Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 14:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe
-
Size
72KB
-
MD5
6c731c4c81f954f974458276a0be95a8
-
SHA1
f430892f9b3751847fc431b5ce34178b82248089
-
SHA256
4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4
-
SHA512
f0eb8485c932e36105b45bc3c8f4fad510c55e93d40426aca4d091a091b6b6c60414ac381b4a5b68ab5de369291b76d22c895dc6005a98f1ca1fdb2bc4158bc5
-
SSDEEP
1536:gy671ZDPIZKZOErVG+zMD8bQYmh+4gxeLY5HgIkg47l09Y1GP+Jl9k0ej:gF5ZEZfCG+zMD85o+Zx2Y9gI2l0wIJj
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihlpqonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmlmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaaekl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilifndlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekbhnkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajapoqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdblkoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilifndlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngqeha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjkcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iabhdefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehaolpke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hechkfkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qifpqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadakl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdnlcakk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogohdeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpiacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndiomdde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iomcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bojipjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chjmmnnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcdfdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjdcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdnop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbglpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojbnkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabaec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhobgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbhoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdidmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lomglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhndnpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogdaod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blobmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdehpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oojfnakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgjdmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glomllkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaeehmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eebibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cniajdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edhpaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Engjkeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibmkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqddmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbmhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcchbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfabkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehclbpic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphgbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fladmn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2660 Dilchhgg.exe 2656 Dbdham32.exe 2712 Dmjlof32.exe 2700 Dfbqgldn.exe 2604 Eloipb32.exe 2548 Ebialmjb.exe 2288 Egfjdchi.exe 112 Ebknblho.exe 1088 Eldbkbop.exe 620 Emeobj32.exe 316 Ecogodlk.exe 2152 Ejioln32.exe 1084 Epfhde32.exe 2164 Emjhmipi.exe 1524 Ebfqfpop.exe 3060 Fiqibj32.exe 1340 Fdfmpc32.exe 1956 Fegjgkla.exe 2852 Fpmned32.exe 1804 Fbkjap32.exe 2376 Flcojeak.exe 1076 Fobkfqpo.exe 2328 Felcbk32.exe 2284 Fkilka32.exe 1712 Facdgl32.exe 2792 Flhhed32.exe 2176 Gdcmig32.exe 2832 Ggbieb32.exe 2596 Gmlablaa.exe 2968 Gmnngl32.exe 1600 Gajjhkgh.exe 1140 Gckfpc32.exe 2512 Gmqkml32.exe 2592 Glfgnh32.exe 2440 Genlgnhd.exe 1784 Hhmhcigh.exe 1508 Hofqpc32.exe 776 Heqimm32.exe 3052 Hhoeii32.exe 2184 Hoimecmb.exe 3068 Hcdifa32.exe 960 Hhaanh32.exe 644 Hajfgnjc.exe 760 Hhcndhap.exe 780 Hnpgloog.exe 2040 Hkdgecna.exe 1732 Hbnpbm32.exe 1592 Icplje32.exe 1596 Ikfdkc32.exe 2880 Ijidfpci.exe 2556 Iqcmcj32.exe 2848 Icbipe32.exe 948 Igmepdbc.exe 1484 Ifpelq32.exe 300 Ingmmn32.exe 1808 Iqfiii32.exe 1704 Icdeee32.exe 1696 Ifbaapfk.exe 2208 Ijnnao32.exe 2460 Iianmlfn.exe 2948 Iokfjf32.exe 2344 Icfbkded.exe 1536 Imogcj32.exe 1660 Iomcpe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2196 4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe 2196 4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe 2660 Dilchhgg.exe 2660 Dilchhgg.exe 2656 Dbdham32.exe 2656 Dbdham32.exe 2712 Dmjlof32.exe 2712 Dmjlof32.exe 2700 Dfbqgldn.exe 2700 Dfbqgldn.exe 2604 Eloipb32.exe 2604 Eloipb32.exe 2548 Ebialmjb.exe 2548 Ebialmjb.exe 2288 Egfjdchi.exe 2288 Egfjdchi.exe 112 Ebknblho.exe 112 Ebknblho.exe 1088 Eldbkbop.exe 1088 Eldbkbop.exe 620 Emeobj32.exe 620 Emeobj32.exe 316 Ecogodlk.exe 316 Ecogodlk.exe 2152 Ejioln32.exe 2152 Ejioln32.exe 1084 Epfhde32.exe 1084 Epfhde32.exe 2164 Emjhmipi.exe 2164 Emjhmipi.exe 1524 Ebfqfpop.exe 1524 Ebfqfpop.exe 3060 Fiqibj32.exe 3060 Fiqibj32.exe 1340 Fdfmpc32.exe 1340 Fdfmpc32.exe 1956 Fegjgkla.exe 1956 Fegjgkla.exe 2852 Fpmned32.exe 2852 Fpmned32.exe 1804 Fbkjap32.exe 1804 Fbkjap32.exe 2376 Flcojeak.exe 2376 Flcojeak.exe 1076 Fobkfqpo.exe 1076 Fobkfqpo.exe 2328 Felcbk32.exe 2328 Felcbk32.exe 2284 Fkilka32.exe 2284 Fkilka32.exe 1712 Facdgl32.exe 1712 Facdgl32.exe 2792 Flhhed32.exe 2792 Flhhed32.exe 2176 Gdcmig32.exe 2176 Gdcmig32.exe 2832 Ggbieb32.exe 2832 Ggbieb32.exe 2596 Gmlablaa.exe 2596 Gmlablaa.exe 2968 Gmnngl32.exe 2968 Gmnngl32.exe 1600 Gajjhkgh.exe 1600 Gajjhkgh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Apkbnibq.exe Alofnj32.exe File created C:\Windows\SysWOW64\Gkldbf32.dll Dndndbnl.exe File created C:\Windows\SysWOW64\Dkjkcfjc.exe Ddpbfl32.exe File opened for modification C:\Windows\SysWOW64\Jjlmkb32.exe Jkimpfmg.exe File created C:\Windows\SysWOW64\Lqgjkbop.exe Kninog32.exe File created C:\Windows\SysWOW64\Hmpbja32.exe Hplbamdf.exe File opened for modification C:\Windows\SysWOW64\Kkaolm32.exe Khcbpa32.exe File created C:\Windows\SysWOW64\Kalgdehn.dll Process not Found File created C:\Windows\SysWOW64\Iocioq32.exe Ilemce32.exe File opened for modification C:\Windows\SysWOW64\Mlgkbi32.exe Miiofn32.exe File created C:\Windows\SysWOW64\Qhfbfdem.dll Ekfaij32.exe File opened for modification C:\Windows\SysWOW64\Heakefnf.exe Hogcil32.exe File created C:\Windows\SysWOW64\Ejadibmh.exe Echlmh32.exe File opened for modification C:\Windows\SysWOW64\Mehpga32.exe Mcidkf32.exe File created C:\Windows\SysWOW64\Cfaqfh32.exe Cdpdnpif.exe File created C:\Windows\SysWOW64\Hplbamdf.exe Hlqfqo32.exe File created C:\Windows\SysWOW64\Nhfdqb32.exe Neghdg32.exe File opened for modification C:\Windows\SysWOW64\Hchoop32.exe Hpicbe32.exe File created C:\Windows\SysWOW64\Dlhaaogd.exe Djjeedhp.exe File created C:\Windows\SysWOW64\Kphipide.dll Dooqceid.exe File opened for modification C:\Windows\SysWOW64\Jljeeqfn.exe Jhniebne.exe File created C:\Windows\SysWOW64\Npffaq32.exe Nljjqbfp.exe File opened for modification C:\Windows\SysWOW64\Ilemce32.exe Ijfqfj32.exe File created C:\Windows\SysWOW64\Nkdpmn32.exe Nlapaapg.exe File created C:\Windows\SysWOW64\Odanqb32.exe Opebpdad.exe File created C:\Windows\SysWOW64\Eciljg32.dll Jkkjeeke.exe File created C:\Windows\SysWOW64\Nnbaaioa.dll Poacighp.exe File opened for modification C:\Windows\SysWOW64\Nafiej32.exe Nogmin32.exe File created C:\Windows\SysWOW64\Kljmapka.dll Agqfme32.exe File opened for modification C:\Windows\SysWOW64\Bbcjca32.exe Bpengf32.exe File created C:\Windows\SysWOW64\Eenfifcn.dll Abjeejep.exe File created C:\Windows\SysWOW64\Ebappk32.exe Epcddopf.exe File created C:\Windows\SysWOW64\Ajjgei32.exe Qhkkim32.exe File opened for modification C:\Windows\SysWOW64\Cfaqfh32.exe Cdpdnpif.exe File opened for modification C:\Windows\SysWOW64\Dochelmj.exe Dglpdomh.exe File opened for modification C:\Windows\SysWOW64\Dlhaaogd.exe Djjeedhp.exe File created C:\Windows\SysWOW64\Cmfnjnin.exe Cbajme32.exe File created C:\Windows\SysWOW64\Aodnfbpm.exe Process not Found File created C:\Windows\SysWOW64\Kbnlnmnm.dll Lgnjke32.exe File created C:\Windows\SysWOW64\Qhnmei32.dll Nlldmimi.exe File created C:\Windows\SysWOW64\Lilfchel.dll Glaiak32.exe File opened for modification C:\Windows\SysWOW64\Aioodg32.exe Process not Found File created C:\Windows\SysWOW64\Hpnlndkp.exe Hjddaj32.exe File opened for modification C:\Windows\SysWOW64\Cjikaa32.exe Process not Found File created C:\Windows\SysWOW64\Ecoihm32.exe Eqamla32.exe File created C:\Windows\SysWOW64\Icijhlgk.dll Ihijhpdo.exe File created C:\Windows\SysWOW64\Blgeahoo.exe Bemmenhb.exe File created C:\Windows\SysWOW64\Ckabkdol.dll Dhibakmb.exe File opened for modification C:\Windows\SysWOW64\Liekddkh.exe Lbkchj32.exe File opened for modification C:\Windows\SysWOW64\Edjlgq32.exe Eblpke32.exe File opened for modification C:\Windows\SysWOW64\Anpahn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfglfdeb.exe Ncipjieo.exe File opened for modification C:\Windows\SysWOW64\Jbfkeo32.exe Jcckibfg.exe File created C:\Windows\SysWOW64\Lfkfkopk.exe Lodnjboi.exe File created C:\Windows\SysWOW64\Gpmllpef.exe Gnlpeh32.exe File opened for modification C:\Windows\SysWOW64\Gipqpplq.exe Gcchgini.exe File created C:\Windows\SysWOW64\Nkbcgnie.exe Nlocka32.exe File created C:\Windows\SysWOW64\Fiqibj32.exe Ebfqfpop.exe File opened for modification C:\Windows\SysWOW64\Ijnnao32.exe Ifbaapfk.exe File created C:\Windows\SysWOW64\Lnfhal32.dll Kjpceebh.exe File opened for modification C:\Windows\SysWOW64\Ikicikap.exe Idokma32.exe File opened for modification C:\Windows\SysWOW64\Ffmkhe32.exe Fpcblkje.exe File opened for modification C:\Windows\SysWOW64\Mjpkbk32.exe Mganfp32.exe File created C:\Windows\SysWOW64\Dcpoab32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3972 3460 Process not Found 1151 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehclbpic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fladmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifgekbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfeic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfddkmch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkpcbecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebknblho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdqma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcakbjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjboeenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhfgcgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heqimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmbhnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmoceol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgannal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilomj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maocekoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fobkfqpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlfmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfmkjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcedne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebappk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdblkoco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchbmigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmqcmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaqle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iblola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaholp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imogcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnlnaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mganfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofqpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkgcmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edjlgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoboml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdbcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momapqgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjalndpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjeakfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icabeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlbbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfceom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miaaki32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifekkdfq.dll" Ibillk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qijdqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmlbaqfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Honiikpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkebebd.dll" Kfaljjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqnillbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jclnnmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcbociq.dll" Jnpoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofdeeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkiio32.dll" Ncgcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hflndjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lodnjboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anhbdpje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nljhhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llpaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nifgekbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgmilmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doeljaja.dll" Odanqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hchoop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnqhkcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohomgb32.dll" Jgnchplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbpefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdbgnmd.dll" Nfglfdeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdlpnamm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjhfjpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmien32.dll" Qnalcqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flfnhnfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmikpngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjhgidjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacmfp32.dll" Ionehnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmeagdlp.dll" Gfdaid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcfjhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnodgbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfjm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cniajdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblbj32.dll" Dfpfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mblcin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nifgekbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnpcb32.dll" Qifpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lighjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neekogkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dabfjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejccaofe.dll" Jkabmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll" Cceapl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hafbghhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaqeogll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll" Bhjpnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebappk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pchbmigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceickb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fladmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihpflaf.dll" Idokma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcdmbk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2660 2196 4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe 30 PID 2196 wrote to memory of 2660 2196 4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe 30 PID 2196 wrote to memory of 2660 2196 4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe 30 PID 2196 wrote to memory of 2660 2196 4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe 30 PID 2660 wrote to memory of 2656 2660 Dilchhgg.exe 31 PID 2660 wrote to memory of 2656 2660 Dilchhgg.exe 31 PID 2660 wrote to memory of 2656 2660 Dilchhgg.exe 31 PID 2660 wrote to memory of 2656 2660 Dilchhgg.exe 31 PID 2656 wrote to memory of 2712 2656 Dbdham32.exe 32 PID 2656 wrote to memory of 2712 2656 Dbdham32.exe 32 PID 2656 wrote to memory of 2712 2656 Dbdham32.exe 32 PID 2656 wrote to memory of 2712 2656 Dbdham32.exe 32 PID 2712 wrote to memory of 2700 2712 Dmjlof32.exe 33 PID 2712 wrote to memory of 2700 2712 Dmjlof32.exe 33 PID 2712 wrote to memory of 2700 2712 Dmjlof32.exe 33 PID 2712 wrote to memory of 2700 2712 Dmjlof32.exe 33 PID 2700 wrote to memory of 2604 2700 Dfbqgldn.exe 34 PID 2700 wrote to memory of 2604 2700 Dfbqgldn.exe 34 PID 2700 wrote to memory of 2604 2700 Dfbqgldn.exe 34 PID 2700 wrote to memory of 2604 2700 Dfbqgldn.exe 34 PID 2604 wrote to memory of 2548 2604 Eloipb32.exe 35 PID 2604 wrote to memory of 2548 2604 Eloipb32.exe 35 PID 2604 wrote to memory of 2548 2604 Eloipb32.exe 35 PID 2604 wrote to memory of 2548 2604 Eloipb32.exe 35 PID 2548 wrote to memory of 2288 2548 Ebialmjb.exe 36 PID 2548 wrote to memory of 2288 2548 Ebialmjb.exe 36 PID 2548 wrote to memory of 2288 2548 Ebialmjb.exe 36 PID 2548 wrote to memory of 2288 2548 Ebialmjb.exe 36 PID 2288 wrote to memory of 112 2288 Egfjdchi.exe 37 PID 2288 wrote to memory of 112 2288 Egfjdchi.exe 37 PID 2288 wrote to memory of 112 2288 Egfjdchi.exe 37 PID 2288 wrote to memory of 112 2288 Egfjdchi.exe 37 PID 112 wrote to memory of 1088 112 Ebknblho.exe 38 PID 112 wrote to memory of 1088 112 Ebknblho.exe 38 PID 112 wrote to memory of 1088 112 Ebknblho.exe 38 PID 112 wrote to memory of 1088 112 Ebknblho.exe 38 PID 1088 wrote to memory of 620 1088 Eldbkbop.exe 39 PID 1088 wrote to memory of 620 1088 Eldbkbop.exe 39 PID 1088 wrote to memory of 620 1088 Eldbkbop.exe 39 PID 1088 wrote to memory of 620 1088 Eldbkbop.exe 39 PID 620 wrote to memory of 316 620 Emeobj32.exe 40 PID 620 wrote to memory of 316 620 Emeobj32.exe 40 PID 620 wrote to memory of 316 620 Emeobj32.exe 40 PID 620 wrote to memory of 316 620 Emeobj32.exe 40 PID 316 wrote to memory of 2152 316 Ecogodlk.exe 41 PID 316 wrote to memory of 2152 316 Ecogodlk.exe 41 PID 316 wrote to memory of 2152 316 Ecogodlk.exe 41 PID 316 wrote to memory of 2152 316 Ecogodlk.exe 41 PID 2152 wrote to memory of 1084 2152 Ejioln32.exe 42 PID 2152 wrote to memory of 1084 2152 Ejioln32.exe 42 PID 2152 wrote to memory of 1084 2152 Ejioln32.exe 42 PID 2152 wrote to memory of 1084 2152 Ejioln32.exe 42 PID 1084 wrote to memory of 2164 1084 Epfhde32.exe 43 PID 1084 wrote to memory of 2164 1084 Epfhde32.exe 43 PID 1084 wrote to memory of 2164 1084 Epfhde32.exe 43 PID 1084 wrote to memory of 2164 1084 Epfhde32.exe 43 PID 2164 wrote to memory of 1524 2164 Emjhmipi.exe 44 PID 2164 wrote to memory of 1524 2164 Emjhmipi.exe 44 PID 2164 wrote to memory of 1524 2164 Emjhmipi.exe 44 PID 2164 wrote to memory of 1524 2164 Emjhmipi.exe 44 PID 1524 wrote to memory of 3060 1524 Ebfqfpop.exe 45 PID 1524 wrote to memory of 3060 1524 Ebfqfpop.exe 45 PID 1524 wrote to memory of 3060 1524 Ebfqfpop.exe 45 PID 1524 wrote to memory of 3060 1524 Ebfqfpop.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe"C:\Users\Admin\AppData\Local\Temp\4f62fd4a48d04a6889b2fcae679e90ac387ed6abf05a251b368bfbde32636df4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Felcbk32.exeC:\Windows\system32\Felcbk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Fkilka32.exeC:\Windows\system32\Fkilka32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Gmlablaa.exeC:\Windows\system32\Gmlablaa.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Gajjhkgh.exeC:\Windows\system32\Gajjhkgh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe33⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe34⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe35⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe36⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe37⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Heqimm32.exeC:\Windows\system32\Heqimm32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe41⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Hcdifa32.exeC:\Windows\system32\Hcdifa32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe43⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe44⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe45⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe46⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Hkdgecna.exeC:\Windows\system32\Hkdgecna.exe47⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe48⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe49⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe50⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe51⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe52⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Icbipe32.exeC:\Windows\system32\Icbipe32.exe53⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Igmepdbc.exeC:\Windows\system32\Igmepdbc.exe54⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe55⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe56⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe57⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Icdeee32.exeC:\Windows\system32\Icdeee32.exe58⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ifbaapfk.exeC:\Windows\system32\Ifbaapfk.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe61⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe62⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Icfbkded.exeC:\Windows\system32\Icfbkded.exe63⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe66⤵PID:2052
-
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe68⤵PID:2076
-
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe69⤵PID:2664
-
C:\Windows\SysWOW64\Joppeeif.exeC:\Windows\system32\Joppeeif.exe70⤵PID:2564
-
C:\Windows\SysWOW64\Jnbpqb32.exeC:\Windows\system32\Jnbpqb32.exe71⤵PID:2652
-
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe72⤵PID:408
-
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe73⤵PID:376
-
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe74⤵PID:2120
-
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe75⤵PID:292
-
C:\Windows\SysWOW64\Jijacjnc.exeC:\Windows\system32\Jijacjnc.exe76⤵PID:736
-
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe77⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe78⤵PID:3028
-
C:\Windows\SysWOW64\Jaeehmko.exeC:\Windows\system32\Jaeehmko.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe80⤵PID:1960
-
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe81⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe83⤵PID:1412
-
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe84⤵PID:2640
-
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe85⤵PID:2856
-
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe86⤵PID:2696
-
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe87⤵PID:2956
-
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe88⤵PID:2100
-
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe89⤵PID:1136
-
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe90⤵PID:1440
-
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe91⤵PID:1820
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe92⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe93⤵PID:1796
-
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe94⤵PID:2828
-
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe95⤵PID:1544
-
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe96⤵PID:2236
-
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe97⤵PID:2648
-
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe98⤵PID:2744
-
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe100⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe101⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe102⤵PID:712
-
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe103⤵PID:1644
-
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe104⤵PID:2156
-
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe105⤵PID:2140
-
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe106⤵PID:1104
-
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe107⤵PID:1364
-
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe108⤵PID:2808
-
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe109⤵PID:2200
-
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe110⤵PID:2576
-
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe111⤵PID:400
-
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe112⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe113⤵PID:2372
-
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe114⤵PID:3004
-
C:\Windows\SysWOW64\Mecglbfl.exeC:\Windows\system32\Mecglbfl.exe115⤵PID:884
-
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe116⤵PID:2128
-
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe117⤵PID:668
-
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe118⤵PID:2668
-
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe119⤵PID:236
-
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe120⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe121⤵PID:804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-