Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 08:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe
-
Size
74KB
-
MD5
d99fb8ca68c912f5552310793b3f6a50
-
SHA1
fe96934f996c277b7ad2491658b6867daeab9e3e
-
SHA256
7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54a
-
SHA512
1935c3b5d5fd0a8057928f4032f1729923fcf2b7f10ba87096eea9b418dae8837ac0dd3103c8778585b60fdeb29d49d2469d9e0b23cb8b3ef86ee43881b4ea14
-
SSDEEP
768:0FUm5hNCLGpYqKGPAZoAn0RfI+i94WqGmBOnDDI46+66chAhrU1c67dw0gbAaAvs:0G+NCIlFAP9ZZmoDcp3y2a3HAVy
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fglfgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfpfdeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjleclph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giaidnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iogpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddaemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjfkmdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deakjjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmmfnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonibk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpopddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koipglep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfcgbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffibceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikgkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjpggkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigbebhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kalipcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bknjfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkipao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoebgcol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflchkii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keioca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaimipjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fennoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oflpgnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njbfnjeg.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2692 Boogmgkl.exe 2708 Bfioia32.exe 2832 Bfioia32.exe 2740 Bkegah32.exe 2552 Cbppnbhm.exe 3036 Ciihklpj.exe 1788 Ckhdggom.exe 2864 Cfmhdpnc.exe 2092 Cileqlmg.exe 2356 Cpfmmf32.exe 2012 Cbdiia32.exe 1776 Cinafkkd.exe 2108 Ckmnbg32.exe 2132 Cnkjnb32.exe 2388 Ceebklai.exe 2232 Clojhf32.exe 2396 Cnmfdb32.exe 1308 Calcpm32.exe 340 Cegoqlof.exe 2016 Cfhkhd32.exe 2456 Djdgic32.exe 2956 Dnpciaef.exe 2504 Danpemej.exe 1044 Djfdob32.exe 1000 Dmepkn32.exe 2240 Dcohghbk.exe 2088 Dbaice32.exe 2816 Dmgmpnhl.exe 2728 Dpeiligo.exe 2620 Ddaemh32.exe 2764 Dmijfmfi.exe 2876 Dlljaj32.exe 2892 Dbfbnddq.exe 1732 Deenjpcd.exe 1748 Dlofgj32.exe 2424 Dpjbgh32.exe 332 Eakooqih.exe 620 Eibgpnjk.exe 2324 Ekdchf32.exe 2368 Ebklic32.exe 444 Elcpbigl.exe 1916 Eoblnd32.exe 1188 Emdmjamj.exe 2416 Eeldkonl.exe 1208 Ekhmcelc.exe 2912 Eodicd32.exe 1648 Emgioakg.exe 1636 Epeekmjk.exe 2924 Ehlmljkm.exe 2788 Einjdb32.exe 2800 Emifeqid.exe 2824 Ephbal32.exe 2032 Edcnakpa.exe 2296 Egajnfoe.exe 1596 Ekmfne32.exe 1904 Eipgjaoi.exe 1520 Fpjofl32.exe 112 Fdekgjno.exe 2124 Fchkbg32.exe 2116 Fibcoalf.exe 1288 Fplllkdc.exe 3068 Fplllkdc.exe 1660 Foolgh32.exe 1692 Feiddbbj.exe -
Loads dropped DLL 64 IoCs
pid Process 2640 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe 2640 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe 2692 Boogmgkl.exe 2692 Boogmgkl.exe 2708 Bfioia32.exe 2708 Bfioia32.exe 2832 Bfioia32.exe 2832 Bfioia32.exe 2740 Bkegah32.exe 2740 Bkegah32.exe 2552 Cbppnbhm.exe 2552 Cbppnbhm.exe 3036 Ciihklpj.exe 3036 Ciihklpj.exe 1788 Ckhdggom.exe 1788 Ckhdggom.exe 2864 Cfmhdpnc.exe 2864 Cfmhdpnc.exe 2092 Cileqlmg.exe 2092 Cileqlmg.exe 2356 Cpfmmf32.exe 2356 Cpfmmf32.exe 2012 Cbdiia32.exe 2012 Cbdiia32.exe 1776 Cinafkkd.exe 1776 Cinafkkd.exe 2108 Ckmnbg32.exe 2108 Ckmnbg32.exe 2132 Cnkjnb32.exe 2132 Cnkjnb32.exe 2388 Ceebklai.exe 2388 Ceebklai.exe 2232 Clojhf32.exe 2232 Clojhf32.exe 2396 Cnmfdb32.exe 2396 Cnmfdb32.exe 1308 Calcpm32.exe 1308 Calcpm32.exe 340 Cegoqlof.exe 340 Cegoqlof.exe 2016 Cfhkhd32.exe 2016 Cfhkhd32.exe 2456 Djdgic32.exe 2456 Djdgic32.exe 2956 Dnpciaef.exe 2956 Dnpciaef.exe 2504 Danpemej.exe 2504 Danpemej.exe 1044 Djfdob32.exe 1044 Djfdob32.exe 1000 Dmepkn32.exe 1000 Dmepkn32.exe 2240 Dcohghbk.exe 2240 Dcohghbk.exe 2088 Dbaice32.exe 2088 Dbaice32.exe 2816 Dmgmpnhl.exe 2816 Dmgmpnhl.exe 2728 Dpeiligo.exe 2728 Dpeiligo.exe 2620 Ddaemh32.exe 2620 Ddaemh32.exe 2764 Dmijfmfi.exe 2764 Dmijfmfi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gdjqamme.exe Glchpp32.exe File created C:\Windows\SysWOW64\Ahdkab32.dll Lnqjnhge.exe File opened for modification C:\Windows\SysWOW64\Ffakjm32.dll Kocpbfei.exe File created C:\Windows\SysWOW64\Cmapaflf.dll Koipglep.exe File opened for modification C:\Windows\SysWOW64\Efjmbaba.exe Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Ggapbcne.exe Gcedad32.exe File created C:\Windows\SysWOW64\Keppajog.dll Ieibdnnp.exe File opened for modification C:\Windows\SysWOW64\Jagpdd32.exe Jmlddeio.exe File created C:\Windows\SysWOW64\Mbqkiind.exe Mneohj32.exe File created C:\Windows\SysWOW64\Agihgp32.exe Aobpfb32.exe File created C:\Windows\SysWOW64\Bbllnlfd.exe Bkbdabog.exe File created C:\Windows\SysWOW64\Ibcphc32.exe Inhdgdmk.exe File created C:\Windows\SysWOW64\Gqaafn32.exe Gmeeepjp.exe File created C:\Windows\SysWOW64\Hcojam32.exe Heliepmn.exe File created C:\Windows\SysWOW64\Hlhjdd32.dll Oefjdgjk.exe File created C:\Windows\SysWOW64\Jkbolo32.dll Qhilkege.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Feddombd.exe File created C:\Windows\SysWOW64\Kadica32.exe Kadica32.exe File created C:\Windows\SysWOW64\Gqlhkofn.exe Gnnlocgk.exe File opened for modification C:\Windows\SysWOW64\Hbidne32.exe Hnnhngjf.exe File created C:\Windows\SysWOW64\Indnnfdn.exe Ikfbbjdj.exe File opened for modification C:\Windows\SysWOW64\Glehgdkn.dll Indnnfdn.exe File created C:\Windows\SysWOW64\Iphgln32.exe Iaegpaao.exe File created C:\Windows\SysWOW64\Jefbnacn.exe Jfcabd32.exe File opened for modification C:\Windows\SysWOW64\Fadndbci.exe Fofbhgde.exe File created C:\Windows\SysWOW64\Cmppehkh.exe Cehhdkjf.exe File opened for modification C:\Windows\SysWOW64\Keclgbfi.dll Gpggei32.exe File opened for modification C:\Windows\SysWOW64\Lhfnkqgk.exe Ldjbkb32.exe File created C:\Windows\SysWOW64\Fgglcg32.dll Piliii32.exe File created C:\Windows\SysWOW64\Epbbkf32.exe Elgfkhpi.exe File opened for modification C:\Windows\SysWOW64\Ehnfpifm.exe Eeojcmfi.exe File opened for modification C:\Windows\SysWOW64\Inojhc32.exe Ijcngenj.exe File opened for modification C:\Windows\SysWOW64\Hcgmfgfd.exe Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Fcpacf32.exe Fodebh32.exe File created C:\Windows\SysWOW64\Homdhjai.exe Hgflflqg.exe File opened for modification C:\Windows\SysWOW64\Heliepmn.exe Hbnmienj.exe File created C:\Windows\SysWOW64\Iibgoigc.dll Keeeje32.exe File opened for modification C:\Windows\SysWOW64\Pdbmfb32.exe Ppfafcpb.exe File opened for modification C:\Windows\SysWOW64\Flnlkgjq.exe Fdgdji32.exe File opened for modification C:\Windows\SysWOW64\Kbhbai32.exe Kdeaelok.exe File created C:\Windows\SysWOW64\Jjipagod.dll Emifeqid.exe File created C:\Windows\SysWOW64\Mflcaaja.dll Llmmpcfe.exe File created C:\Windows\SysWOW64\Pioeoi32.exe Pjleclph.exe File created C:\Windows\SysWOW64\Feddombd.exe Fbegbacp.exe File created C:\Windows\SysWOW64\Fppaej32.exe Fmaeho32.exe File opened for modification C:\Windows\SysWOW64\Gojhafnb.exe Gpggei32.exe File created C:\Windows\SysWOW64\Neniei32.dll Dcohghbk.exe File created C:\Windows\SysWOW64\Lcmdjb32.dll Odkgec32.exe File created C:\Windows\SysWOW64\Flnlkgjq.exe Fdgdji32.exe File opened for modification C:\Windows\SysWOW64\Fmfocnjg.exe Fkhbgbkc.exe File opened for modification C:\Windows\SysWOW64\Kmkihbho.exe Kipmhc32.exe File opened for modification C:\Windows\SysWOW64\Koipglep.exe Kljdkpfl.exe File opened for modification C:\Windows\SysWOW64\Elgfkhpi.exe Emdeok32.exe File opened for modification C:\Windows\SysWOW64\Colpld32.exe Cmmcpi32.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fkefbcmf.exe File opened for modification C:\Windows\SysWOW64\Boogmgkl.exe 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe File created C:\Windows\SysWOW64\Eakooqih.exe Dpjbgh32.exe File created C:\Windows\SysWOW64\Iiqldc32.exe Ifbphh32.exe File created C:\Windows\SysWOW64\Iieepbje.exe Iejiodbl.exe File opened for modification C:\Windows\SysWOW64\Ppmgfb32.exe Phfoee32.exe File created C:\Windows\SysWOW64\Jqgaapqd.dll Anogijnb.exe File created C:\Windows\SysWOW64\Bndlbd32.dll Igoomk32.exe File created C:\Windows\SysWOW64\Lkggmldl.exe Lhhkapeh.exe File opened for modification C:\Windows\SysWOW64\Nnleiipc.exe Njpihk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7244 7220 WerFault.exe 763 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkicbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkipao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegeonpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagkjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbidne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcnakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jieaofmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbaml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fadndbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnnab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmijfmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbdci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlljaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkmeiei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagpdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iediin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggggoda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbejb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfocnjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaojnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpdcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgnhkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joggci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajokhp32.dll" Ehnfpifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aognbnkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpeem32.dll" Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Honnki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhcmedli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfifa32.dll" Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cceogcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnkoid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmmcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iegeonpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pebncn32.dll" Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faiboc32.dll" Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebepdj32.dll" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fganph32.dll" Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdbf32.dll" Aiaoclgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnhgha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lncfcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgmpqdg.dll" Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mobomnoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmplbgpm.dll" Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll" Jnmiag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljhgm32.dll" Ekhmcelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflomd32.dll" Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codebccd.dll" Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll" Kfaalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmijfmfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbnmienj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjplobo.dll" Ichmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Modlbmmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppinkcnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cglalbbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokggo32.dll" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edcnakpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khohkamc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meoaif32.dll" Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loeccoai.dll" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Figmjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bfioia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Indnnfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kalipcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keioca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehdigjnf.dll" Jpajbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2692 2640 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe 31 PID 2640 wrote to memory of 2692 2640 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe 31 PID 2640 wrote to memory of 2692 2640 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe 31 PID 2640 wrote to memory of 2692 2640 7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe 31 PID 2692 wrote to memory of 2708 2692 Boogmgkl.exe 32 PID 2692 wrote to memory of 2708 2692 Boogmgkl.exe 32 PID 2692 wrote to memory of 2708 2692 Boogmgkl.exe 32 PID 2692 wrote to memory of 2708 2692 Boogmgkl.exe 32 PID 2708 wrote to memory of 2832 2708 Bfioia32.exe 33 PID 2708 wrote to memory of 2832 2708 Bfioia32.exe 33 PID 2708 wrote to memory of 2832 2708 Bfioia32.exe 33 PID 2708 wrote to memory of 2832 2708 Bfioia32.exe 33 PID 2832 wrote to memory of 2740 2832 Bfioia32.exe 34 PID 2832 wrote to memory of 2740 2832 Bfioia32.exe 34 PID 2832 wrote to memory of 2740 2832 Bfioia32.exe 34 PID 2832 wrote to memory of 2740 2832 Bfioia32.exe 34 PID 2740 wrote to memory of 2552 2740 Bkegah32.exe 35 PID 2740 wrote to memory of 2552 2740 Bkegah32.exe 35 PID 2740 wrote to memory of 2552 2740 Bkegah32.exe 35 PID 2740 wrote to memory of 2552 2740 Bkegah32.exe 35 PID 2552 wrote to memory of 3036 2552 Cbppnbhm.exe 36 PID 2552 wrote to memory of 3036 2552 Cbppnbhm.exe 36 PID 2552 wrote to memory of 3036 2552 Cbppnbhm.exe 36 PID 2552 wrote to memory of 3036 2552 Cbppnbhm.exe 36 PID 3036 wrote to memory of 1788 3036 Ciihklpj.exe 37 PID 3036 wrote to memory of 1788 3036 Ciihklpj.exe 37 PID 3036 wrote to memory of 1788 3036 Ciihklpj.exe 37 PID 3036 wrote to memory of 1788 3036 Ciihklpj.exe 37 PID 1788 wrote to memory of 2864 1788 Ckhdggom.exe 38 PID 1788 wrote to memory of 2864 1788 Ckhdggom.exe 38 PID 1788 wrote to memory of 2864 1788 Ckhdggom.exe 38 PID 1788 wrote to memory of 2864 1788 Ckhdggom.exe 38 PID 2864 wrote to memory of 2092 2864 Cfmhdpnc.exe 39 PID 2864 wrote to memory of 2092 2864 Cfmhdpnc.exe 39 PID 2864 wrote to memory of 2092 2864 Cfmhdpnc.exe 39 PID 2864 wrote to memory of 2092 2864 Cfmhdpnc.exe 39 PID 2092 wrote to memory of 2356 2092 Cileqlmg.exe 40 PID 2092 wrote to memory of 2356 2092 Cileqlmg.exe 40 PID 2092 wrote to memory of 2356 2092 Cileqlmg.exe 40 PID 2092 wrote to memory of 2356 2092 Cileqlmg.exe 40 PID 2356 wrote to memory of 2012 2356 Cpfmmf32.exe 41 PID 2356 wrote to memory of 2012 2356 Cpfmmf32.exe 41 PID 2356 wrote to memory of 2012 2356 Cpfmmf32.exe 41 PID 2356 wrote to memory of 2012 2356 Cpfmmf32.exe 41 PID 2012 wrote to memory of 1776 2012 Cbdiia32.exe 42 PID 2012 wrote to memory of 1776 2012 Cbdiia32.exe 42 PID 2012 wrote to memory of 1776 2012 Cbdiia32.exe 42 PID 2012 wrote to memory of 1776 2012 Cbdiia32.exe 42 PID 1776 wrote to memory of 2108 1776 Cinafkkd.exe 43 PID 1776 wrote to memory of 2108 1776 Cinafkkd.exe 43 PID 1776 wrote to memory of 2108 1776 Cinafkkd.exe 43 PID 1776 wrote to memory of 2108 1776 Cinafkkd.exe 43 PID 2108 wrote to memory of 2132 2108 Ckmnbg32.exe 44 PID 2108 wrote to memory of 2132 2108 Ckmnbg32.exe 44 PID 2108 wrote to memory of 2132 2108 Ckmnbg32.exe 44 PID 2108 wrote to memory of 2132 2108 Ckmnbg32.exe 44 PID 2132 wrote to memory of 2388 2132 Cnkjnb32.exe 45 PID 2132 wrote to memory of 2388 2132 Cnkjnb32.exe 45 PID 2132 wrote to memory of 2388 2132 Cnkjnb32.exe 45 PID 2132 wrote to memory of 2388 2132 Cnkjnb32.exe 45 PID 2388 wrote to memory of 2232 2388 Ceebklai.exe 46 PID 2388 wrote to memory of 2232 2388 Ceebklai.exe 46 PID 2388 wrote to memory of 2232 2388 Ceebklai.exe 46 PID 2388 wrote to memory of 2232 2388 Ceebklai.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe"C:\Users\Admin\AppData\Local\Temp\7003981e9a5de931105eb00bd9551a82582fa8e5569ecf0d17196fa51096b54aN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe34⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe35⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe36⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe38⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe39⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe40⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe41⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe43⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe44⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe45⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe47⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe48⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe49⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe50⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe51⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe53⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe55⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe56⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe57⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe58⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe59⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe60⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe61⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe62⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe63⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe64⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe65⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe66⤵PID:2508
-
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe67⤵PID:3020
-
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe68⤵PID:2784
-
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe69⤵PID:2584
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe70⤵PID:1056
-
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe71⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe72⤵PID:2744
-
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe73⤵PID:1564
-
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe74⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe75⤵PID:1908
-
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe77⤵PID:2536
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe78⤵PID:2140
-
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe79⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe80⤵
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe81⤵PID:1832
-
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe82⤵PID:1644
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe83⤵PID:1980
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe84⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe85⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe86⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe87⤵PID:2624
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe88⤵PID:2868
-
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe89⤵PID:2760
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe90⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe91⤵PID:1968
-
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe92⤵PID:1588
-
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe93⤵PID:2168
-
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe94⤵PID:1720
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe96⤵PID:2220
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe97⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe98⤵PID:2804
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe99⤵PID:2680
-
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe100⤵PID:2856
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe101⤵
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe102⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe103⤵PID:764
-
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe105⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe106⤵PID:3048
-
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe107⤵PID:2328
-
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe108⤵PID:1584
-
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe109⤵PID:2688
-
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe111⤵PID:2896
-
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe112⤵PID:2588
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1172 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe114⤵PID:2348
-
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe115⤵PID:2180
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe116⤵PID:2528
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe117⤵PID:804
-
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe118⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe120⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe121⤵PID:1620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-