Analysis
-
max time kernel
51s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
11/11/2024, 12:45
Static task
static1
Behavioral task
behavioral1
Sample
ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe
Resource
win10v2004-20241007-en
General
-
Target
ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe
-
Size
89KB
-
MD5
9412967d7de4074e3df723684885601e
-
SHA1
998b9e2d9d762b0cfaa9806531ad95849f8e6314
-
SHA256
197f05069881ab4790655a53dd2aaf15007d2390c7b8739f85bc76efe8f1153c
-
SHA512
2da448a0488c1cc2bf27face39fa5c19e1719bf12c6ad184b1003d4d22d94d59e6b208ecac29437ea560938f3f7128111c7505d51de92eb222fa389388814677
-
SSDEEP
1536:IUvLvToQSqdJrY2puaSctttrretgAvwVZSPMuuOORQ7R+KRFR3RzR1URJrCiuiNy:IUvLvT7SqdJrYTaSmrr6gPSuOOe7jb5/
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgckjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcghof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbdgqimc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfcqgpfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnleiipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bekmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chnbcpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgkleabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbmlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbogfcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpqain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjglkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dogpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piqpkpml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfdnihk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fibcoalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olkifaen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpibn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlkmkpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihpdoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ledibnco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpgjepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hipmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qemldifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debplg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjdopeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnejbmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghmkjedk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcgnnlle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alihaioe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Conkepdq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eniclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eniclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajmijmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2972 Bilmcf32.exe 2964 Bbdallnd.exe 2936 Bfpnmj32.exe 2720 Bhdgjb32.exe 2712 Behgcf32.exe 584 Bjdplm32.exe 2872 Baadng32.exe 2200 Cfnmfn32.exe 1384 Cdanpb32.exe 1244 Cgpjlnhh.exe 1888 Clooiddm.exe 1816 Conkepdq.exe 2556 Cophko32.exe 1912 Dobdqo32.exe 2304 Dacnbjml.exe 372 Dognlnlf.exe 1892 Dknoaoaj.exe 900 Dnlkmkpn.exe 1520 Dlahng32.exe 2548 Egglkp32.exe 1644 Elcdcgcc.exe 1508 Egiiapci.exe 2144 Ejgemkbm.exe 2820 Ejjbbkpj.exe 2956 Elhnof32.exe 2696 Eknkpbdf.exe 2700 Edfpih32.exe 2444 Ehakigbo.exe 1036 Fjeefofk.exe 1948 Fcmiod32.exe 2708 Fjgalndh.exe 760 Femeig32.exe 2568 Fnejbmko.exe 2428 Fpffje32.exe 780 Fjlkgn32.exe 756 Fmjgcipg.exe 1348 Fafcdh32.exe 2288 Fcdopc32.exe 2512 Giahhj32.exe 2504 Glpdde32.exe 1400 Gcglec32.exe 1556 Gfehan32.exe 688 Gicdnj32.exe 2188 Gpnmjd32.exe 2608 Gnpmfqap.exe 1720 Gejebk32.exe 2772 Gppipc32.exe 1608 Gbnflo32.exe 2792 Gihniioc.exe 2716 Glgjednf.exe 2176 Gacbmk32.exe 480 Gdboig32.exe 808 Ghmkjedk.exe 2904 Gjlgfaco.exe 2476 Heakcjcd.exe 2068 Hfbhkb32.exe 1820 Hmmphlpp.exe 1516 Hpkldg32.exe 1032 Hhbdee32.exe 2256 Hicqmmfc.exe 2532 Hpmiig32.exe 2300 Hdiejfej.exe 984 Hjcmgp32.exe 944 Hldjnhce.exe -
Loads dropped DLL 64 IoCs
pid Process 2816 ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe 2816 ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe 2972 Bilmcf32.exe 2972 Bilmcf32.exe 2964 Bbdallnd.exe 2964 Bbdallnd.exe 2936 Bfpnmj32.exe 2936 Bfpnmj32.exe 2720 Bhdgjb32.exe 2720 Bhdgjb32.exe 2712 Behgcf32.exe 2712 Behgcf32.exe 584 Bjdplm32.exe 584 Bjdplm32.exe 2872 Baadng32.exe 2872 Baadng32.exe 2200 Cfnmfn32.exe 2200 Cfnmfn32.exe 1384 Cdanpb32.exe 1384 Cdanpb32.exe 1244 Cgpjlnhh.exe 1244 Cgpjlnhh.exe 1888 Clooiddm.exe 1888 Clooiddm.exe 1816 Conkepdq.exe 1816 Conkepdq.exe 2556 Cophko32.exe 2556 Cophko32.exe 1912 Dobdqo32.exe 1912 Dobdqo32.exe 2304 Dacnbjml.exe 2304 Dacnbjml.exe 372 Dognlnlf.exe 372 Dognlnlf.exe 1892 Dknoaoaj.exe 1892 Dknoaoaj.exe 900 Dnlkmkpn.exe 900 Dnlkmkpn.exe 1520 Dlahng32.exe 1520 Dlahng32.exe 2548 Egglkp32.exe 2548 Egglkp32.exe 1644 Elcdcgcc.exe 1644 Elcdcgcc.exe 1508 Egiiapci.exe 1508 Egiiapci.exe 2144 Ejgemkbm.exe 2144 Ejgemkbm.exe 2820 Ejjbbkpj.exe 2820 Ejjbbkpj.exe 2956 Elhnof32.exe 2956 Elhnof32.exe 2696 Eknkpbdf.exe 2696 Eknkpbdf.exe 2700 Edfpih32.exe 2700 Edfpih32.exe 2444 Ehakigbo.exe 2444 Ehakigbo.exe 1036 Fjeefofk.exe 1036 Fjeefofk.exe 1948 Fcmiod32.exe 1948 Fcmiod32.exe 2708 Fjgalndh.exe 2708 Fjgalndh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kikpibof.dll Befmfpbi.exe File created C:\Windows\SysWOW64\Pmpbdm32.exe Pgfjhcge.exe File created C:\Windows\SysWOW64\Iogoec32.exe Heokmmgb.exe File created C:\Windows\SysWOW64\Ppdlmc32.dll Ldoimh32.exe File created C:\Windows\SysWOW64\Ekomolag.dll Pnjofo32.exe File opened for modification C:\Windows\SysWOW64\Cgidfcdk.exe Process not Found File created C:\Windows\SysWOW64\Dijdkh32.dll Process not Found File created C:\Windows\SysWOW64\Ljacemio.dll Bjdplm32.exe File created C:\Windows\SysWOW64\Chnbcpmn.exe Chnbcpmn.exe File created C:\Windows\SysWOW64\Eihhlp32.dll Ommfga32.exe File created C:\Windows\SysWOW64\Iphhqinm.dll Bbmapj32.exe File created C:\Windows\SysWOW64\Aihfap32.exe Ackmih32.exe File created C:\Windows\SysWOW64\Phbeeddm.dll Hlgimqhf.exe File opened for modification C:\Windows\SysWOW64\Qejpoi32.exe Paocnkph.exe File opened for modification C:\Windows\SysWOW64\Bbhccm32.exe Process not Found File created C:\Windows\SysWOW64\Jibnop32.exe Process not Found File created C:\Windows\SysWOW64\Hhioeeeo.dll Dcfpel32.exe File created C:\Windows\SysWOW64\Bfomkg32.dll Iabhah32.exe File opened for modification C:\Windows\SysWOW64\Cbppnbhm.exe Bkegah32.exe File created C:\Windows\SysWOW64\Qnhhline.dll Hjlbdc32.exe File opened for modification C:\Windows\SysWOW64\Kofcbl32.exe Klhgfq32.exe File opened for modification C:\Windows\SysWOW64\Efhqmadd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njpgpbpf.exe Nhakcfab.exe File created C:\Windows\SysWOW64\Fkhabhbn.dll Bnihdemo.exe File opened for modification C:\Windows\SysWOW64\Iphecepe.exe Imiigiab.exe File created C:\Windows\SysWOW64\Bjoaognb.dll Ggagmjbq.exe File opened for modification C:\Windows\SysWOW64\Liminmmk.exe Lbcpac32.exe File created C:\Windows\SysWOW64\Qdnpmb32.dll Ifampo32.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kkjnnn32.exe File created C:\Windows\SysWOW64\Mfnnbf32.dll Fcphnm32.exe File created C:\Windows\SysWOW64\Bnjdhe32.dll Bigkel32.exe File created C:\Windows\SysWOW64\Onejdijo.dll Ddiibc32.exe File created C:\Windows\SysWOW64\Idfaqoma.dll Iigpli32.exe File created C:\Windows\SysWOW64\Pnbojmmp.exe Pghfnc32.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Qlgkki32.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Bchfhfeh.exe File created C:\Windows\SysWOW64\Jngafd32.dll Fcbecl32.exe File created C:\Windows\SysWOW64\Jpgjgboe.exe Jmhnkfpa.exe File created C:\Windows\SysWOW64\Pdddkijo.dll Aoohekal.exe File created C:\Windows\SysWOW64\Bgllgedi.exe Adnpkjde.exe File created C:\Windows\SysWOW64\Eapfagno.exe Ekfndmfb.exe File opened for modification C:\Windows\SysWOW64\Ibejdjln.exe Ijnbcmkk.exe File created C:\Windows\SysWOW64\Fccglehn.exe Process not Found File created C:\Windows\SysWOW64\Jgjkfi32.exe Process not Found File created C:\Windows\SysWOW64\Npjlhcmd.exe Nmkplgnq.exe File created C:\Windows\SysWOW64\Cmpppdfa.dll Kokmmkcm.exe File created C:\Windows\SysWOW64\Oajndh32.exe Opialpld.exe File created C:\Windows\SysWOW64\Bmmhbd32.dll Qnebjc32.exe File created C:\Windows\SysWOW64\Dgnjacmq.dll Akqpom32.exe File created C:\Windows\SysWOW64\Bpqain32.exe Bmbemb32.exe File created C:\Windows\SysWOW64\Qpebakpc.dll Cfhiplmp.exe File opened for modification C:\Windows\SysWOW64\Mkndhabp.exe Lddlkg32.exe File created C:\Windows\SysWOW64\Ghcmae32.dll Process not Found File created C:\Windows\SysWOW64\Jkbaci32.exe Jhdegn32.exe File opened for modification C:\Windows\SysWOW64\Bfoeil32.exe Process not Found File created C:\Windows\SysWOW64\Oniefifl.dll Bjoofhgc.exe File opened for modification C:\Windows\SysWOW64\Cojhejbh.exe Cllkin32.exe File created C:\Windows\SysWOW64\Gfkkpmko.exe Gcmoda32.exe File opened for modification C:\Windows\SysWOW64\Mloiec32.exe Mfeaiime.exe File opened for modification C:\Windows\SysWOW64\Jglgpdcc.exe Ipbocjlg.exe File created C:\Windows\SysWOW64\Lpfhgcpi.dll Nocpkf32.exe File created C:\Windows\SysWOW64\Nmldop32.dll Neqnqofm.exe File created C:\Windows\SysWOW64\Eaphjp32.exe Eoblnd32.exe File opened for modification C:\Windows\SysWOW64\Jhlmmfef.exe Jenpajfb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3144 4372 Process not Found 1227 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpmfqap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioooiack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plijimee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmbqegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heokmmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfebambf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpgdhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcpac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepfgdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cophko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgpmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibipmiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhmofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfehan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcahoqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmdgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caidaeak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddaemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqnhadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjmcpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikifegp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaapcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgodl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibcba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eniclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medeaaej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogqaehak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejmfqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjcic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nblpfepo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddiibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knekla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpobo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ledibnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegime32.dll" Ohojmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmhahkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jniefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fadndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfncnjoi.dll" Gmeeepjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknodfcm.dll" Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjmglpp.dll" Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gplaplgi.dll" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npijoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqkobqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmffciep.dll" Bgibnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodahqi.dll" Ohiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnbbqbd.dll" Hihjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leghmkmk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehakigbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majdmi32.dll" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mflgih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mabphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jbhcim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkcfefdg.dll" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imlmlm32.dll" Nenakoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lddlkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Khohkamc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfmmcec.dll" Fdekgjno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" Bbdallnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjmho32.dll" Heokmmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcale32.dll" Pmdmmalf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Felajbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpncfcch.dll" Helngnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbeeddm.dll" Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfplhjm.dll" Jpigma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pafbadcm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2816 wrote to memory of 2972 2816 ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe 30 PID 2816 wrote to memory of 2972 2816 ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe 30 PID 2816 wrote to memory of 2972 2816 ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe 30 PID 2816 wrote to memory of 2972 2816 ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe 30 PID 2972 wrote to memory of 2964 2972 Bilmcf32.exe 31 PID 2972 wrote to memory of 2964 2972 Bilmcf32.exe 31 PID 2972 wrote to memory of 2964 2972 Bilmcf32.exe 31 PID 2972 wrote to memory of 2964 2972 Bilmcf32.exe 31 PID 2964 wrote to memory of 2936 2964 Bbdallnd.exe 32 PID 2964 wrote to memory of 2936 2964 Bbdallnd.exe 32 PID 2964 wrote to memory of 2936 2964 Bbdallnd.exe 32 PID 2964 wrote to memory of 2936 2964 Bbdallnd.exe 32 PID 2936 wrote to memory of 2720 2936 Bfpnmj32.exe 33 PID 2936 wrote to memory of 2720 2936 Bfpnmj32.exe 33 PID 2936 wrote to memory of 2720 2936 Bfpnmj32.exe 33 PID 2936 wrote to memory of 2720 2936 Bfpnmj32.exe 33 PID 2720 wrote to memory of 2712 2720 Bhdgjb32.exe 34 PID 2720 wrote to memory of 2712 2720 Bhdgjb32.exe 34 PID 2720 wrote to memory of 2712 2720 Bhdgjb32.exe 34 PID 2720 wrote to memory of 2712 2720 Bhdgjb32.exe 34 PID 2712 wrote to memory of 584 2712 Behgcf32.exe 35 PID 2712 wrote to memory of 584 2712 Behgcf32.exe 35 PID 2712 wrote to memory of 584 2712 Behgcf32.exe 35 PID 2712 wrote to memory of 584 2712 Behgcf32.exe 35 PID 584 wrote to memory of 2872 584 Bjdplm32.exe 36 PID 584 wrote to memory of 2872 584 Bjdplm32.exe 36 PID 584 wrote to memory of 2872 584 Bjdplm32.exe 36 PID 584 wrote to memory of 2872 584 Bjdplm32.exe 36 PID 2872 wrote to memory of 2200 2872 Baadng32.exe 37 PID 2872 wrote to memory of 2200 2872 Baadng32.exe 37 PID 2872 wrote to memory of 2200 2872 Baadng32.exe 37 PID 2872 wrote to memory of 2200 2872 Baadng32.exe 37 PID 2200 wrote to memory of 1384 2200 Cfnmfn32.exe 38 PID 2200 wrote to memory of 1384 2200 Cfnmfn32.exe 38 PID 2200 wrote to memory of 1384 2200 Cfnmfn32.exe 38 PID 2200 wrote to memory of 1384 2200 Cfnmfn32.exe 38 PID 1384 wrote to memory of 1244 1384 Cdanpb32.exe 39 PID 1384 wrote to memory of 1244 1384 Cdanpb32.exe 39 PID 1384 wrote to memory of 1244 1384 Cdanpb32.exe 39 PID 1384 wrote to memory of 1244 1384 Cdanpb32.exe 39 PID 1244 wrote to memory of 1888 1244 Cgpjlnhh.exe 40 PID 1244 wrote to memory of 1888 1244 Cgpjlnhh.exe 40 PID 1244 wrote to memory of 1888 1244 Cgpjlnhh.exe 40 PID 1244 wrote to memory of 1888 1244 Cgpjlnhh.exe 40 PID 1888 wrote to memory of 1816 1888 Clooiddm.exe 41 PID 1888 wrote to memory of 1816 1888 Clooiddm.exe 41 PID 1888 wrote to memory of 1816 1888 Clooiddm.exe 41 PID 1888 wrote to memory of 1816 1888 Clooiddm.exe 41 PID 1816 wrote to memory of 2556 1816 Conkepdq.exe 42 PID 1816 wrote to memory of 2556 1816 Conkepdq.exe 42 PID 1816 wrote to memory of 2556 1816 Conkepdq.exe 42 PID 1816 wrote to memory of 2556 1816 Conkepdq.exe 42 PID 2556 wrote to memory of 1912 2556 Cophko32.exe 43 PID 2556 wrote to memory of 1912 2556 Cophko32.exe 43 PID 2556 wrote to memory of 1912 2556 Cophko32.exe 43 PID 2556 wrote to memory of 1912 2556 Cophko32.exe 43 PID 1912 wrote to memory of 2304 1912 Dobdqo32.exe 44 PID 1912 wrote to memory of 2304 1912 Dobdqo32.exe 44 PID 1912 wrote to memory of 2304 1912 Dobdqo32.exe 44 PID 1912 wrote to memory of 2304 1912 Dobdqo32.exe 44 PID 2304 wrote to memory of 372 2304 Dacnbjml.exe 45 PID 2304 wrote to memory of 372 2304 Dacnbjml.exe 45 PID 2304 wrote to memory of 372 2304 Dacnbjml.exe 45 PID 2304 wrote to memory of 372 2304 Dacnbjml.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe"C:\Users\Admin\AppData\Local\Temp\ff194e4b816d34718db1bb76b4c08489632e10ce616468ea017ac0dfff89cf8dN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:372 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe33⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe35⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe36⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe37⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe38⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe39⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe40⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe41⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe42⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe44⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe45⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe47⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe48⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe49⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe50⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe51⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe52⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe53⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe55⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe56⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe57⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe58⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe59⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe60⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe61⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe62⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe63⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe64⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe65⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe66⤵PID:2604
-
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe67⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe68⤵
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe69⤵PID:2592
-
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe70⤵PID:2016
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe72⤵PID:2976
-
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe73⤵PID:2156
-
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe75⤵PID:536
-
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe76⤵PID:836
-
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe77⤵PID:1676
-
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe78⤵PID:2220
-
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe79⤵PID:2032
-
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe80⤵PID:664
-
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe81⤵PID:400
-
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe82⤵PID:2452
-
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe83⤵PID:1060
-
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe84⤵PID:2624
-
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe85⤵PID:1864
-
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe86⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe87⤵PID:2004
-
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe88⤵PID:1724
-
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe89⤵PID:2752
-
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe90⤵PID:2980
-
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe91⤵PID:2724
-
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe92⤵PID:696
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe94⤵PID:2448
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe95⤵PID:2764
-
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe96⤵PID:1920
-
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe97⤵PID:1852
-
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe98⤵PID:2500
-
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe99⤵PID:1040
-
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe100⤵PID:2196
-
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe101⤵PID:1544
-
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe102⤵PID:2324
-
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe103⤵PID:2388
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe104⤵PID:1860
-
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe106⤵PID:2392
-
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe107⤵PID:1364
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe108⤵PID:3068
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe109⤵PID:316
-
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe110⤵PID:1960
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe112⤵PID:1808
-
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe113⤵PID:1064
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe114⤵PID:1764
-
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe115⤵PID:3052
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe116⤵PID:2912
-
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe117⤵PID:1572
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe118⤵PID:2940
-
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe119⤵PID:2064
-
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe121⤵PID:1908
-
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe122⤵PID:1344
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-