Analysis

max time kernel: 150s
max time network: 20s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2024 04:09

Static task: static1

Behavioral task: behavioral1
  Sample: d68efcc0f141020b14008dcb17cd6d7f1ad20c59197c57ef56649c16ff301a71.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: d68efcc0f141020b14008dcb17cd6d7f1ad20c59197c57ef56649c16ff301a71.exe
  Resource: win10v2004-20241007-en

General

Target: d68efcc0f141020b14008dcb17cd6d7f1ad20c59197c57ef56649c16ff301a71.exe
Size: 74KB
MD5: 0966c62a9d4ae2db7347cb487fdda973
SHA1: 53e6d266a5ab1ea39d72dba451766442607c318d
SHA256: d68efcc0f141020b14008dcb17cd6d7f1ad20c59197c57ef56649c16ff301a71
SHA512: 415f071991066174b907ee55575090d04252404d25a814aced4abb2c89045fb7a9862648e00d391baaeaee2c7a42ea8fa6c01f7823508552c3fb276d3ef3c04f
SSDEEP: 1536:dQAhDmLCyiYZi2o4NdqOAngwmJGRF6ZOJhTIpIAo:uuDmLhi8i2ourZwmJGRF/TEVo
Malware Config

Extracted family: berbew
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

The host is recorded as "f" in the extracted config, and the third URL is a printf-style template that the sample fills in at runtime, so network detections should key on the path components (wcmd.htm, ppslog.php, piplog.php) rather than on the literal strings.
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

The sample registers a COM object under ShellServiceObjectDelayLoad (SSODL). Explorer.exe instantiates every CLSID listed there at logon, so the DLL that the CLSID's InProcServer32 key names (see "Modifies registry class" below) is loaded without a Run key or service. The Wow6432Node paths show the 32-bit sample running on the 64-bit image. Only two distinct registry operations occur; the dropped copies repeat them:

  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"

Processes attributed to "Set value (str)" (18 entries): Ieaekdkn.exe, Fdcahdib.exe, Lncjhd32.exe, Fkdoii32.exe, Bgfdjfkh.exe, Mhgbpb32.exe, Aedghf32.exe, Pfpflenm.exe, Dcdlpklh.exe, Bhdmahpn.exe, Ebghkjjc.exe, Olokighn.exe, Ooianpif.exe, Bocfch32.exe, Flmglfhk.exe, Annpaq32.exe, Qcdinbdk.exe, Hkkcbdhc.exe

Processes attributed to "Key created" (23 entries): Neohbe32.exe, Mnefpq32.exe, Loofjg32.exe, Emkfmioh.exe, Kphbmp32.exe, Dpenkgfq.exe, Opfdim32.exe, Aomghchl.exe, Pjdjbl32.exe, Bgcdcjpf.exe, Ojilqf32.exe, Jpfcohfk.exe, Enpoje32.exe, Jedlph32.exe, Nnboonmb.exe, Nppceo32.exe, Jekaeb32.exe, Ilcfjkgj.exe, Bnkpjd32.exe, Obopobhe.exe, Dabicikf.exe, Ngajeg32.exe, Bjcnoe32.exe

The remaining 23 entries (11 "Set value", 12 "Key created") carry no process attribution in the report.

Berbew family
Executes dropped EXE (64 IoCs)

Each stage writes the next one into C:\Windows\SysWOW64 and launches it (the file table below shows the link Oolelj32.exe -> Pkcfak32.exe -> Pamnnemo.exe). The report lists the first 64 stages as PID and image name, in this order:

2456 Koejqi32.exe, 2972 Lojclibo.exe, 2740 Lnopmegg.exe, 3036 Ljeabf32.exe, 2936 Lncjhd32.exe, 2320 Mmifiahi.exe, 2452 Mjmgbe32.exe, 588 Mmkcoq32.exe,
2552 Mmmpdp32.exe, 2364 Mffdmfjd.exe, 2772 Mbobgfnf.exe, 1560 Nbaomf32.exe, 2568 Njlcah32.exe, 1320 Nfeqli32.exe, 2084 Nblaajbd.exe, 2504 Oemjbe32.exe,
2300 Obakli32.exe, 396 Oohlaj32.exe, 1352 Oimpnc32.exe, 1664 Oedqcdim.exe, 1200 Oolelj32.exe, 1844 Pkcfak32.exe, 2328 Pamnnemo.exe, 1680 Pcagkmaj.exe,
2532 Ppegdapd.exe, 1684 Pojdem32.exe, 368 Qoonqmqf.exe, 3000 Qdkfic32.exe, 2892 Qlbnja32.exe, 3004 Ahllda32.exe, 2736 Anhdmh32.exe, 2232 Achikonn.exe,
2916 Boqgep32.exe, 1492 Biikne32.exe, 2464 Bfmlgi32.exe, 1564 Bebiifka.exe, 784 Bjanfl32.exe, 2136 Cnacbj32.exe, 1056 Cfmhfm32.exe, 2276 Cfoellgb.exe,
2208 Cipnng32.exe, 2100 Dfdngl32.exe, 1096 Dlqgob32.exe, 2536 Dbkolmia.exe, 2516 Dkhpfo32.exe, 1820 Dabicikf.exe, 620 Dkkmln32.exe, 700 Ehonebqq.exe,
900 Emkfmioh.exe, 2612 Echoepmo.exe, 1552 Emncci32.exe, 2952 Eeiggk32.exe, 2564 Ecmhqp32.exe, 1740 Eleliepj.exe, 2764 Ecodfogg.exe, 2184 Elgioe32.exe,
796 Fadagl32.exe, 1032 Fljfdd32.exe, 984 Fagnmkjm.exe, 1808 Fhqfie32.exe, 288 Fnnobl32.exe, 892 Fgfckbfa.exe, 316 Fakhhk32.exe, 756 Fjfllm32.exe
Loads dropped DLL (64 IoCs)

32 processes, each listed twice in the report, in this order:

2620 d68efcc0f141020b14008dcb17cd6d7f1ad20c59197c57ef56649c16ff301a71.exe, 2456 Koejqi32.exe, 2972 Lojclibo.exe, 2740 Lnopmegg.exe, 3036 Ljeabf32.exe, 2936 Lncjhd32.exe, 2320 Mmifiahi.exe, 2452 Mjmgbe32.exe,
588 Mmkcoq32.exe, 2552 Mmmpdp32.exe, 2364 Mffdmfjd.exe, 2772 Mbobgfnf.exe, 1560 Nbaomf32.exe, 2568 Njlcah32.exe, 1320 Nfeqli32.exe, 2084 Nblaajbd.exe,
2504 Oemjbe32.exe, 2300 Obakli32.exe, 396 Oohlaj32.exe, 1352 Oimpnc32.exe, 1664 Oedqcdim.exe, 1200 Oolelj32.exe, 1844 Pkcfak32.exe, 2328 Pamnnemo.exe,
1680 Pcagkmaj.exe, 2532 Ppegdapd.exe, 1596 Phbinc32.exe, 368 Qoonqmqf.exe, 3000 Qdkfic32.exe, 2892 Qlbnja32.exe, 3004 Ahllda32.exe, 2736 Anhdmh32.exe

The two process tables disagree at one position: this one records Phbinc32.exe (PID 1596) where "Executes dropped EXE" records Pojdem32.exe (PID 1684). Both tables are capped at 64 entries, so neither is a complete process list for the run.
Drops file in System32 directory (64 IoCs)

Every dropped file lands in C:\Windows\SysWOW64 under an 8-character name. "File created" rows are new payloads (the .dll rows are the COM servers registered under "Modifies registry class"); "File opened for modification" rows are where the report records which stage wrote the next .exe. The third column is the writing process, "-" where the report attributes none.

  File opened for modification   C:\Windows\SysWOW64\Bmmgbbeq.exe   Boifinfg.exe
  File created                   C:\Windows\SysWOW64\Qaqpffok.dll   Fiepga32.exe
  File created                   C:\Windows\SysWOW64\Odjhea32.dll   -
  File opened for modification   C:\Windows\SysWOW64\Ocfppm32.exe   -
  File opened for modification   C:\Windows\SysWOW64\Onbhdl32.exe   -
  File created                   C:\Windows\SysWOW64\Linppb32.dll   Pdegnn32.exe
  File created                   C:\Windows\SysWOW64\Jaqhiq32.exe   -
  File created                   C:\Windows\SysWOW64\Egfnceik.exe   -
  File opened for modification   C:\Windows\SysWOW64\Acpofchk.exe   -
  File created                   C:\Windows\SysWOW64\Obckihng.dll   Nmhlnngi.exe
  File opened for modification   C:\Windows\SysWOW64\Ofefqf32.exe   Olobcm32.exe
  File created                   C:\Windows\SysWOW64\Ioccpggm.dll   Flmlmc32.exe
  File created                   C:\Windows\SysWOW64\Cahbem32.exe   Cgpnlgak.exe
  File created                   C:\Windows\SysWOW64\Dnmlom32.dll   -
  File created                   C:\Windows\SysWOW64\Ekegqfbb.dll   -
  File opened for modification   C:\Windows\SysWOW64\Djmkkb32.exe   -
  File created                   C:\Windows\SysWOW64\Jnafop32.exe   Jnojjp32.exe
  File created                   C:\Windows\SysWOW64\Enijcn32.exe   Edafjiqe.exe
  File opened for modification   C:\Windows\SysWOW64\Bakgmgpe.exe   Alnoepam.exe
  File opened for modification   C:\Windows\SysWOW64\Mboekp32.exe   Lmbmbi32.exe
  File created                   C:\Windows\SysWOW64\Kdehmb32.exe   Kcflbpnn.exe
  File created                   C:\Windows\SysWOW64\Olmilk32.exe   -
  File created                   C:\Windows\SysWOW64\Olobcm32.exe   Ophanl32.exe
  File created                   C:\Windows\SysWOW64\Ghplofkf.dll   Jmhile32.exe
  File created                   C:\Windows\SysWOW64\Dfonie32.dll   Fngjmb32.exe
  File created                   C:\Windows\SysWOW64\Bpdgolml.exe   Benbbcmf.exe
  File created                   C:\Windows\SysWOW64\Qpfqjime.dll   -
  File created                   C:\Windows\SysWOW64\Joigkgel.dll   Dabicikf.exe
  File opened for modification   C:\Windows\SysWOW64\Foccfp32.exe   -
  File created                   C:\Windows\SysWOW64\Dcoklagc.exe   -
  File created                   C:\Windows\SysWOW64\Jqpkkadl.dll   -
  File created                   C:\Windows\SysWOW64\Ghmokomm.exe   Gbcgne32.exe
  File created                   C:\Windows\SysWOW64\Jeieehmo.dll   -
  File created                   C:\Windows\SysWOW64\Mfnime32.exe   -
  File created                   C:\Windows\SysWOW64\Clnnhq32.exe   -
  File created                   C:\Windows\SysWOW64\Bdemaknk.dll   Pamnnemo.exe
  File created                   C:\Windows\SysWOW64\Fnnnoaop.dll   Jifkmh32.exe
  File created                   C:\Windows\SysWOW64\Pcmadj32.exe   Pnphlc32.exe
  File created                   C:\Windows\SysWOW64\Fknido32.exe   Fdcahdib.exe
  File created                   C:\Windows\SysWOW64\Eehkba32.dll   Emjoep32.exe
  File opened for modification   C:\Windows\SysWOW64\Dmnkgddc.exe   -
  File opened for modification   C:\Windows\SysWOW64\Baaoiklb.exe   -
  File opened for modification   C:\Windows\SysWOW64\Pamnnemo.exe   Pkcfak32.exe
  File created                   C:\Windows\SysWOW64\Ocaiehfo.dll   Gocnjn32.exe
  File created                   C:\Windows\SysWOW64\Djnbdlla.exe   Dpenkgfq.exe
  File created                   C:\Windows\SysWOW64\Oimpppoj.exe   Opdkgj32.exe
  File created                   C:\Windows\SysWOW64\Kcofnejq.exe   -
  File opened for modification   C:\Windows\SysWOW64\Ecelck32.exe   -
  File created                   C:\Windows\SysWOW64\Nicbejbc.dll   -
  File opened for modification   C:\Windows\SysWOW64\Pkcfak32.exe   Oolelj32.exe
  File created                   C:\Windows\SysWOW64\Pcfjelcc.dll   Fakhhk32.exe
  File created                   C:\Windows\SysWOW64\Ikmjnnah.exe   Ibeeeijg.exe
  File created                   C:\Windows\SysWOW64\Gfclic32.exe   Goidmibg.exe
  File opened for modification   C:\Windows\SysWOW64\Dcgmgh32.exe   Cgpmbgai.exe
  File opened for modification   C:\Windows\SysWOW64\Fmicnhob.exe   Fglkeaqk.exe
  File opened for modification   C:\Windows\SysWOW64\Mfngdmgb.exe   Mnbbpkjg.exe
  File created                   C:\Windows\SysWOW64\Bfadkh32.dll   -
  File created                   C:\Windows\SysWOW64\Aadfahob.dll   -
  File created                   C:\Windows\SysWOW64\Fnhabphk.exe   -
  File opened for modification   C:\Windows\SysWOW64\Bgfdjfkh.exe   Annpaq32.exe
  File created                   C:\Windows\SysWOW64\Mmgkoe32.exe   Mpcjfa32.exe
  File created                   C:\Windows\SysWOW64\Eqjjhn32.dll   Hkifld32.exe
  File created                   C:\Windows\SysWOW64\Dpkmgi32.dll   -
  File created                   C:\Windows\SysWOW64\Gfkdeihf.dll   -
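The "opened for modification" rows and the PID table above can be turned into a stage lineage mechanically. The following Python is an added example written for this page, not part of the sandbox report or its tooling: it parses rows in the report's own row format, walks the writer links back from a given stage, and checks that the resulting file lineage agrees with the order of the PID table. The sample rows are re-typed from the tables above so the script runs offline; the fourth-stage entry Pcagkmaj.exe in the PID sample is included only to show that unrelated rows are ignored.

```python
import re

# Rows re-typed from this report's "Drops file in System32 directory" and
# "Executes dropped EXE" tables so the script runs offline (constructed input,
# same shape and content as the report).
SAMPLE_FILE_ROWS = [
    r'File opened for modification C:\Windows\SysWOW64\Pkcfak32.exe Oolelj32.exe',
    r'File opened for modification C:\Windows\SysWOW64\Pamnnemo.exe Pkcfak32.exe',
    r'File created C:\Windows\SysWOW64\Bdemaknk.dll Pamnnemo.exe',
    r'File created C:\Windows\SysWOW64\Odjhea32.dll',
    r'File opened for modification C:\Windows\SysWOW64\Bgfdjfkh.exe Annpaq32.exe',
    r'File created C:\Windows\SysWOW64\Ghplofkf.dll Jmhile32.exe',
]
SAMPLE_PID_TABLE = '1200 Oolelj32.exe 1844 Pkcfak32.exe 2328 Pamnnemo.exe 1680 Pcagkmaj.exe'

# "File <action> <drive>:\<path> [writing process]"; the process is optional
# because many rows in the report carry no attribution.
FILE_ROW_RE = re.compile(
    r'^File (?P<action>created|opened for modification) '
    r'(?P<path>[A-Za-z]:\\\S+)(?: (?P<proc>\S+))?$'
)
PID_RE = re.compile(r'(\d+) (\S+\.exe)')


def parse_file_rows(rows):
    """-> list of (action, full path, writing process or None)."""
    out = []
    for row in rows:
        m = FILE_ROW_RE.match(row)
        if m:
            out.append((m['action'], m['path'], m['proc']))
    return out


def parse_pid_table(text):
    """-> list of (pid, image name) in the order the report lists them."""
    return [(int(p), n) for p, n in PID_RE.findall(text)]


def basename(path):
    return path.rsplit('\\', 1)[-1]


def drop_edges(parsed):
    """Map each written .exe basename -> the process that wrote it."""
    edges = {}
    for _action, path, proc in parsed:
        name = basename(path)
        if proc and name.lower().endswith('.exe'):
            edges[name] = proc
    return edges


def dlls_by_writer(parsed):
    """Map writing process -> sorted .dll basenames it created (COM servers)."""
    out = {}
    for action, path, proc in parsed:
        name = basename(path)
        if proc and action == 'created' and name.lower().endswith('.dll'):
            out.setdefault(proc, []).append(name)
    return {k: sorted(v) for k, v in out.items()}


def lineage(target, edges):
    """Walk writer links back from `target`; returns oldest stage first.
    Stops on a cycle so a stage that rewrites an earlier one cannot loop."""
    chain, seen = [target], {target}
    while chain[-1] in edges and edges[chain[-1]] not in seen:
        chain.append(edges[chain[-1]])
        seen.add(chain[-1])
    return chain[::-1]


def follows_pid_order(chain, pid_table):
    """True when every stage in `chain` is in the PID table and the table
    lists writers before the files they wrote; a missing stage fails."""
    pos = {name: i for i, (_pid, name) in enumerate(parse_pid_table(pid_table))}
    idx = [pos.get(n) for n in chain]
    return None not in idx and idx == sorted(idx)


if __name__ == '__main__':
    parsed = parse_file_rows(SAMPLE_FILE_ROWS)
    edges = drop_edges(parsed)
    chain = lineage('Pamnnemo.exe', edges)
    print(' -> '.join(chain), 'matches PID order:', follows_pid_order(chain, SAMPLE_PID_TABLE))
    print('DLLs per writer:', dlls_by_writer(parsed))
```

Run against the full tables rather than the sample, the same walk shows which stages the 64-row cap has cut off: a chain that ends at a stage absent from the PID table is where the report's view stops, not where the infection did.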
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. All 64 entries are the same read:

  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Attributed processes (31): Dieiap32.exe, Hcfenn32.exe, Oenngb32.exe, Inopce32.exe, Qcgkeonp.exe, Alnoepam.exe, Hbdfoiki.exe, Oelcho32.exe, Hnjdpm32.exe, Khpaidpk.exe, Gmjbchnq.exe, Cafbmdbh.exe, Babpgo32.exe, Ehhghdgc.exe, Mjialchg.exe, Pelpgb32.exe, Fpdqlkhe.exe, Fehjcc32.exe, Holqbipe.exe, Olokighn.exe, Oabdol32.exe, Ljnebe32.exe, Fglkeaqk.exe, Lnpejklj.exe, Jpdibapb.exe, Lejbhbpn.exe, Nmhlnngi.exe, Kmgekh32.exe, Apjdin32.exe, Jncqlj32.exe, Mpflmbnc.exe

The other 33 entries carry no process attribution. Reading this key is also common in benign, locale-aware software, so treat it as supporting context for the persistence behaviour above rather than as a detection on its own.
Modifies registry class (64 IoCs)

Every entry touches the InProcServer32 key of the CLSID that the SSODL value above points at, which is what makes the "Web Event Logger" object resolve to a dropped DLL in SysWow64. Three distinct operations occur (the report renders the DLL path with doubled backslashes, which is its string escaping, not part of the value):

  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\<dropped>.dll"

"Key created", 26 entries; attributed processes (14): Qdieaf32.exe, Nhhfbd32.exe, Hiichkog.exe, Ooianpif.exe, Dcijmhdj.exe, Njbanida.exe, Jhboidoj.exe, Bgcdcjpf.exe, Hnmcne32.exe, Conmkh32.exe, Bfifqg32.exe, Kehidp32.exe, Gmipmlan.exe, Gqgjlb32.exe

"ThreadingModel", 19 entries; attributed processes (12): Bgndnd32.exe, Ahllda32.exe, Abpohb32.exe, Hekhid32.exe, Pmbpda32.exe, Phknlfem.exe, Impdeg32.exe, Ciknhb32.exe, Ehgmiq32.exe, Gocnjn32.exe, Gicpnhbb.exe, Bfifqg32.exe

Default value (COM server path), 19 entries; each DLL sits in C:\Windows\SysWow64 and is a fresh name per stage, so the CLSID stays constant while the DLL behind it changes:

  Lmcdgdna.dll   Eiehilaa.exe
  Jhfehjna.dll   Jdobjgqg.exe
  Geedqq32.dll   Omkidb32.exe
  Nlkgdg32.dll   Pjdjbl32.exe
  Hlegof32.dll   Cgmiba32.exe
  Eadkkbpe.dll   -
  Nelglc32.dll   Bgndnd32.exe
  Gmdimeom.dll   -
  Gebgffgf.dll   -
  Oeecca32.dll   -
  Jdmqnh32.dll   Jiaaaicm.exe
  Llgade32.dll   Bibagmhk.exe
  Abcpho32.dll   Pgdfbb32.exe
  Jliaac32.dll   Ohfgeo32.exe
  Ghplofkf.dll   Jmhile32.exe
  Eebdhmbm.dll   Ehhghdgc.exe
  Amhogfdf.dll   Ajcpgi32.exe
  Dhlgdedc.dll   -
  Hadged32.dll   Hocmbjhn.exe

Jmhile32.exe appears in both tables: it creates C:\Windows\SysWOW64\Ghplofkf.dll (see "Drops file in System32 directory") and then sets it as the InProcServer32 path, which is the complete persistence chain in one process. For detection, the CLSID {79FAA099-1BAE-816E-D711-115290CEE717} is the stable indicator; the DLL and process names are not.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
level⤵ image path | cmd: command line | PID | behaviour signatures
1⤵ C:\Users\Admin\AppData\Local\Temp\d68efcc0f141020b14008dcb17cd6d7f1ad20c59197c57ef56649c16ff301a71.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\d68efcc0f141020b14008dcb17cd6d7f1ad20c59197c57ef56649c16ff301a71.exe" | PID:2620 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Koejqi32.exe | cmd: C:\Windows\system32\Koejqi32.exe | PID:2456 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Lojclibo.exe | cmd: C:\Windows\system32\Lojclibo.exe | PID:2972 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Lnopmegg.exe | cmd: C:\Windows\system32\Lnopmegg.exe | PID:2740 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Ljeabf32.exe | cmd: C:\Windows\system32\Ljeabf32.exe | PID:3036 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Lncjhd32.exe | cmd: C:\Windows\system32\Lncjhd32.exe | PID:2936 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Mmifiahi.exe | cmd: C:\Windows\system32\Mmifiahi.exe | PID:2320 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Mjmgbe32.exe | cmd: C:\Windows\system32\Mjmgbe32.exe | PID:2452 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Mmkcoq32.exe | cmd: C:\Windows\system32\Mmkcoq32.exe | PID:588 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Mmmpdp32.exe | cmd: C:\Windows\system32\Mmmpdp32.exe | PID:2552 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Mffdmfjd.exe | cmd: C:\Windows\system32\Mffdmfjd.exe | PID:2364 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Mbobgfnf.exe | cmd: C:\Windows\system32\Mbobgfnf.exe | PID:2772 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Nbaomf32.exe | cmd: C:\Windows\system32\Nbaomf32.exe | PID:1560 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Njlcah32.exe | cmd: C:\Windows\system32\Njlcah32.exe | PID:2568 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Nfeqli32.exe | cmd: C:\Windows\system32\Nfeqli32.exe | PID:1320 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Nblaajbd.exe | cmd: C:\Windows\system32\Nblaajbd.exe | PID:2084 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Oemjbe32.exe | cmd: C:\Windows\system32\Oemjbe32.exe | PID:2504 | Executes dropped EXE; Loads dropped DLL
18⤵ C:\Windows\SysWOW64\Obakli32.exe | cmd: C:\Windows\system32\Obakli32.exe | PID:2300 | Executes dropped EXE; Loads dropped DLL
19⤵ C:\Windows\SysWOW64\Oohlaj32.exe | cmd: C:\Windows\system32\Oohlaj32.exe | PID:396 | Executes dropped EXE; Loads dropped DLL
20⤵ C:\Windows\SysWOW64\Oimpnc32.exe | cmd: C:\Windows\system32\Oimpnc32.exe | PID:1352 | Executes dropped EXE; Loads dropped DLL
21⤵ C:\Windows\SysWOW64\Oedqcdim.exe | cmd: C:\Windows\system32\Oedqcdim.exe | PID:1664 | Executes dropped EXE; Loads dropped DLL
22⤵ C:\Windows\SysWOW64\Oolelj32.exe | cmd: C:\Windows\system32\Oolelj32.exe | PID:1200 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
23⤵ C:\Windows\SysWOW64\Pkcfak32.exe | cmd: C:\Windows\system32\Pkcfak32.exe | PID:1844 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24⤵ C:\Windows\SysWOW64\Pamnnemo.exe | cmd: C:\Windows\system32\Pamnnemo.exe | PID:2328 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
25⤵ C:\Windows\SysWOW64\Pcagkmaj.exe | cmd: C:\Windows\system32\Pcagkmaj.exe | PID:1680 | Executes dropped EXE; Loads dropped DLL
26⤵ C:\Windows\SysWOW64\Ppegdapd.exe | cmd: C:\Windows\system32\Ppegdapd.exe | PID:2532 | Executes dropped EXE; Loads dropped DLL
27⤵ C:\Windows\SysWOW64\Pojdem32.exe | cmd: C:\Windows\system32\Pojdem32.exe | PID:1684 | Executes dropped EXE
28⤵ C:\Windows\SysWOW64\Phbinc32.exe | cmd: C:\Windows\system32\Phbinc32.exe | PID:1596 | Loads dropped DLL
29⤵ C:\Windows\SysWOW64\Qoonqmqf.exe | cmd: C:\Windows\system32\Qoonqmqf.exe | PID:368 | Executes dropped EXE; Loads dropped DLL
30⤵ C:\Windows\SysWOW64\Qdkfic32.exe | cmd: C:\Windows\system32\Qdkfic32.exe | PID:3000 | Executes dropped EXE; Loads dropped DLL
31⤵ C:\Windows\SysWOW64\Qlbnja32.exe | cmd: C:\Windows\system32\Qlbnja32.exe | PID:2892 | Executes dropped EXE; Loads dropped DLL
32⤵ C:\Windows\SysWOW64\Ahllda32.exe | cmd: C:\Windows\system32\Ahllda32.exe | PID:3004 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
33⤵ C:\Windows\SysWOW64\Anhdmh32.exe | cmd: C:\Windows\system32\Anhdmh32.exe | PID:2736 | Executes dropped EXE; Loads dropped DLL
34⤵ C:\Windows\SysWOW64\Achikonn.exe | cmd: C:\Windows\system32\Achikonn.exe | PID:2232 | Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Boqgep32.exe | cmd: C:\Windows\system32\Boqgep32.exe | PID:2916 | Executes dropped EXE
36⤵ C:\Windows\SysWOW64\Biikne32.exe | cmd: C:\Windows\system32\Biikne32.exe | PID:1492 | Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Bfmlgi32.exe | cmd: C:\Windows\system32\Bfmlgi32.exe | PID:2464 | Executes dropped EXE
38⤵ C:\Windows\SysWOW64\Bebiifka.exe | cmd: C:\Windows\system32\Bebiifka.exe | PID:1564 | Executes dropped EXE
39⤵ C:\Windows\SysWOW64\Bjanfl32.exe | cmd: C:\Windows\system32\Bjanfl32.exe | PID:784 | Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Cnacbj32.exe | cmd: C:\Windows\system32\Cnacbj32.exe | PID:2136 | Executes dropped EXE
41⤵ C:\Windows\SysWOW64\Cfmhfm32.exe | cmd: C:\Windows\system32\Cfmhfm32.exe | PID:1056 | Executes dropped EXE
42⤵ C:\Windows\SysWOW64\Cfoellgb.exe | cmd: C:\Windows\system32\Cfoellgb.exe | PID:2276 | Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Cipnng32.exe | cmd: C:\Windows\system32\Cipnng32.exe | PID:2208 | Executes dropped EXE
44⤵ C:\Windows\SysWOW64\Dfdngl32.exe | cmd: C:\Windows\system32\Dfdngl32.exe | PID:2100 | Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Dlqgob32.exe | cmd: C:\Windows\system32\Dlqgob32.exe | PID:1096 | Executes dropped EXE
46⤵ C:\Windows\SysWOW64\Dbkolmia.exe | cmd: C:\Windows\system32\Dbkolmia.exe | PID:2536 | Executes dropped EXE
47⤵ C:\Windows\SysWOW64\Dkhpfo32.exe | cmd: C:\Windows\system32\Dkhpfo32.exe | PID:2516 | Executes dropped EXE
48⤵ C:\Windows\SysWOW64\Dabicikf.exe | cmd: C:\Windows\system32\Dabicikf.exe | PID:1820 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
49⤵ C:\Windows\SysWOW64\Dkkmln32.exe | cmd: C:\Windows\system32\Dkkmln32.exe | PID:620 | Executes dropped EXE
50⤵ C:\Windows\SysWOW64\Ehonebqq.exe | cmd: C:\Windows\system32\Ehonebqq.exe | PID:700 | Executes dropped EXE
51⤵ C:\Windows\SysWOW64\Emkfmioh.exe | cmd: C:\Windows\system32\Emkfmioh.exe | PID:900 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
52⤵ C:\Windows\SysWOW64\Echoepmo.exe | cmd: C:\Windows\system32\Echoepmo.exe | PID:2612 | Executes dropped EXE
53⤵ C:\Windows\SysWOW64\Emncci32.exe | cmd: C:\Windows\system32\Emncci32.exe | PID:1552 | Executes dropped EXE
54⤵ C:\Windows\SysWOW64\Eeiggk32.exe | cmd: C:\Windows\system32\Eeiggk32.exe | PID:2952 | Executes dropped EXE
55⤵ C:\Windows\SysWOW64\Ecmhqp32.exe | cmd: C:\Windows\system32\Ecmhqp32.exe | PID:2564 | Executes dropped EXE
56⤵ C:\Windows\SysWOW64\Eleliepj.exe | cmd: C:\Windows\system32\Eleliepj.exe | PID:1740 | Executes dropped EXE
57⤵ C:\Windows\SysWOW64\Ecodfogg.exe | cmd: C:\Windows\system32\Ecodfogg.exe | PID:2764 | Executes dropped EXE
58⤵ C:\Windows\SysWOW64\Elgioe32.exe | cmd: C:\Windows\system32\Elgioe32.exe | PID:2184 | Executes dropped EXE
59⤵ C:\Windows\SysWOW64\Fadagl32.exe | cmd: C:\Windows\system32\Fadagl32.exe | PID:796 | Executes dropped EXE
60⤵ C:\Windows\SysWOW64\Fljfdd32.exe | cmd: C:\Windows\system32\Fljfdd32.exe | PID:1032 | Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Fagnmkjm.exe | cmd: C:\Windows\system32\Fagnmkjm.exe | PID:984 | Executes dropped EXE
62⤵ C:\Windows\SysWOW64\Fhqfie32.exe | cmd: C:\Windows\system32\Fhqfie32.exe | PID:1808 | Executes dropped EXE
63⤵ C:\Windows\SysWOW64\Fnnobl32.exe | cmd: C:\Windows\system32\Fnnobl32.exe | PID:288 | Executes dropped EXE
64⤵ C:\Windows\SysWOW64\Fgfckbfa.exe | cmd: C:\Windows\system32\Fgfckbfa.exe | PID:892 | Executes dropped EXE
65⤵ C:\Windows\SysWOW64\Fakhhk32.exe | cmd: C:\Windows\system32\Fakhhk32.exe | PID:316 | Executes dropped EXE; Drops file in System32 directory
66⤵ C:\Windows\SysWOW64\Fjfllm32.exe | cmd: C:\Windows\system32\Fjfllm32.exe | PID:756 | Executes dropped EXE
67⤵ C:\Windows\SysWOW64\Fdlqjf32.exe | cmd: C:\Windows\system32\Fdlqjf32.exe | PID:2684
68⤵ C:\Windows\SysWOW64\Gjiibm32.exe | cmd: C:\Windows\system32\Gjiibm32.exe | PID:936
69⤵ C:\Windows\SysWOW64\Gofajcog.exe | cmd: C:\Windows\system32\Gofajcog.exe | PID:472
70⤵ C:\Windows\SysWOW64\Gmjbchnq.exe | cmd: C:\Windows\system32\Gmjbchnq.exe | PID:2672 | System Location Discovery: System Language Discovery
71⤵ C:\Windows\SysWOW64\Gbfklolh.exe | cmd: C:\Windows\system32\Gbfklolh.exe | PID:1760
72⤵ C:\Windows\SysWOW64\Gmloigln.exe | cmd: C:\Windows\system32\Gmloigln.exe | PID:2580
73⤵ C:\Windows\SysWOW64\Gojkecka.exe | cmd: C:\Windows\system32\Gojkecka.exe | PID:2836
74⤵ C:\Windows\SysWOW64\Gicpnhbb.exe | cmd: C:\Windows\system32\Gicpnhbb.exe | PID:2768 | Modifies registry class
75⤵ C:\Windows\SysWOW64\Gomhkb32.exe | cmd: C:\Windows\system32\Gomhkb32.exe | PID:2788
76⤵ C:\Windows\SysWOW64\Gkchpcoc.exe | cmd: C:\Windows\system32\Gkchpcoc.exe | PID:1804
77⤵ C:\Windows\SysWOW64\Hbnqln32.exe | cmd: C:\Windows\system32\Hbnqln32.exe | PID:2088
78⤵ C:\Windows\SysWOW64\Hjieapck.exe | cmd: C:\Windows\system32\Hjieapck.exe | PID:1276
79⤵ C:\Windows\SysWOW64\Hbpmbndm.exe | cmd: C:\Windows\system32\Hbpmbndm.exe | PID:2308
80⤵ C:\Windows\SysWOW64\Hngngo32.exe | cmd: C:\Windows\system32\Hngngo32.exe | PID:1128
81⤵ C:\Windows\SysWOW64\Hccfoehi.exe | cmd: C:\Windows\system32\Hccfoehi.exe | PID:1244
82⤵ C:\Windows\SysWOW64\Hmlkhk32.exe | cmd: C:\Windows\system32\Hmlkhk32.exe | PID:3060
83⤵ C:\Windows\SysWOW64\Hgaoec32.exe | cmd: C:\Windows\system32\Hgaoec32.exe | PID:1456
84⤵ C:\Windows\SysWOW64\Hpmdjf32.exe | cmd: C:\Windows\system32\Hpmdjf32.exe | PID:1260
85⤵ C:\Windows\SysWOW64\Hjbhgolp.exe | cmd: C:\Windows\system32\Hjbhgolp.exe | PID:1300
86⤵ C:\Windows\SysWOW64\Icjmpd32.exe | cmd: C:\Windows\system32\Icjmpd32.exe | PID:108
87⤵ C:\Windows\SysWOW64\Iigehk32.exe | cmd: C:\Windows\system32\Iigehk32.exe | PID:1636
88⤵ C:\Windows\SysWOW64\Ibpjaagi.exe | cmd: C:\Windows\system32\Ibpjaagi.exe | PID:2520
89⤵ C:\Windows\SysWOW64\Iijbnkne.exe | cmd: C:\Windows\system32\Iijbnkne.exe | PID:868
90⤵ C:\Windows\SysWOW64\Infjfblm.exe | cmd: C:\Windows\system32\Infjfblm.exe | PID:2980
91⤵ C:\Windows\SysWOW64\Ieqbbl32.exe | cmd: C:\Windows\system32\Ieqbbl32.exe | PID:2900
92⤵ C:\Windows\SysWOW64\Iniglajj.exe | cmd: C:\Windows\system32\Iniglajj.exe | PID:920
93⤵ C:\Windows\SysWOW64\Iecohl32.exe | cmd: C:\Windows\system32\Iecohl32.exe | PID:2124
94⤵ C:\Windows\SysWOW64\Imndmnob.exe | cmd: C:\Windows\system32\Imndmnob.exe | PID:2556
95⤵ C:\Windows\SysWOW64\Jffhec32.exe | cmd: C:\Windows\system32\Jffhec32.exe | PID:1880
96⤵ C:\Windows\SysWOW64\Jalmcl32.exe | cmd: C:\Windows\system32\Jalmcl32.exe | PID:2636
97⤵ C:\Windows\SysWOW64\Jigagocd.exe | cmd: C:\Windows\system32\Jigagocd.exe | PID:2624
98⤵ C:\Windows\SysWOW64\Jfkbqcam.exe | cmd: C:\Windows\system32\Jfkbqcam.exe | PID:824
99⤵ C:\Windows\SysWOW64\Jiinmnaa.exe | cmd: C:\Windows\system32\Jiinmnaa.exe | PID:976
100⤵ C:\Windows\SysWOW64\Jdobjgqg.exe | cmd: C:\Windows\system32\Jdobjgqg.exe | PID:844 | Modifies registry class
101⤵ C:\Windows\SysWOW64\Jepoao32.exe | cmd: C:\Windows\system32\Jepoao32.exe | PID:1280
102⤵ C:\Windows\SysWOW64\Jpfcohfk.exe | cmd: C:\Windows\system32\Jpfcohfk.exe | PID:876 | Adds autorun key to be loaded by Explorer.exe on startup
103⤵ C:\Windows\SysWOW64\Jeblgodb.exe | cmd: C:\Windows\system32\Jeblgodb.exe | PID:2872
104⤵ C:\Windows\SysWOW64\Kbflqccl.exe | cmd: C:\Windows\system32\Kbflqccl.exe | PID:2876
105⤵ C:\Windows\SysWOW64\Kommediq.exe | cmd: C:\Windows\system32\Kommediq.exe | PID:1796
106⤵ C:\Windows\SysWOW64\Kdjenkgh.exe | cmd: C:\Windows\system32\Kdjenkgh.exe | PID:3052
107⤵ C:\Windows\SysWOW64\Kopikdgn.exe | cmd: C:\Windows\system32\Kopikdgn.exe | PID:1816
108⤵ C:\Windows\SysWOW64\Khhndi32.exe | cmd: C:\Windows\system32\Khhndi32.exe | PID:2228
109⤵ C:\Windows\SysWOW64\Kobfqc32.exe | cmd: C:\Windows\system32\Kobfqc32.exe | PID:2832
110⤵ C:\Windows\SysWOW64\Ldchdjom.exe | cmd: C:\Windows\system32\Ldchdjom.exe | PID:1044
111⤵ C:\Windows\SysWOW64\Lnlmmo32.exe | cmd: C:\Windows\system32\Lnlmmo32.exe | PID:2192
112⤵ C:\Windows\SysWOW64\Loofjg32.exe | cmd: C:\Windows\system32\Loofjg32.exe | PID:2296 | Adds autorun key to be loaded by Explorer.exe on startup
113⤵ C:\Windows\SysWOW64\Ljejgp32.exe | cmd: C:\Windows\system32\Ljejgp32.exe | PID:2400
114⤵ C:\Windows\SysWOW64\Lcmopepp.exe | cmd: C:\Windows\system32\Lcmopepp.exe | PID:1156
115⤵ C:\Windows\SysWOW64\Lhjghlng.exe | cmd: C:\Windows\system32\Lhjghlng.exe | PID:596
116⤵ C:\Windows\SysWOW64\Lngpac32.exe | cmd: C:\Windows\system32\Lngpac32.exe | PID:2352
117⤵ C:\Windows\SysWOW64\Mgodjico.exe | cmd: C:\Windows\system32\Mgodjico.exe | PID:3064
118⤵ C:\Windows\SysWOW64\Mdcdcmai.exe | cmd: C:\Windows\system32\Mdcdcmai.exe | PID:2780
119⤵ C:\Windows\SysWOW64\Mkmmpg32.exe | cmd: C:\Windows\system32\Mkmmpg32.exe | PID:1380
120⤵ C:\Windows\SysWOW64\Mchadifq.exe | cmd: C:\Windows\system32\Mchadifq.exe | PID:2632
121⤵ C:\Windows\SysWOW64\Mmafmo32.exe | cmd: C:\Windows\system32\Mmafmo32.exe | PID:1936
122⤵ C:\Windows\SysWOW64\Mjeffc32.exe | cmd: C:\Windows\system32\Mjeffc32.exe | PID:1196