Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/11/2024, 14:09
Static task
static1
Behavioral task
behavioral1
Sample
26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe
Resource
win10v2004-20241007-en
General
-
Target
26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe
-
Size
280KB
-
MD5
fe52cfcb5f1b15eac6d8a867e2aaaa80
-
SHA1
77135c4673753d5a37fa4879686eb0cc26dd3f44
-
SHA256
26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653
-
SHA512
0abe31ed5f6cd8b499d9f9320ab24ba06169d654f4e239622e90b988bba5548799a4c269b4f14f6298391e1c075396100d0c302de68afcea8df7cf25629b0a00
-
SSDEEP
6144:r2nPRKkV0n9i/GOORjMmRUoooooooooooooooooooooooooy/G3:Cm9i//OVLCooooooooooooooooooooo9
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccnifd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgnhkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichmgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opglafab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjklenpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhoklnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpcokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjaeba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcnahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joggci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmgjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiioin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnmiag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcknhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apmcefmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaecod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eheglk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhleh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikfdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadcipbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdcfoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honnki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbagipfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhdaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoblnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agihgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghmmilh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2652 Lbfook32.exe 2464 Lgchgb32.exe 2676 Mcjhmcok.exe 2724 Mqnifg32.exe 2688 Mqpflg32.exe 2744 Mgjnhaco.exe 2636 Mmicfh32.exe 2616 Nfahomfd.exe 2880 Nbhhdnlh.exe 2820 Ngealejo.exe 2316 Nbjeinje.exe 1976 Nlefhcnc.exe 1760 Nenkqi32.exe 2380 Njjcip32.exe 992 Opglafab.exe 1600 Obhdcanc.exe 1768 Objaha32.exe 988 Olbfagca.exe 1856 Oekjjl32.exe 580 Olebgfao.exe 2392 Obokcqhk.exe 2160 Plgolf32.exe 760 Pbagipfi.exe 3040 Pohhna32.exe 2488 Pafdjmkq.exe 2500 Phqmgg32.exe 2656 Pmmeon32.exe 2788 Pkaehb32.exe 2884 Pcljmdmj.exe 1708 Pleofj32.exe 2596 Qgjccb32.exe 2192 Qndkpmkm.exe 2284 Qpbglhjq.exe 1776 Qjklenpa.exe 536 Alihaioe.exe 2372 Aebmjo32.exe 1332 Ahpifj32.exe 2932 Acfmcc32.exe 916 Afdiondb.exe 1156 Aomnhd32.exe 2452 Aakjdo32.exe 776 Alqnah32.exe 1752 Abmgjo32.exe 1660 Aficjnpm.exe 3068 Ahgofi32.exe 900 Abpcooea.exe 1756 Bhjlli32.exe 2268 Bjkhdacm.exe 2888 Bbbpenco.exe 1584 Bdqlajbb.exe 2860 Bjmeiq32.exe 3004 Bqgmfkhg.exe 1932 Bgaebe32.exe 2648 Bjpaop32.exe 1136 Bmnnkl32.exe 2972 Boljgg32.exe 2008 Bgcbhd32.exe 2040 Bjbndpmd.exe 2412 Bieopm32.exe 1620 Bqlfaj32.exe 1576 Boogmgkl.exe 848 Bbmcibjp.exe 1088 Bjdkjpkb.exe 1788 Bmbgfkje.exe -
Loads dropped DLL 64 IoCs
pid Process 2460 26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe 2460 26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe 2652 Lbfook32.exe 2652 Lbfook32.exe 2464 Lgchgb32.exe 2464 Lgchgb32.exe 2676 Mcjhmcok.exe 2676 Mcjhmcok.exe 2724 Mqnifg32.exe 2724 Mqnifg32.exe 2688 Mqpflg32.exe 2688 Mqpflg32.exe 2744 Mgjnhaco.exe 2744 Mgjnhaco.exe 2636 Mmicfh32.exe 2636 Mmicfh32.exe 2616 Nfahomfd.exe 2616 Nfahomfd.exe 2880 Nbhhdnlh.exe 2880 Nbhhdnlh.exe 2820 Ngealejo.exe 2820 Ngealejo.exe 2316 Nbjeinje.exe 2316 Nbjeinje.exe 1976 Nlefhcnc.exe 1976 Nlefhcnc.exe 1760 Nenkqi32.exe 1760 Nenkqi32.exe 2380 Njjcip32.exe 2380 Njjcip32.exe 992 Opglafab.exe 992 Opglafab.exe 1600 Obhdcanc.exe 1600 Obhdcanc.exe 1768 Objaha32.exe 1768 Objaha32.exe 988 Olbfagca.exe 988 Olbfagca.exe 1856 Oekjjl32.exe 1856 Oekjjl32.exe 580 Olebgfao.exe 580 Olebgfao.exe 2392 Obokcqhk.exe 2392 Obokcqhk.exe 2160 Plgolf32.exe 2160 Plgolf32.exe 760 Pbagipfi.exe 760 Pbagipfi.exe 3040 Pohhna32.exe 3040 Pohhna32.exe 2488 Pafdjmkq.exe 2488 Pafdjmkq.exe 2500 Phqmgg32.exe 2500 Phqmgg32.exe 2656 Pmmeon32.exe 2656 Pmmeon32.exe 2788 Pkaehb32.exe 2788 Pkaehb32.exe 2884 Pcljmdmj.exe 2884 Pcljmdmj.exe 1708 Pleofj32.exe 1708 Pleofj32.exe 2596 Qgjccb32.exe 2596 Qgjccb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pgejcl32.dll Hgqlafap.exe File opened for modification C:\Windows\SysWOW64\Ikgkei32.exe Hiioin32.exe File created C:\Windows\SysWOW64\Henjfpgi.dll Mqnifg32.exe File created C:\Windows\SysWOW64\Bdqlajbb.exe Bbbpenco.exe File created C:\Windows\SysWOW64\Gcofmo32.dll Hbnmienj.exe File created C:\Windows\SysWOW64\Ekdledbi.dll Jdhifooi.exe File created C:\Windows\SysWOW64\Aligmfnp.dll Apmcefmf.exe File opened for modification C:\Windows\SysWOW64\Bkegah32.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Djlfma32.exe File opened for modification C:\Windows\SysWOW64\Imggplgm.exe Ifmocb32.exe File opened for modification C:\Windows\SysWOW64\Ifolhann.exe Inhdgdmk.exe File created C:\Windows\SysWOW64\Mnpkephg.dll Jipaip32.exe File created C:\Windows\SysWOW64\Gconbj32.exe Gqaafn32.exe File opened for modification C:\Windows\SysWOW64\Gecpnp32.exe Gcedad32.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jlnmel32.exe File opened for modification C:\Windows\SysWOW64\Mcjhmcok.exe Lgchgb32.exe File opened for modification C:\Windows\SysWOW64\Famaimfe.exe Fmaeho32.exe File created C:\Windows\SysWOW64\Gcjmmdbf.exe Glpepj32.exe File opened for modification C:\Windows\SysWOW64\Hfjbmb32.exe Hclfag32.exe File opened for modification C:\Windows\SysWOW64\Phqmgg32.exe Pafdjmkq.exe File created C:\Windows\SysWOW64\Gbmhafee.dll Inmmbc32.exe File created C:\Windows\SysWOW64\Nbklpemb.dll Oekjjl32.exe File created C:\Windows\SysWOW64\Pkkkap32.dll Mjqmig32.exe File created C:\Windows\SysWOW64\Fjhqaemi.dll Mgmdapml.exe File opened for modification C:\Windows\SysWOW64\Qiflohqk.exe Paocnkph.exe File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe Kpieengb.exe File opened for modification C:\Windows\SysWOW64\Nqhepeai.exe Nkkmgncb.exe File created C:\Windows\SysWOW64\Gefcmp32.dll Paocnkph.exe File created C:\Windows\SysWOW64\Mflcaaja.dll Lnjldf32.exe File opened for modification C:\Windows\SysWOW64\Agihgp32.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Faibdo32.dll Hmmdin32.exe File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe Mgjnhaco.exe File opened for modification C:\Windows\SysWOW64\Bieopm32.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Lalcbnjb.dll Eeiheo32.exe File created C:\Windows\SysWOW64\Fnmfkmah.dll Hbkqdepm.exe File opened for modification C:\Windows\SysWOW64\Kilgoe32.exe Kgnkci32.exe File created C:\Windows\SysWOW64\Ikbilijo.dll Jpgmpk32.exe File created C:\Windows\SysWOW64\Plgolf32.exe Obokcqhk.exe File created C:\Windows\SysWOW64\Fgfdie32.exe Foolgh32.exe File created C:\Windows\SysWOW64\Hqmkfaia.dll Glnhjjml.exe File created C:\Windows\SysWOW64\Nqhepeai.exe Nkkmgncb.exe File opened for modification C:\Windows\SysWOW64\Cmkfji32.exe Cjljnn32.exe File opened for modification C:\Windows\SysWOW64\Mqnifg32.exe Mcjhmcok.exe File opened for modification C:\Windows\SysWOW64\Ahpifj32.exe Aebmjo32.exe File opened for modification C:\Windows\SysWOW64\Afdiondb.exe Acfmcc32.exe File created C:\Windows\SysWOW64\Kfpkcm32.dll Dpjbgh32.exe File created C:\Windows\SysWOW64\Ghndpi32.dll Jijokbfp.exe File created C:\Windows\SysWOW64\Boljgg32.exe Bmnnkl32.exe File created C:\Windows\SysWOW64\Ibeghl32.dll Kpafapbk.exe File created C:\Windows\SysWOW64\Nmabjfek.exe Ngdjaofc.exe File created C:\Windows\SysWOW64\Feachqgb.exe Fdpgph32.exe File opened for modification C:\Windows\SysWOW64\Bjdkjpkb.exe Bbmcibjp.exe File created C:\Windows\SysWOW64\Ajaclncd.dll Ciihklpj.exe File opened for modification C:\Windows\SysWOW64\Dmepkn32.exe Djfdob32.exe File created C:\Windows\SysWOW64\Gmeeepjp.exe Gghmmilh.exe File created C:\Windows\SysWOW64\Nijjkf32.dll Ofqmcj32.exe File created C:\Windows\SysWOW64\Eqpkfe32.dll Hqgddm32.exe File created C:\Windows\SysWOW64\Fhgpia32.dll Cpfmmf32.exe File opened for modification C:\Windows\SysWOW64\Momfan32.exe Mloiec32.exe File created C:\Windows\SysWOW64\Cmppehkh.exe Cidddj32.exe File created C:\Windows\SysWOW64\Gacdld32.dll Fpbnjjkm.exe File opened for modification C:\Windows\SysWOW64\Jnofgg32.exe Jlqjkk32.exe File created C:\Windows\SysWOW64\Ceebklai.exe Caifjn32.exe File created C:\Windows\SysWOW64\Nkajkp32.dll Eheglk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5732 5708 WerFault.exe 475 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhdaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgfdie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgicg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajmjcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlfjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmppehkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqgddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlbdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfjjdjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djlfma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieibdnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbmkan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oniebmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpdglhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpghl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgioakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iichjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkelolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfkba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgngbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mloiec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihmpinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnnab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcqlkjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakdcnhh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngdjaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfbap32.dll" Dbabho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnfkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjkhdacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eipgjaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aibijk32.dll" Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiflpof.dll" Hiioin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmijfmfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiepea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdompf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbabho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeomfi32.dll" Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibigbjj.dll" Adaiee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" Jjjdhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jefbnacn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjiflem.dll" Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqbajfj.dll" Ikldqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpafapbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lonibk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Difqji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbdjcffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddblcik.dll" Ccgklc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoblnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bmbgfkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heliepmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeagimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpkfe32.dll" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklpemb.dll" Oekjjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeghl32.dll" Kpafapbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnochnpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnnhngjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaegpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piliii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll" Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamkdghb.dll" Kalipcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgfmi32.dll" Qdompf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjmif32.dll" Aklabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmnkd32.dll" Eihjolae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iocgfhhc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2460 wrote to memory of 2652 2460 26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe 31 PID 2460 wrote to memory of 2652 2460 26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe 31 PID 2460 wrote to memory of 2652 2460 26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe 31 PID 2460 wrote to memory of 2652 2460 26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe 31 PID 2652 wrote to memory of 2464 2652 Lbfook32.exe 32 PID 2652 wrote to memory of 2464 2652 Lbfook32.exe 32 PID 2652 wrote to memory of 2464 2652 Lbfook32.exe 32 PID 2652 wrote to memory of 2464 2652 Lbfook32.exe 32 PID 2464 wrote to memory of 2676 2464 Lgchgb32.exe 33 PID 2464 wrote to memory of 2676 2464 Lgchgb32.exe 33 PID 2464 wrote to memory of 2676 2464 Lgchgb32.exe 33 PID 2464 wrote to memory of 2676 2464 Lgchgb32.exe 33 PID 2676 wrote to memory of 2724 2676 Mcjhmcok.exe 34 PID 2676 wrote to memory of 2724 2676 Mcjhmcok.exe 34 PID 2676 wrote to memory of 2724 2676 Mcjhmcok.exe 34 PID 2676 wrote to memory of 2724 2676 Mcjhmcok.exe 34 PID 2724 wrote to memory of 2688 2724 Mqnifg32.exe 35 PID 2724 wrote to memory of 2688 2724 Mqnifg32.exe 35 PID 2724 wrote to memory of 2688 2724 Mqnifg32.exe 35 PID 2724 wrote to memory of 2688 2724 Mqnifg32.exe 35 PID 2688 wrote to memory of 2744 2688 Mqpflg32.exe 36 PID 2688 wrote to memory of 2744 2688 Mqpflg32.exe 36 PID 2688 wrote to memory of 2744 2688 Mqpflg32.exe 36 PID 2688 wrote to memory of 2744 2688 Mqpflg32.exe 36 PID 2744 wrote to memory of 2636 2744 Mgjnhaco.exe 37 PID 2744 wrote to memory of 2636 2744 Mgjnhaco.exe 37 PID 2744 wrote to memory of 2636 2744 Mgjnhaco.exe 37 PID 2744 wrote to memory of 2636 2744 Mgjnhaco.exe 37 PID 2636 wrote to memory of 2616 2636 Mmicfh32.exe 38 PID 2636 wrote to memory of 2616 2636 Mmicfh32.exe 38 PID 2636 wrote to memory of 2616 2636 Mmicfh32.exe 38 PID 2636 wrote to memory of 2616 2636 Mmicfh32.exe 38 PID 2616 wrote to memory of 2880 2616 Nfahomfd.exe 39 PID 2616 wrote to memory of 2880 2616 Nfahomfd.exe 39 PID 2616 wrote to memory of 2880 2616 Nfahomfd.exe 39 PID 2616 wrote to memory of 2880 2616 Nfahomfd.exe 39 PID 2880 wrote to memory of 2820 2880 Nbhhdnlh.exe 40 PID 2880 wrote to memory of 2820 2880 Nbhhdnlh.exe 40 PID 2880 wrote to memory of 2820 2880 Nbhhdnlh.exe 40 PID 2880 wrote to memory of 2820 2880 Nbhhdnlh.exe 40 PID 2820 wrote to memory of 2316 2820 Ngealejo.exe 41 PID 2820 wrote to memory of 2316 2820 Ngealejo.exe 41 PID 2820 wrote to memory of 2316 2820 Ngealejo.exe 41 PID 2820 wrote to memory of 2316 2820 Ngealejo.exe 41 PID 2316 wrote to memory of 1976 2316 Nbjeinje.exe 42 PID 2316 wrote to memory of 1976 2316 Nbjeinje.exe 42 PID 2316 wrote to memory of 1976 2316 Nbjeinje.exe 42 PID 2316 wrote to memory of 1976 2316 Nbjeinje.exe 42 PID 1976 wrote to memory of 1760 1976 Nlefhcnc.exe 43 PID 1976 wrote to memory of 1760 1976 Nlefhcnc.exe 43 PID 1976 wrote to memory of 1760 1976 Nlefhcnc.exe 43 PID 1976 wrote to memory of 1760 1976 Nlefhcnc.exe 43 PID 1760 wrote to memory of 2380 1760 Nenkqi32.exe 44 PID 1760 wrote to memory of 2380 1760 Nenkqi32.exe 44 PID 1760 wrote to memory of 2380 1760 Nenkqi32.exe 44 PID 1760 wrote to memory of 2380 1760 Nenkqi32.exe 44 PID 2380 wrote to memory of 992 2380 Njjcip32.exe 45 PID 2380 wrote to memory of 992 2380 Njjcip32.exe 45 PID 2380 wrote to memory of 992 2380 Njjcip32.exe 45 PID 2380 wrote to memory of 992 2380 Njjcip32.exe 45 PID 992 wrote to memory of 1600 992 Opglafab.exe 46 PID 992 wrote to memory of 1600 992 Opglafab.exe 46 PID 992 wrote to memory of 1600 992 Opglafab.exe 46 PID 992 wrote to memory of 1600 992 Opglafab.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe"C:\Users\Admin\AppData\Local\Temp\26fe916bbc5e8ceff93b2ed5aea5e008db81adc49d25361ded9bde9ada420653.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe36⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe40⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Aomnhd32.exeC:\Windows\system32\Aomnhd32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe43⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe45⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe51⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe52⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe53⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe54⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe55⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe57⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe58⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe62⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Bbmcibjp.exeC:\Windows\system32\Bbmcibjp.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe64⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe66⤵PID:1188
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:328 -
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe68⤵PID:1808
-
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe69⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe70⤵PID:2852
-
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe71⤵PID:2608
-
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe72⤵PID:2628
-
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe73⤵PID:1032
-
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe74⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe76⤵PID:2868
-
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe77⤵PID:2928
-
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe78⤵PID:2968
-
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe79⤵
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe80⤵
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe81⤵PID:1528
-
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe83⤵PID:612
-
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe84⤵PID:2060
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe87⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe88⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe89⤵PID:2988
-
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe90⤵PID:2816
-
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe91⤵PID:1292
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe92⤵PID:2924
-
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe93⤵PID:2424
-
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe94⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe95⤵PID:1312
-
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe96⤵PID:2476
-
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe98⤵PID:2764
-
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe99⤵PID:2784
-
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe101⤵PID:1512
-
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe102⤵PID:920
-
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe103⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe105⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe107⤵PID:2232
-
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe108⤵PID:2124
-
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe109⤵PID:600
-
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe110⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe111⤵PID:3016
-
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe112⤵PID:2836
-
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe113⤵PID:820
-
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe114⤵PID:2896
-
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe115⤵PID:588
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe116⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe117⤵PID:1908
-
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe118⤵PID:1284
-
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe119⤵PID:1688
-
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe120⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe122⤵
- Modifies registry class
PID:2572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-