Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
10/11/2024, 11:11
Static task
static1
Behavioral task
behavioral1
Sample
7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe
Resource
win10v2004-20241007-en
General
-
Target
7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe
-
Size
79KB
-
MD5
1808b72dbf7b1b0275e6cd3178195d60
-
SHA1
442eb766e0f3643b4d41154850b63917a99f134a
-
SHA256
7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613a
-
SHA512
e231aeda6050a53494aed7d532ce9b89efc506961a047bcb3ddc1ceed3ef5fb17192cc71b25a1f2f63343803613dc708a2ea3df565352cedc411c6dd18e84c8b
-
SSDEEP
1536:cdxCJC4Huxxs0koPaTXzINAOY1KaRQiXRbRUs3cO57OWxXPu4b:cfwOxCgikBbaeqlj9puE
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgiked32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhimji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eeagimdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpepj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdgkjopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfknhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpbcek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpfbegei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kekiphge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbconkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahchdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhcfjnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Achjibcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mobomnoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnpebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khldkllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oodjjign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajamfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cidddj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcohahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqjhcfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iickckcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djfdob32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1256 Clmdmm32.exe 2624 Cfcijf32.exe 3064 Ciaefa32.exe 2824 Cmmagpef.exe 3052 Cehfkb32.exe 2732 Daofpchf.exe 2944 Dldkmlhl.exe 876 Demofaol.exe 1032 Doecog32.exe 3008 Ddblgn32.exe 2140 Dmjqpdje.exe 2912 Dhpemm32.exe 2152 Dmmmfc32.exe 1940 Dgeaoinb.exe 2124 Dkqnoh32.exe 2600 Eclbcj32.exe 1108 Eiekpd32.exe 352 Eldglp32.exe 2144 Eelkeeah.exe 700 Eoepnk32.exe 600 Eeohkeoe.exe 2100 Elipgofb.exe 1892 Eogmcjef.exe 2328 Eddeladm.exe 2536 Enlidg32.exe 1368 Edfbaabj.exe 3060 Fdiogq32.exe 2232 Fnacpffh.exe 2952 Fcnkhmdp.exe 2828 Fgigil32.exe 2736 Fncpef32.exe 2868 Fcphnm32.exe 1956 Fnflke32.exe 1884 Fqdiga32.exe 2516 Fcbecl32.exe 1460 Gjojef32.exe 2928 Gmmfaa32.exe 660 Gkpfmnlb.exe 2020 Gdhkfd32.exe 2252 Gblkoham.exe 1040 Gdkgkcpq.exe 704 Gbohehoj.exe 1480 Gjjmijme.exe 1212 Gbadjg32.exe 2796 Gqdefddb.exe 1904 Ggnmbn32.exe 1880 Hnheohcl.exe 1688 Hmkeke32.exe 1948 Hebnlb32.exe 2372 Hgpjhn32.exe 2488 Hjofdi32.exe 2852 Hmmbqegc.exe 2344 Hcgjmo32.exe 2696 Hgbfnngi.exe 2712 Hjacjifm.exe 2000 Hmoofdea.exe 1984 Hcigco32.exe 2376 Hjcppidk.exe 2024 Hmalldcn.exe 2336 Hpphhp32.exe 2160 Hboddk32.exe 924 Hemqpf32.exe 1704 Hmdhad32.exe 2324 Hlgimqhf.exe -
Loads dropped DLL 64 IoCs
pid Process 2556 7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe 2556 7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe 1256 Clmdmm32.exe 1256 Clmdmm32.exe 2624 Cfcijf32.exe 2624 Cfcijf32.exe 3064 Ciaefa32.exe 3064 Ciaefa32.exe 2824 Cmmagpef.exe 2824 Cmmagpef.exe 3052 Cehfkb32.exe 3052 Cehfkb32.exe 2732 Daofpchf.exe 2732 Daofpchf.exe 2944 Dldkmlhl.exe 2944 Dldkmlhl.exe 876 Demofaol.exe 876 Demofaol.exe 1032 Doecog32.exe 1032 Doecog32.exe 3008 Ddblgn32.exe 3008 Ddblgn32.exe 2140 Dmjqpdje.exe 2140 Dmjqpdje.exe 2912 Dhpemm32.exe 2912 Dhpemm32.exe 2152 Dmmmfc32.exe 2152 Dmmmfc32.exe 1940 Dgeaoinb.exe 1940 Dgeaoinb.exe 2124 Dkqnoh32.exe 2124 Dkqnoh32.exe 2600 Eclbcj32.exe 2600 Eclbcj32.exe 1108 Eiekpd32.exe 1108 Eiekpd32.exe 352 Eldglp32.exe 352 Eldglp32.exe 2144 Eelkeeah.exe 2144 Eelkeeah.exe 700 Eoepnk32.exe 700 Eoepnk32.exe 600 Eeohkeoe.exe 600 Eeohkeoe.exe 2100 Elipgofb.exe 2100 Elipgofb.exe 1892 Eogmcjef.exe 1892 Eogmcjef.exe 2328 Eddeladm.exe 2328 Eddeladm.exe 2536 Enlidg32.exe 2536 Enlidg32.exe 1368 Edfbaabj.exe 1368 Edfbaabj.exe 3060 Fdiogq32.exe 3060 Fdiogq32.exe 2232 Fnacpffh.exe 2232 Fnacpffh.exe 2952 Fcnkhmdp.exe 2952 Fcnkhmdp.exe 2828 Fgigil32.exe 2828 Fgigil32.exe 2736 Fncpef32.exe 2736 Fncpef32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Khielcfh.exe Kekiphge.exe File opened for modification C:\Windows\SysWOW64\Ljfapjbi.exe Loqmba32.exe File opened for modification C:\Windows\SysWOW64\Addfkeid.exe Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Ijcngenj.exe Igebkiof.exe File created C:\Windows\SysWOW64\Jahbmlil.exe Jnifaajh.exe File created C:\Windows\SysWOW64\Hjddaj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jcckibfg.exe Process not Found File created C:\Windows\SysWOW64\Jmfafgbd.exe Jdnmma32.exe File opened for modification C:\Windows\SysWOW64\Dhckfkbh.exe Deenjpcd.exe File created C:\Windows\SysWOW64\Cqdfehii.exe Cnejim32.exe File created C:\Windows\SysWOW64\Ijjkhlkg.dll Meecaa32.exe File opened for modification C:\Windows\SysWOW64\Clkicbfa.exe Cfaqfh32.exe File created C:\Windows\SysWOW64\Gibkmgcj.exe Process not Found File created C:\Windows\SysWOW64\Bfbjdf32.exe Process not Found File created C:\Windows\SysWOW64\Klcdfdcb.dll Mjfnomde.exe File created C:\Windows\SysWOW64\Flcojeak.exe Ffgfancd.exe File created C:\Windows\SysWOW64\Pacmhh32.dll Keeeje32.exe File created C:\Windows\SysWOW64\Bfdenafn.exe Bceibfgj.exe File created C:\Windows\SysWOW64\Lifjic32.dll Ibipmiek.exe File created C:\Windows\SysWOW64\Ndggib32.exe Ncfjajma.exe File created C:\Windows\SysWOW64\Jcidje32.dll Hjcppidk.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Jpgjgboe.exe File created C:\Windows\SysWOW64\Hnbbaj32.dll Process not Found File created C:\Windows\SysWOW64\Biqfpb32.exe Process not Found File created C:\Windows\SysWOW64\Oggfcl32.dll Hmalldcn.exe File created C:\Windows\SysWOW64\Pmecbkgj.exe Process not Found File created C:\Windows\SysWOW64\Mpfbjp32.dll Process not Found File created C:\Windows\SysWOW64\Ikimqk32.dll Process not Found File created C:\Windows\SysWOW64\Agglbp32.exe Apmcefmf.exe File opened for modification C:\Windows\SysWOW64\Mdendpbg.exe Lafahdcc.exe File created C:\Windows\SysWOW64\Jnifaajh.exe Jgpndg32.exe File created C:\Windows\SysWOW64\Mloiec32.exe Mfeaiime.exe File created C:\Windows\SysWOW64\Fcbecl32.exe Fqdiga32.exe File created C:\Windows\SysWOW64\Ihpfgalh.exe Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Gjdldd32.exe Gckdgjeb.exe File opened for modification C:\Windows\SysWOW64\Ckbpqe32.exe Cidddj32.exe File created C:\Windows\SysWOW64\Fqdiga32.exe Fnflke32.exe File created C:\Windows\SysWOW64\Poibnekg.dll Mobomnoq.exe File created C:\Windows\SysWOW64\Nidjhoea.dll Fhdmph32.exe File created C:\Windows\SysWOW64\Ibdlbppo.dll Ffbmfo32.exe File created C:\Windows\SysWOW64\Ehlmljkm.exe Epeekmjk.exe File opened for modification C:\Windows\SysWOW64\Bfiabjjm.exe Booiep32.exe File opened for modification C:\Windows\SysWOW64\Ichmgl32.exe Imodkadq.exe File opened for modification C:\Windows\SysWOW64\Naimepkp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Opnbbe32.exe Oidiekdn.exe File created C:\Windows\SysWOW64\Ccmblnif.exe Ckfjjqhd.exe File created C:\Windows\SysWOW64\Gielfcfg.dll Lafahdcc.exe File created C:\Windows\SysWOW64\Eiapeffl.dll Oadkej32.exe File opened for modification C:\Windows\SysWOW64\Ogliemkk.exe Ndnmialh.exe File created C:\Windows\SysWOW64\Hnlalbhe.dll Process not Found File created C:\Windows\SysWOW64\Gjgcdgcc.dll Gdkgkcpq.exe File opened for modification C:\Windows\SysWOW64\Emifeqid.exe Einjdb32.exe File opened for modification C:\Windows\SysWOW64\Laleof32.exe Lkbmbl32.exe File created C:\Windows\SysWOW64\Pfbfhm32.exe Pddjlb32.exe File created C:\Windows\SysWOW64\Djdbeobe.dll Process not Found File created C:\Windows\SysWOW64\Kmfklepl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lklgbadb.exe Lhnkffeo.exe File created C:\Windows\SysWOW64\Egmhoeom.dll Mdadjd32.exe File created C:\Windows\SysWOW64\Enmkijgm.dll Jbjpom32.exe File created C:\Windows\SysWOW64\Alelkg32.dll Daaenlng.exe File created C:\Windows\SysWOW64\Kadica32.exe Koflgf32.exe File created C:\Windows\SysWOW64\Ndicnb32.exe Nomkfk32.exe File opened for modification C:\Windows\SysWOW64\Jgpndg32.exe Jeaahk32.exe File opened for modification C:\Windows\SysWOW64\Pioamlkk.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 6844 6276 Process not Found 1468 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdadjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijmbnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcfjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnpjkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boogmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeojcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpepj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnmoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcfcddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdankjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demofaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnmbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhoeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeaoinb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbcmaje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnochnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdeoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaqle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnhpglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjaodmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfjhcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbpqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdgcfmb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkoop32.dll" Cdkkcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Objmgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Emifeqid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lekghdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oplgeoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engeeehn.dll" Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcafg32.dll" Appbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jimbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Khohkamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpgnoqb.dll" Bfjkphjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgff32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepoia32.dll" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcjlnpmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjifodii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlhkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaggm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nidjhoea.dll" Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpogiglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiicbbm.dll" Deenjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahme32.dll" Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaipj32.dll" Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckecpjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkilka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbqkiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eickphoo.dll" Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhhiiloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckinbali.dll" Cpbkhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" Gbadjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keigbd32.dll" Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhnmcp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dihmpinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qboikm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnpebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmik32.dll" Ijnnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npfjbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdledbi.dll" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjdcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnnnlokd.dll" Bfgdmjlp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 1256 2556 7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe 30 PID 2556 wrote to memory of 1256 2556 7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe 30 PID 2556 wrote to memory of 1256 2556 7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe 30 PID 2556 wrote to memory of 1256 2556 7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe 30 PID 1256 wrote to memory of 2624 1256 Clmdmm32.exe 31 PID 1256 wrote to memory of 2624 1256 Clmdmm32.exe 31 PID 1256 wrote to memory of 2624 1256 Clmdmm32.exe 31 PID 1256 wrote to memory of 2624 1256 Clmdmm32.exe 31 PID 2624 wrote to memory of 3064 2624 Cfcijf32.exe 32 PID 2624 wrote to memory of 3064 2624 Cfcijf32.exe 32 PID 2624 wrote to memory of 3064 2624 Cfcijf32.exe 32 PID 2624 wrote to memory of 3064 2624 Cfcijf32.exe 32 PID 3064 wrote to memory of 2824 3064 Ciaefa32.exe 33 PID 3064 wrote to memory of 2824 3064 Ciaefa32.exe 33 PID 3064 wrote to memory of 2824 3064 Ciaefa32.exe 33 PID 3064 wrote to memory of 2824 3064 Ciaefa32.exe 33 PID 2824 wrote to memory of 3052 2824 Cmmagpef.exe 34 PID 2824 wrote to memory of 3052 2824 Cmmagpef.exe 34 PID 2824 wrote to memory of 3052 2824 Cmmagpef.exe 34 PID 2824 wrote to memory of 3052 2824 Cmmagpef.exe 34 PID 3052 wrote to memory of 2732 3052 Cehfkb32.exe 35 PID 3052 wrote to memory of 2732 3052 Cehfkb32.exe 35 PID 3052 wrote to memory of 2732 3052 Cehfkb32.exe 35 PID 3052 wrote to memory of 2732 3052 Cehfkb32.exe 35 PID 2732 wrote to memory of 2944 2732 Daofpchf.exe 36 PID 2732 wrote to memory of 2944 2732 Daofpchf.exe 36 PID 2732 wrote to memory of 2944 2732 Daofpchf.exe 36 PID 2732 wrote to memory of 2944 2732 Daofpchf.exe 36 PID 2944 wrote to memory of 876 2944 Dldkmlhl.exe 37 PID 2944 wrote to memory of 876 2944 Dldkmlhl.exe 37 PID 2944 wrote to memory of 876 2944 Dldkmlhl.exe 37 PID 2944 wrote to memory of 876 2944 Dldkmlhl.exe 37 PID 876 wrote to memory of 1032 876 Demofaol.exe 38 PID 876 wrote to memory of 1032 876 Demofaol.exe 38 PID 876 wrote to memory of 1032 876 Demofaol.exe 38 PID 876 wrote to memory of 1032 876 Demofaol.exe 38 PID 1032 wrote to memory of 3008 1032 Doecog32.exe 39 PID 1032 wrote to memory of 3008 1032 Doecog32.exe 39 PID 1032 wrote to memory of 3008 1032 Doecog32.exe 39 PID 1032 wrote to memory of 3008 1032 Doecog32.exe 39 PID 3008 wrote to memory of 2140 3008 Ddblgn32.exe 40 PID 3008 wrote to memory of 2140 3008 Ddblgn32.exe 40 PID 3008 wrote to memory of 2140 3008 Ddblgn32.exe 40 PID 3008 wrote to memory of 2140 3008 Ddblgn32.exe 40 PID 2140 wrote to memory of 2912 2140 Dmjqpdje.exe 41 PID 2140 wrote to memory of 2912 2140 Dmjqpdje.exe 41 PID 2140 wrote to memory of 2912 2140 Dmjqpdje.exe 41 PID 2140 wrote to memory of 2912 2140 Dmjqpdje.exe 41 PID 2912 wrote to memory of 2152 2912 Dhpemm32.exe 42 PID 2912 wrote to memory of 2152 2912 Dhpemm32.exe 42 PID 2912 wrote to memory of 2152 2912 Dhpemm32.exe 42 PID 2912 wrote to memory of 2152 2912 Dhpemm32.exe 42 PID 2152 wrote to memory of 1940 2152 Dmmmfc32.exe 43 PID 2152 wrote to memory of 1940 2152 Dmmmfc32.exe 43 PID 2152 wrote to memory of 1940 2152 Dmmmfc32.exe 43 PID 2152 wrote to memory of 1940 2152 Dmmmfc32.exe 43 PID 1940 wrote to memory of 2124 1940 Dgeaoinb.exe 44 PID 1940 wrote to memory of 2124 1940 Dgeaoinb.exe 44 PID 1940 wrote to memory of 2124 1940 Dgeaoinb.exe 44 PID 1940 wrote to memory of 2124 1940 Dgeaoinb.exe 44 PID 2124 wrote to memory of 2600 2124 Dkqnoh32.exe 45 PID 2124 wrote to memory of 2600 2124 Dkqnoh32.exe 45 PID 2124 wrote to memory of 2600 2124 Dkqnoh32.exe 45 PID 2124 wrote to memory of 2600 2124 Dkqnoh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe"C:\Users\Admin\AppData\Local\Temp\7dde0293152a15abf1369e8c0c0b8c87005d1ed48d6e36c49e934c84a9bd613aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:352 -
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe33⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe36⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe37⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe38⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe39⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe40⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe41⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe43⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe44⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe46⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe49⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe50⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe51⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe52⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe53⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe54⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe55⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe56⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe57⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe58⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe61⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe62⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe63⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe64⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe66⤵PID:1004
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe67⤵PID:1576
-
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe68⤵PID:2592
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe69⤵PID:1960
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe70⤵PID:2860
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe71⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe72⤵PID:1968
-
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe73⤵PID:1232
-
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe74⤵PID:2684
-
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe75⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe76⤵PID:2300
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe77⤵PID:2632
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe79⤵PID:1072
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe81⤵PID:1692
-
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe82⤵PID:2080
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe83⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe85⤵PID:2704
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe86⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe87⤵PID:3024
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe88⤵
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe89⤵PID:2764
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe90⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe91⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe92⤵PID:1432
-
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe93⤵PID:1464
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe94⤵PID:968
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe95⤵PID:2544
-
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe96⤵PID:2576
-
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe97⤵PID:2560
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe98⤵PID:2708
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe99⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe100⤵PID:2756
-
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe101⤵PID:2236
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe102⤵PID:1900
-
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe103⤵
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe105⤵PID:2464
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe106⤵PID:2492
-
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe107⤵PID:800
-
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe108⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe110⤵PID:884
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe111⤵PID:3004
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe112⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe113⤵PID:1624
-
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe114⤵PID:1920
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe115⤵PID:2192
-
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe116⤵PID:2368
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe117⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe118⤵PID:1796
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe119⤵PID:2284
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe120⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe121⤵PID:1204
-
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe122⤵PID:1452
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-