Analysis
-
max time kernel
15s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
10/11/2024, 10:56
Static task
static1
Behavioral task
behavioral1
Sample
0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe
Resource
win10v2004-20241007-en
General
-
Target
0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe
-
Size
96KB
-
MD5
b5b60ae5c62d31756ead44ecf2c737b0
-
SHA1
161ac207a2a7b5d1f9bde622555efe6a52e6e0db
-
SHA256
0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434
-
SHA512
98e5681247f3602a161fa3c79a7dec665d176c734777281893458b9b644531b20a5d18215c5898fda198b1266158f94fe794e5c28518fac265637e9f322733ae
-
SSDEEP
1536:rTV8YYqvVJoG0D/6ffsqaomp7DaysTfIK+7RQ+ikR5R45WtqV9R2R462izMg3R7o:/VkqvnXHBaayqIK+7e+XHrtG9MW3+3lo
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecbjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndoelpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dadcppbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjkcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gibmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kccian32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqjfpbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nebnigmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpalfabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbfobllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffpkob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fghngimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcchgini.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iockhigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaddid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mganfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjddnjdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdaid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iboghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iagaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jofdll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odckfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omjbihpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnflnfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikmibjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqdjceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npffaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odoakckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjihci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjaddii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edelakoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geddoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gapoob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibidc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfdfdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khglkqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkcebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejohdbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fghngimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpcblkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbifmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noplmlok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglbmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efkbdbai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilhlan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpalfabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meeopdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ninjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgglifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbheif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifhgcgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqcqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfdbcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbpibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opebpdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmgodc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmngn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdnloph.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2644 Cikbjpqd.exe 2820 Cgobcd32.exe 2816 Cpgglifo.exe 2968 Cedpdpdf.exe 2860 Clnhajlc.exe 2756 Dchpnd32.exe 2260 Defljp32.exe 2388 Dkcebg32.exe 2448 Ddliklgk.exe 2988 Dkeahf32.exe 2760 Dekeeonn.exe 1748 Dglbmg32.exe 2052 Dnfjiali.exe 1860 Dhlogjko.exe 2204 Dadcppbp.exe 336 Dcepgh32.exe 2512 Ejohdbok.exe 1288 Edelakoq.exe 732 Enmqjq32.exe 988 Eoomai32.exe 800 Egeecf32.exe 2456 Eqnillbb.exe 2580 Efkbdbai.exe 1528 Ehinpnpm.exe 1244 Edpoeoea.exe 1796 Ffpkob32.exe 2896 Fhngkm32.exe 2936 Fkldgi32.exe 3008 Fnkpcd32.exe 2744 Fdgefn32.exe 1700 Fcjeakfd.exe 2276 Fnoiocfj.exe 1036 Fqnfkoen.exe 2444 Fclbgj32.exe 1964 Fghngimj.exe 1012 Fpcblkje.exe 2548 Ffmkhe32.exe 3040 Fjhgidjk.exe 1624 Gjkcod32.exe 1388 Gllpflng.exe 1780 Gcchgini.exe 1684 Geddoa32.exe 2352 Gmlmpo32.exe 1692 Gbheif32.exe 1580 Gfdaid32.exe 1652 Gibmep32.exe 1516 Gplebjbk.exe 1152 Geinjapb.exe 2600 Ghgjflof.exe 2904 Glcfgk32.exe 2168 Gnabcf32.exe 2852 Gapoob32.exe 2864 Gdnkkmej.exe 1736 Hhjgll32.exe 2056 Hndoifdp.exe 1344 Hmgodc32.exe 1084 Hengep32.exe 3044 Hdqhambg.exe 3012 Hnflnfbm.exe 2128 Hmiljb32.exe 2216 Hpghfn32.exe 2248 Hhopgkin.exe 876 Hipmoc32.exe 2656 Hmkiobge.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe 2296 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe 2644 Cikbjpqd.exe 2644 Cikbjpqd.exe 2820 Cgobcd32.exe 2820 Cgobcd32.exe 2816 Cpgglifo.exe 2816 Cpgglifo.exe 2968 Cedpdpdf.exe 2968 Cedpdpdf.exe 2860 Clnhajlc.exe 2860 Clnhajlc.exe 2756 Dchpnd32.exe 2756 Dchpnd32.exe 2260 Defljp32.exe 2260 Defljp32.exe 2388 Dkcebg32.exe 2388 Dkcebg32.exe 2448 Ddliklgk.exe 2448 Ddliklgk.exe 2988 Dkeahf32.exe 2988 Dkeahf32.exe 2760 Dekeeonn.exe 2760 Dekeeonn.exe 1748 Dglbmg32.exe 1748 Dglbmg32.exe 2052 Dnfjiali.exe 2052 Dnfjiali.exe 1860 Dhlogjko.exe 1860 Dhlogjko.exe 2204 Dadcppbp.exe 2204 Dadcppbp.exe 336 Dcepgh32.exe 336 Dcepgh32.exe 2512 Ejohdbok.exe 2512 Ejohdbok.exe 1288 Edelakoq.exe 1288 Edelakoq.exe 732 Enmqjq32.exe 732 Enmqjq32.exe 988 Eoomai32.exe 988 Eoomai32.exe 800 Egeecf32.exe 800 Egeecf32.exe 2456 Eqnillbb.exe 2456 Eqnillbb.exe 2580 Efkbdbai.exe 2580 Efkbdbai.exe 1528 Ehinpnpm.exe 1528 Ehinpnpm.exe 1708 Emggflfc.exe 1708 Emggflfc.exe 1796 Ffpkob32.exe 1796 Ffpkob32.exe 2896 Fhngkm32.exe 2896 Fhngkm32.exe 2936 Fkldgi32.exe 2936 Fkldgi32.exe 3008 Fnkpcd32.exe 3008 Fnkpcd32.exe 2744 Fdgefn32.exe 2744 Fdgefn32.exe 1700 Fcjeakfd.exe 1700 Fcjeakfd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Njbnon32.dll Kqqdjceh.exe File opened for modification C:\Windows\SysWOW64\Kjnanhhc.exe Kccian32.exe File created C:\Windows\SysWOW64\Moeodd32.dll Lfdbcing.exe File created C:\Windows\SysWOW64\Hlkmcjlp.dll Nfmahkhh.exe File created C:\Windows\SysWOW64\Nomphm32.exe Nlocka32.exe File created C:\Windows\SysWOW64\Pljhmo32.dll Gplebjbk.exe File created C:\Windows\SysWOW64\Heijidbn.exe Hdhnal32.exe File created C:\Windows\SysWOW64\Glfiinip.dll Majcoepi.exe File created C:\Windows\SysWOW64\Mfihml32.exe Mcjlap32.exe File created C:\Windows\SysWOW64\Onlooh32.exe Oeegnj32.exe File opened for modification C:\Windows\SysWOW64\Geinjapb.exe Gplebjbk.exe File opened for modification C:\Windows\SysWOW64\Heijidbn.exe Hdhnal32.exe File created C:\Windows\SysWOW64\Lqnmhm32.dll Kmjaddii.exe File opened for modification C:\Windows\SysWOW64\Hdhnal32.exe Hibidc32.exe File opened for modification C:\Windows\SysWOW64\Jlekja32.exe Jkdoci32.exe File created C:\Windows\SysWOW64\Pfgmna32.dll Mbpibm32.exe File created C:\Windows\SysWOW64\Madikm32.dll Nbdbml32.exe File created C:\Windows\SysWOW64\Odckfb32.exe Ollcee32.exe File created C:\Windows\SysWOW64\Hdeall32.exe Hmkiobge.exe File opened for modification C:\Windows\SysWOW64\Jgmlmj32.exe Jofdll32.exe File created C:\Windows\SysWOW64\Gigpekfk.dll Kcamln32.exe File opened for modification C:\Windows\SysWOW64\Okijhmcm.exe Ogmngn32.exe File opened for modification C:\Windows\SysWOW64\Gibmep32.exe Gfdaid32.exe File created C:\Windows\SysWOW64\Knmmkb32.dll Hmgodc32.exe File created C:\Windows\SysWOW64\Lmcdkbao.exe Lelljepm.exe File created C:\Windows\SysWOW64\Majcoepi.exe Mnkfcjqe.exe File created C:\Windows\SysWOW64\Eoomai32.exe Enmqjq32.exe File created C:\Windows\SysWOW64\Fdgefn32.exe Fnkpcd32.exe File opened for modification C:\Windows\SysWOW64\Odckfb32.exe Ollcee32.exe File created C:\Windows\SysWOW64\Olalpdbc.exe Oegdcj32.exe File created C:\Windows\SysWOW64\Bnjgld32.dll Iboghh32.exe File opened for modification C:\Windows\SysWOW64\Kkaolm32.exe Kdgfpbaf.exe File opened for modification C:\Windows\SysWOW64\Kqqdjceh.exe Koogbk32.exe File opened for modification C:\Windows\SysWOW64\Opebpdad.exe Oacbdg32.exe File created C:\Windows\SysWOW64\Hjjheeoc.dll Gibmep32.exe File opened for modification C:\Windows\SysWOW64\Ifhgcgjq.exe Ioaobjin.exe File created C:\Windows\SysWOW64\Gjkcod32.exe Fjhgidjk.exe File created C:\Windows\SysWOW64\Iaddid32.exe Ibadnhmb.exe File created C:\Windows\SysWOW64\Iockhigl.exe Ihjcko32.exe File opened for modification C:\Windows\SysWOW64\Kfdfdf32.exe Jojnglco.exe File created C:\Windows\SysWOW64\Edljdb32.dll Nlapaapg.exe File created C:\Windows\SysWOW64\Gllpflng.exe Gjkcod32.exe File created C:\Windows\SysWOW64\Mgmjbn32.dll Ifhgcgjq.exe File created C:\Windows\SysWOW64\Ngkaaolf.exe Ndmeecmb.exe File created C:\Windows\SysWOW64\Dadcppbp.exe Dhlogjko.exe File created C:\Windows\SysWOW64\Ifhgcgjq.exe Ioaobjin.exe File created C:\Windows\SysWOW64\Gfdaid32.exe Gbheif32.exe File created C:\Windows\SysWOW64\Khglkqfj.exe Kqqdjceh.exe File created C:\Windows\SysWOW64\Lmlnjcgg.exe Kjnanhhc.exe File opened for modification C:\Windows\SysWOW64\Mnncii32.exe Mffkgl32.exe File created C:\Windows\SysWOW64\Omjbihpn.exe Okkfmmqj.exe File created C:\Windows\SysWOW64\Dkcebg32.exe Defljp32.exe File opened for modification C:\Windows\SysWOW64\Gjkcod32.exe Fjhgidjk.exe File created C:\Windows\SysWOW64\Mbpibm32.exe Mpalfabn.exe File created C:\Windows\SysWOW64\Hnfgbfba.dll Npffaq32.exe File opened for modification C:\Windows\SysWOW64\Jcocgkbp.exe Jlekja32.exe File opened for modification C:\Windows\SysWOW64\Kqcqpc32.exe Kjihci32.exe File opened for modification C:\Windows\SysWOW64\Onlooh32.exe Oeegnj32.exe File opened for modification C:\Windows\SysWOW64\Dglbmg32.exe Dekeeonn.exe File opened for modification C:\Windows\SysWOW64\Iiipeb32.exe Iboghh32.exe File created C:\Windows\SysWOW64\Mjmnmk32.exe Milaecdp.exe File created C:\Windows\SysWOW64\Mmcpjfcj.exe Mjddnjdf.exe File opened for modification C:\Windows\SysWOW64\Innbde32.exe Ikoehj32.exe File opened for modification C:\Windows\SysWOW64\Jhniebne.exe Jgmlmj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3884 3860 WerFault.exe 227 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndoifdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofdll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nepach32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeahf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edpoeoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkldgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heijidbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcocgkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oegdcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlogjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadcppbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikmibjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjfpbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmcpjfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilndfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobiclmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defljp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmkhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbheif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqqdjceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelljepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpalfabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfjiali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmqjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoomai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hengep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlekja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkcgapjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmpnjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlocka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojnglco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgobcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejohdbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnoiocfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqhambg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnflnfbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibidc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjjcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikbjpqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edelakoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioaobjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilhlan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjceb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkfmmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dekeeonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkehhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbgbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeegnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geinjapb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majcoepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkebkjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmffa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpkob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milaecdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnncii32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifph32.dll" Ihjcko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkaolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqqdjceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ninjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafeln32.dll" Ogbgbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghcl32.dll" Cedpdpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkika32.dll" Eqnillbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpghfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndoelpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnhfi32.dll" Nphbfplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioloaac.dll" Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lijepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfmahkhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enmqjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbcjjnl.dll" Jndhddaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqcqpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfoejcg.dll" Dadcppbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkldgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feglnpia.dll" Mffkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndoelpid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nebnigmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegobiom.dll" Ndjhpcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcjeakfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgckc32.dll" Iiipeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mecbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfkebkjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opjlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcepgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kccian32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcjlap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdhnal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hainad32.dll" Ihcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahdheo32.dll" Lcffgnnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkdoci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlmffa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnabcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpjqhld.dll" Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honblmaq.dll" Mmemoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nphbfplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kghoan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjihci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbdfni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmoqm32.dll" Hfdmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgdad32.dll" Jojnglco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nanhihno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kccian32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opjlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlhmkbhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndjhpcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejohdbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdjceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhmbnh32.dll" Koogbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iiipeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcflp32.dll" Jcocgkbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmlnjcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbmpnjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lokfgk32.dll" Fkldgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpcblkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmkiobge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfdhdkf.dll" Nebnigmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhlidkdc.dll" Kdjceb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2644 2296 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe 30 PID 2296 wrote to memory of 2644 2296 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe 30 PID 2296 wrote to memory of 2644 2296 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe 30 PID 2296 wrote to memory of 2644 2296 0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe 30 PID 2644 wrote to memory of 2820 2644 Cikbjpqd.exe 31 PID 2644 wrote to memory of 2820 2644 Cikbjpqd.exe 31 PID 2644 wrote to memory of 2820 2644 Cikbjpqd.exe 31 PID 2644 wrote to memory of 2820 2644 Cikbjpqd.exe 31 PID 2820 wrote to memory of 2816 2820 Cgobcd32.exe 32 PID 2820 wrote to memory of 2816 2820 Cgobcd32.exe 32 PID 2820 wrote to memory of 2816 2820 Cgobcd32.exe 32 PID 2820 wrote to memory of 2816 2820 Cgobcd32.exe 32 PID 2816 wrote to memory of 2968 2816 Cpgglifo.exe 33 PID 2816 wrote to memory of 2968 2816 Cpgglifo.exe 33 PID 2816 wrote to memory of 2968 2816 Cpgglifo.exe 33 PID 2816 wrote to memory of 2968 2816 Cpgglifo.exe 33 PID 2968 wrote to memory of 2860 2968 Cedpdpdf.exe 34 PID 2968 wrote to memory of 2860 2968 Cedpdpdf.exe 34 PID 2968 wrote to memory of 2860 2968 Cedpdpdf.exe 34 PID 2968 wrote to memory of 2860 2968 Cedpdpdf.exe 34 PID 2860 wrote to memory of 2756 2860 Clnhajlc.exe 35 PID 2860 wrote to memory of 2756 2860 Clnhajlc.exe 35 PID 2860 wrote to memory of 2756 2860 Clnhajlc.exe 35 PID 2860 wrote to memory of 2756 2860 Clnhajlc.exe 35 PID 2756 wrote to memory of 2260 2756 Dchpnd32.exe 36 PID 2756 wrote to memory of 2260 2756 Dchpnd32.exe 36 PID 2756 wrote to memory of 2260 2756 Dchpnd32.exe 36 PID 2756 wrote to memory of 2260 2756 Dchpnd32.exe 36 PID 2260 wrote to memory of 2388 2260 Defljp32.exe 37 PID 2260 wrote to memory of 2388 2260 Defljp32.exe 37 PID 2260 wrote to memory of 2388 2260 Defljp32.exe 37 PID 2260 wrote to memory of 2388 2260 Defljp32.exe 37 PID 2388 wrote to memory of 2448 2388 Dkcebg32.exe 38 PID 2388 wrote to memory of 2448 2388 Dkcebg32.exe 38 PID 2388 wrote to memory of 2448 2388 Dkcebg32.exe 38 PID 2388 wrote to memory of 2448 2388 Dkcebg32.exe 38 PID 2448 wrote to memory of 2988 2448 Ddliklgk.exe 39 PID 2448 wrote to memory of 2988 2448 Ddliklgk.exe 39 PID 2448 wrote to memory of 2988 2448 Ddliklgk.exe 39 PID 2448 wrote to memory of 2988 2448 Ddliklgk.exe 39 PID 2988 wrote to memory of 2760 2988 Dkeahf32.exe 40 PID 2988 wrote to memory of 2760 2988 Dkeahf32.exe 40 PID 2988 wrote to memory of 2760 2988 Dkeahf32.exe 40 PID 2988 wrote to memory of 2760 2988 Dkeahf32.exe 40 PID 2760 wrote to memory of 1748 2760 Dekeeonn.exe 41 PID 2760 wrote to memory of 1748 2760 Dekeeonn.exe 41 PID 2760 wrote to memory of 1748 2760 Dekeeonn.exe 41 PID 2760 wrote to memory of 1748 2760 Dekeeonn.exe 41 PID 1748 wrote to memory of 2052 1748 Dglbmg32.exe 42 PID 1748 wrote to memory of 2052 1748 Dglbmg32.exe 42 PID 1748 wrote to memory of 2052 1748 Dglbmg32.exe 42 PID 1748 wrote to memory of 2052 1748 Dglbmg32.exe 42 PID 2052 wrote to memory of 1860 2052 Dnfjiali.exe 43 PID 2052 wrote to memory of 1860 2052 Dnfjiali.exe 43 PID 2052 wrote to memory of 1860 2052 Dnfjiali.exe 43 PID 2052 wrote to memory of 1860 2052 Dnfjiali.exe 43 PID 1860 wrote to memory of 2204 1860 Dhlogjko.exe 44 PID 1860 wrote to memory of 2204 1860 Dhlogjko.exe 44 PID 1860 wrote to memory of 2204 1860 Dhlogjko.exe 44 PID 1860 wrote to memory of 2204 1860 Dhlogjko.exe 44 PID 2204 wrote to memory of 336 2204 Dadcppbp.exe 45 PID 2204 wrote to memory of 336 2204 Dadcppbp.exe 45 PID 2204 wrote to memory of 336 2204 Dadcppbp.exe 45 PID 2204 wrote to memory of 336 2204 Dadcppbp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe"C:\Users\Admin\AppData\Local\Temp\0729dc02ac52139d380e979db881edb1d4ffaa36d2c5cf53b9cd301386360434N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Cgobcd32.exeC:\Windows\system32\Cgobcd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Cedpdpdf.exeC:\Windows\system32\Cedpdpdf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Ddliklgk.exeC:\Windows\system32\Ddliklgk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Dnfjiali.exeC:\Windows\system32\Dnfjiali.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Dhlogjko.exeC:\Windows\system32\Dhlogjko.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Ejohdbok.exeC:\Windows\system32\Ejohdbok.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Edelakoq.exeC:\Windows\system32\Edelakoq.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Enmqjq32.exeC:\Windows\system32\Enmqjq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:732 -
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:988 -
C:\Windows\SysWOW64\Egeecf32.exeC:\Windows\system32\Egeecf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Ehinpnpm.exeC:\Windows\system32\Ehinpnpm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe27⤵
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Fkldgi32.exeC:\Windows\system32\Fkldgi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Fnoiocfj.exeC:\Windows\system32\Fnoiocfj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Fqnfkoen.exeC:\Windows\system32\Fqnfkoen.exe35⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe36⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Fjhgidjk.exeC:\Windows\system32\Fjhgidjk.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe42⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe45⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Gibmep32.exeC:\Windows\system32\Gibmep32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Ghgjflof.exeC:\Windows\system32\Ghgjflof.exe51⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe52⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe55⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Hhjgll32.exeC:\Windows\system32\Hhjgll32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Hmgodc32.exeC:\Windows\system32\Hmgodc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Hdqhambg.exeC:\Windows\system32\Hdqhambg.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Hmiljb32.exeC:\Windows\system32\Hmiljb32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe64⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe65⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Hmkiobge.exeC:\Windows\system32\Hmkiobge.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe67⤵PID:632
-
C:\Windows\SysWOW64\Hfdmhh32.exeC:\Windows\system32\Hfdmhh32.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Hibidc32.exeC:\Windows\system32\Hibidc32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Hdhnal32.exeC:\Windows\system32\Hdhnal32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe71⤵
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe72⤵PID:3020
-
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe73⤵PID:2696
-
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Ihjcko32.exeC:\Windows\system32\Ihjcko32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe79⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe81⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Iaddid32.exeC:\Windows\system32\Iaddid32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe83⤵PID:2172
-
C:\Windows\SysWOW64\Ikmibjkm.exeC:\Windows\system32\Ikmibjkm.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe86⤵PID:1156
-
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe87⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Innbde32.exeC:\Windows\system32\Innbde32.exe88⤵PID:2880
-
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe89⤵PID:2712
-
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe92⤵
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe93⤵PID:3028
-
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe97⤵PID:1328
-
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe98⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Jofdll32.exeC:\Windows\system32\Jofdll32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe100⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe101⤵PID:2888
-
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe102⤵PID:1808
-
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe103⤵PID:2240
-
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe104⤵PID:1832
-
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe105⤵PID:1504
-
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Kfdfdf32.exeC:\Windows\system32\Kfdfdf32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe108⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe110⤵PID:1712
-
C:\Windows\SysWOW64\Kdjceb32.exeC:\Windows\system32\Kdjceb32.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Kghoan32.exeC:\Windows\system32\Kghoan32.exe112⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Kqcqpc32.exeC:\Windows\system32\Kqcqpc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Kcamln32.exeC:\Windows\system32\Kcamln32.exe118⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe119⤵
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe122⤵
- Drops file in System32 directory
PID:2844
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-