Analysis
-
max time kernel
39s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 12:04
Behavioral task
behavioral1
Sample
e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe
-
Size
280KB
-
MD5
f71044a74fb20ba8d94d774fb90ba1af
-
SHA1
5565024c4412b9f15bf91612664e989472e399f3
-
SHA256
e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c
-
SHA512
662741395f607f0ff087007ee160c56f7a09a808abb73169474e387034a1c55e67c66d1aefcae6a5e9fc4ba25a43f145f9311a633e4e3fe3d0e8ce75551a52b2
-
SSDEEP
6144:fUp2nG++/i/GOORjMmRUoooooooooooooooooooooooooy/GF:cplFi//OVLCoooooooooooooooooooo+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cillkbac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcedad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljkaeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mihdgkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamdkfnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppddpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhhkapeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhcoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkakicam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oajlkojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbfilffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkcbnanl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkibcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnpecbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdadjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fppaej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqodqodl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkkmgncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpjhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adnpkjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqodqodl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhmcmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqnoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbgckgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqolji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aobpfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fepjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmcopebh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kijkje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgjml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacfidem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioeclg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 300 Hbfepmmn.exe 552 Hipmmg32.exe 2288 Hdlkcdog.exe 2868 Hjfcpo32.exe 2808 Ijklknbn.exe 3068 Ifampo32.exe 2788 Iegjqk32.exe 2424 Ifffkncm.exe 2852 Ielclkhe.exe 2944 Jbpdeogo.exe 2240 Jkkija32.exe 1296 Jepmgj32.exe 2516 Jjbbpmgo.exe 2024 Jjdofm32.exe 1084 Kfkpknkq.exe 448 Kpadhg32.exe 1700 Kljabgnh.exe 2560 Kbgjkn32.exe 2564 Kllnhg32.exe 1772 Knnkpobc.exe 2892 Kfebambf.exe 1936 Lkakicam.exe 2200 Lghlndfa.exe 1736 Lnbdko32.exe 1608 Lkfddc32.exe 2420 Lmgalkcf.exe 1320 Ljkaeo32.exe 1952 Lmjnak32.exe 2396 Lohjnf32.exe 2184 Lmljgj32.exe 2792 Lokgcf32.exe 3056 Mmogmjmn.exe 2844 Mchoid32.exe 2796 Mkddnf32.exe 1828 Mnbpjb32.exe 3004 Mihdgkpp.exe 980 Meoell32.exe 1656 Mgmahg32.exe 1928 Mjkndb32.exe 2636 Meabakda.exe 2116 Mjnjjbbh.exe 1496 Ncfoch32.exe 2232 Nfdkoc32.exe 2000 Ndhlhg32.exe 604 Njbdea32.exe 1536 Nmqpam32.exe 2300 Npolmh32.exe 2256 Nfidjbdg.exe 1776 Njdqka32.exe 292 Nlfmbibo.exe 1220 Ndmecgba.exe 1556 Nmejllia.exe 2164 Noffdd32.exe 2224 Nfnneb32.exe 2712 Oiljam32.exe 3000 Opfbngfb.exe 1940 Obdojcef.exe 2740 Ohagbj32.exe 3060 Olmcchlg.exe 2940 Oajlkojn.exe 1248 Oeehln32.exe 2136 Olophhjd.exe 2100 Oehdan32.exe 2536 Ohfqmi32.exe -
Loads dropped DLL 64 IoCs
pid Process 1684 e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe 1684 e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe 300 Hbfepmmn.exe 300 Hbfepmmn.exe 552 Hipmmg32.exe 552 Hipmmg32.exe 2288 Hdlkcdog.exe 2288 Hdlkcdog.exe 2868 Hjfcpo32.exe 2868 Hjfcpo32.exe 2808 Ijklknbn.exe 2808 Ijklknbn.exe 3068 Ifampo32.exe 3068 Ifampo32.exe 2788 Iegjqk32.exe 2788 Iegjqk32.exe 2424 Ifffkncm.exe 2424 Ifffkncm.exe 2852 Ielclkhe.exe 2852 Ielclkhe.exe 2944 Jbpdeogo.exe 2944 Jbpdeogo.exe 2240 Jkkija32.exe 2240 Jkkija32.exe 1296 Jepmgj32.exe 1296 Jepmgj32.exe 2516 Jjbbpmgo.exe 2516 Jjbbpmgo.exe 2024 Jjdofm32.exe 2024 Jjdofm32.exe 1084 Kfkpknkq.exe 1084 Kfkpknkq.exe 448 Kpadhg32.exe 448 Kpadhg32.exe 1700 Kljabgnh.exe 1700 Kljabgnh.exe 2560 Kbgjkn32.exe 2560 Kbgjkn32.exe 2564 Kllnhg32.exe 2564 Kllnhg32.exe 1772 Knnkpobc.exe 1772 Knnkpobc.exe 2892 Kfebambf.exe 2892 Kfebambf.exe 1936 Lkakicam.exe 1936 Lkakicam.exe 2200 Lghlndfa.exe 2200 Lghlndfa.exe 1736 Lnbdko32.exe 1736 Lnbdko32.exe 1608 Lkfddc32.exe 1608 Lkfddc32.exe 2420 Lmgalkcf.exe 2420 Lmgalkcf.exe 1320 Ljkaeo32.exe 1320 Ljkaeo32.exe 1952 Lmjnak32.exe 1952 Lmjnak32.exe 2396 Lohjnf32.exe 2396 Lohjnf32.exe 2184 Lmljgj32.exe 2184 Lmljgj32.exe 2792 Lokgcf32.exe 2792 Lokgcf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dafmqb32.exe Ddblgn32.exe File created C:\Windows\SysWOW64\Bnfifeml.dll Ehjqgjmp.exe File opened for modification C:\Windows\SysWOW64\Kijkje32.exe Kbpbmkan.exe File created C:\Windows\SysWOW64\Ipfpae32.dll Apkgpf32.exe File opened for modification C:\Windows\SysWOW64\Cbgmigeq.exe Cpiqmlfm.exe File opened for modification C:\Windows\SysWOW64\Bbhccm32.exe Blkjkflb.exe File created C:\Windows\SysWOW64\Dkejof32.dll Meoell32.exe File opened for modification C:\Windows\SysWOW64\Gonocmbi.exe Gbjojh32.exe File opened for modification C:\Windows\SysWOW64\Bchfhfeh.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Lcblan32.exe Laqojfli.exe File opened for modification C:\Windows\SysWOW64\Nijpdfhm.exe Njgpij32.exe File created C:\Windows\SysWOW64\Golbnm32.exe Gmmfaa32.exe File created C:\Windows\SysWOW64\Hcldhnkk.exe Hpphhp32.exe File opened for modification C:\Windows\SysWOW64\Ihniaa32.exe Ieomef32.exe File created C:\Windows\SysWOW64\Pdlkggmp.dll Lnqjnhge.exe File created C:\Windows\SysWOW64\Ffaaoh32.exe Fcbecl32.exe File created C:\Windows\SysWOW64\Hcdnhoac.exe Hnheohcl.exe File created C:\Windows\SysWOW64\Eegkpo32.exe Dbiocd32.exe File created C:\Windows\SysWOW64\Nfnidhlj.dll Fabaocfl.exe File created C:\Windows\SysWOW64\Jagpdd32.exe Jjnhhjjk.exe File created C:\Windows\SysWOW64\Bbhccm32.exe Blkjkflb.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Bkbdabog.exe File opened for modification C:\Windows\SysWOW64\Bnqned32.exe Bgffhkoj.exe File created C:\Windows\SysWOW64\Eddmlhaq.dll Lnhgim32.exe File created C:\Windows\SysWOW64\Flocfmnl.exe Ekmfne32.exe File opened for modification C:\Windows\SysWOW64\Odkgec32.exe Onnnml32.exe File created C:\Windows\SysWOW64\Nehhoand.dll Olpbaa32.exe File created C:\Windows\SysWOW64\Odkgec32.exe Onnnml32.exe File opened for modification C:\Windows\SysWOW64\Hclfag32.exe Hifbdnbi.exe File created C:\Windows\SysWOW64\Kbgjkn32.exe Kljabgnh.exe File created C:\Windows\SysWOW64\Oigemnhm.dll Odmabj32.exe File opened for modification C:\Windows\SysWOW64\Iejiodbl.exe Ibkmchbh.exe File created C:\Windows\SysWOW64\Jhjbqo32.exe Jbnjhh32.exe File opened for modification C:\Windows\SysWOW64\Kekiphge.exe Koaqcn32.exe File opened for modification C:\Windows\SysWOW64\Bqgmfkhg.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Pdfndl32.dll Giolnomh.exe File opened for modification C:\Windows\SysWOW64\Nenkqi32.exe Nmfbpk32.exe File opened for modification C:\Windows\SysWOW64\Oiffkkbk.exe Ofhjopbg.exe File created C:\Windows\SysWOW64\Efeckm32.dll Ceebklai.exe File created C:\Windows\SysWOW64\Dijdkh32.dll Emoldlmc.exe File created C:\Windows\SysWOW64\Ciajik32.dll Hdlkcdog.exe File created C:\Windows\SysWOW64\Bnqned32.exe Bgffhkoj.exe File created C:\Windows\SysWOW64\Oimeai32.dll Djgkii32.exe File opened for modification C:\Windows\SysWOW64\Ggagmjbq.exe Fepjea32.exe File created C:\Windows\SysWOW64\Imokehhl.exe Ilnomp32.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Dhpgfeao.exe File created C:\Windows\SysWOW64\Ldeiojhn.dll Iaimipjl.exe File created C:\Windows\SysWOW64\Iegjqk32.exe Ifampo32.exe File created C:\Windows\SysWOW64\Ghcicglo.dll Plaimk32.exe File created C:\Windows\SysWOW64\Hmoofdea.exe Hjacjifm.exe File created C:\Windows\SysWOW64\Hmdhad32.exe Hcldhnkk.exe File created C:\Windows\SysWOW64\Gghmmilh.exe Gdjqamme.exe File created C:\Windows\SysWOW64\Gaagcpdl.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Adnjbnhn.dll Glnhjjml.exe File created C:\Windows\SysWOW64\Mgmahg32.exe Meoell32.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Poklngnf.exe File created C:\Windows\SysWOW64\Gblkoham.exe Gonocmbi.exe File created C:\Windows\SysWOW64\Jlhbje32.dll Cmfmojcb.exe File created C:\Windows\SysWOW64\Omckoi32.exe Ohfcfb32.exe File created C:\Windows\SysWOW64\Llpfjomf.exe Kgcnahoo.exe File opened for modification C:\Windows\SysWOW64\Accqnc32.exe Alihaioe.exe File created C:\Windows\SysWOW64\Bjbndpmd.exe Bchfhfeh.exe File opened for modification C:\Windows\SysWOW64\Kokmmkcm.exe Klmqapci.exe File created C:\Windows\SysWOW64\Nijpdfhm.exe Njgpij32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3068 6152 WerFault.exe 713 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjlhcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcblan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpflkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olophhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpabpcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdofm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpebmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagkjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbobkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkqlgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljabgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpdaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfmbibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphiqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmnjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpckece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijklknbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imjkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkqmpip.dll" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmofdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aobpfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kambcbhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epnhci32.dll" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Objaha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jacfidem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhqnpqce.dll" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdonhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkhhhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lonibk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flfpabkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efhqmadd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnqjnhge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefkh32.dll" Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engeeehn.dll" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alelkg32.dll" Daaenlng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghlaj32.dll" Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifffkncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccbphk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaihob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnclf32.dll" Jkkija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klihnmmj.dll" Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkglbmf.dll" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hipmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpadhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmaibil.dll" Eecafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oplelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbmfgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" Pmkhjncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncnhl32.dll" Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adfbpega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekhmcelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnibcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djgkii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knpbpo32.dll" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Hcgmfgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnhnc32.dll" Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmffpom.dll" Ajcipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhljkm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1684 wrote to memory of 300 1684 e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe 30 PID 1684 wrote to memory of 300 1684 e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe 30 PID 1684 wrote to memory of 300 1684 e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe 30 PID 1684 wrote to memory of 300 1684 e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe 30 PID 300 wrote to memory of 552 300 Hbfepmmn.exe 31 PID 300 wrote to memory of 552 300 Hbfepmmn.exe 31 PID 300 wrote to memory of 552 300 Hbfepmmn.exe 31 PID 300 wrote to memory of 552 300 Hbfepmmn.exe 31 PID 552 wrote to memory of 2288 552 Hipmmg32.exe 32 PID 552 wrote to memory of 2288 552 Hipmmg32.exe 32 PID 552 wrote to memory of 2288 552 Hipmmg32.exe 32 PID 552 wrote to memory of 2288 552 Hipmmg32.exe 32 PID 2288 wrote to memory of 2868 2288 Hdlkcdog.exe 33 PID 2288 wrote to memory of 2868 2288 Hdlkcdog.exe 33 PID 2288 wrote to memory of 2868 2288 Hdlkcdog.exe 33 PID 2288 wrote to memory of 2868 2288 Hdlkcdog.exe 33 PID 2868 wrote to memory of 2808 2868 Hjfcpo32.exe 34 PID 2868 wrote to memory of 2808 2868 Hjfcpo32.exe 34 PID 2868 wrote to memory of 2808 2868 Hjfcpo32.exe 34 PID 2868 wrote to memory of 2808 2868 Hjfcpo32.exe 34 PID 2808 wrote to memory of 3068 2808 Ijklknbn.exe 35 PID 2808 wrote to memory of 3068 2808 Ijklknbn.exe 35 PID 2808 wrote to memory of 3068 2808 Ijklknbn.exe 35 PID 2808 wrote to memory of 3068 2808 Ijklknbn.exe 35 PID 3068 wrote to memory of 2788 3068 Ifampo32.exe 36 PID 3068 wrote to memory of 2788 3068 Ifampo32.exe 36 PID 3068 wrote to memory of 2788 3068 Ifampo32.exe 36 PID 3068 wrote to memory of 2788 3068 Ifampo32.exe 36 PID 2788 wrote to memory of 2424 2788 Iegjqk32.exe 37 PID 2788 wrote to memory of 2424 2788 Iegjqk32.exe 37 PID 2788 wrote to memory of 2424 2788 Iegjqk32.exe 37 PID 2788 wrote to memory of 2424 2788 Iegjqk32.exe 37 PID 2424 wrote to memory of 2852 2424 Ifffkncm.exe 38 PID 2424 wrote to memory of 2852 2424 Ifffkncm.exe 38 PID 2424 wrote to memory of 2852 2424 Ifffkncm.exe 38 PID 2424 wrote to memory of 2852 2424 Ifffkncm.exe 38 PID 2852 wrote to memory of 2944 2852 Ielclkhe.exe 39 PID 2852 wrote to memory of 2944 2852 Ielclkhe.exe 39 PID 2852 wrote to memory of 2944 2852 Ielclkhe.exe 39 PID 2852 wrote to memory of 2944 2852 Ielclkhe.exe 39 PID 2944 wrote to memory of 2240 2944 Jbpdeogo.exe 40 PID 2944 wrote to memory of 2240 2944 Jbpdeogo.exe 40 PID 2944 wrote to memory of 2240 2944 Jbpdeogo.exe 40 PID 2944 wrote to memory of 2240 2944 Jbpdeogo.exe 40 PID 2240 wrote to memory of 1296 2240 Jkkija32.exe 41 PID 2240 wrote to memory of 1296 2240 Jkkija32.exe 41 PID 2240 wrote to memory of 1296 2240 Jkkija32.exe 41 PID 2240 wrote to memory of 1296 2240 Jkkija32.exe 41 PID 1296 wrote to memory of 2516 1296 Jepmgj32.exe 42 PID 1296 wrote to memory of 2516 1296 Jepmgj32.exe 42 PID 1296 wrote to memory of 2516 1296 Jepmgj32.exe 42 PID 1296 wrote to memory of 2516 1296 Jepmgj32.exe 42 PID 2516 wrote to memory of 2024 2516 Jjbbpmgo.exe 43 PID 2516 wrote to memory of 2024 2516 Jjbbpmgo.exe 43 PID 2516 wrote to memory of 2024 2516 Jjbbpmgo.exe 43 PID 2516 wrote to memory of 2024 2516 Jjbbpmgo.exe 43 PID 2024 wrote to memory of 1084 2024 Jjdofm32.exe 44 PID 2024 wrote to memory of 1084 2024 Jjdofm32.exe 44 PID 2024 wrote to memory of 1084 2024 Jjdofm32.exe 44 PID 2024 wrote to memory of 1084 2024 Jjdofm32.exe 44 PID 1084 wrote to memory of 448 1084 Kfkpknkq.exe 45 PID 1084 wrote to memory of 448 1084 Kfkpknkq.exe 45 PID 1084 wrote to memory of 448 1084 Kfkpknkq.exe 45 PID 1084 wrote to memory of 448 1084 Kfkpknkq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe"C:\Users\Admin\AppData\Local\Temp\e1632d0ad873ced2d0a81c066cd572e466c6243eb7f5b0104addb585a32db86c.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe33⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe34⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe35⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe36⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe39⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe40⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe41⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe42⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe43⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe44⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe46⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe47⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe48⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe49⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe50⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:292 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe52⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe53⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe54⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe55⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe56⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe57⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe58⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe59⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe62⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe64⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe67⤵PID:1524
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe68⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe69⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe70⤵PID:2456
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe71⤵PID:2132
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe72⤵PID:1932
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe73⤵PID:1584
-
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe74⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe75⤵PID:2800
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe77⤵PID:2708
-
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe78⤵PID:1476
-
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe79⤵PID:2488
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe80⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe81⤵PID:2272
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe82⤵PID:2608
-
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe83⤵PID:236
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe85⤵
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:688 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe87⤵PID:1288
-
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe90⤵PID:2352
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe91⤵PID:2440
-
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe92⤵PID:2236
-
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe93⤵PID:2692
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe94⤵PID:2284
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe95⤵
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe96⤵PID:2512
-
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe97⤵PID:2096
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe98⤵PID:1920
-
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe99⤵
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe100⤵PID:1624
-
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe101⤵PID:2248
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe102⤵PID:2340
-
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe103⤵PID:2572
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe104⤵PID:2880
-
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe105⤵PID:2936
-
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe106⤵PID:2680
-
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe107⤵PID:2748
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe108⤵PID:1804
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe109⤵PID:2500
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe111⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe112⤵PID:1520
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe113⤵PID:2312
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe114⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe117⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe118⤵PID:2956
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe119⤵
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe120⤵PID:2480
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-