⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe57⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe58⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe59⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe60⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe62⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe63⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe65⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe66⤵PID:1732
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe67⤵PID:1332
-
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe68⤵PID:2212
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe69⤵PID:2304
-
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe71⤵PID:2972
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe72⤵PID:1700
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe73⤵PID:2912
-
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe74⤵PID:2672
-
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe75⤵PID:2728
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe76⤵PID:2836
-
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe78⤵PID:1484
-
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe81⤵PID:1424
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe82⤵PID:2208
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe83⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe84⤵PID:1880
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe85⤵PID:1548
-
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe87⤵PID:1628
-
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe88⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe89⤵PID:2288
-
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe90⤵PID:2792
-
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe91⤵PID:2644
-
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe92⤵PID:2828
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe93⤵PID:1996
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe95⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe96⤵PID:2896
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe97⤵PID:1720
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe98⤵PID:592
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe99⤵PID:2516
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe100⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe101⤵PID:2144
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe103⤵PID:2268
-
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe104⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe105⤵PID:1176
-
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe106⤵PID:2096
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe107⤵PID:2012
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe108⤵PID:1772
-
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe109⤵PID:1932
-
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe110⤵PID:620
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe111⤵PID:1980
-
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe112⤵PID:968
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe113⤵PID:308
-
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe114⤵PID:2744
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe115⤵PID:2588
-
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe116⤵PID:2632
-
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe117⤵PID:2008
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe118⤵PID:2384
-
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe119⤵PID:1060
-
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe120⤵PID:2236
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe121⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe122⤵PID:1180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-