Analysis
-
max time kernel
69s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 02:24
Static task
static1
Behavioral task
behavioral1
Sample
b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe
Resource
win10v2004-20241007-en
General
-
Target
b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe
-
Size
120KB
-
MD5
066638b544cc5e5635918c8cb51189cf
-
SHA1
06083627f1154df4ee38da355a7692d5221878f2
-
SHA256
b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261
-
SHA512
dbbbc1521c18d57da6248ee5731201b37791c52bc5aff67f747e9b776b7a29844971c24ceb97ab1cc879ec571ee14f41244715c026719cb039f76b6be0b4b5ff
-
SSDEEP
3072:E1HGrmOR0el203H/6TC+qF1SsB1bw4AVRrd9:E1HGxl9C81NBy9
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldchdjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgblphf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihnqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngahmngp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oceaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gofajcog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apdminod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dihmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phckglbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojlkonpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojoalda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jekaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcccglnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgdmeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpogjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdnicemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aofhcmig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfijfdca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejcaanfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iocdmccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmhile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peooek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmhmdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcmjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giaddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nppceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hggeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkaihkih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjlpclc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bambjnfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgagnjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gofajcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lelmei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhcgjkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcghajkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhjhgpcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlidplcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhebij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohbqpki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmcqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdpfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoijjjcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdpmljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgbdge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idojon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flcjjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcaaloed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhopcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aellfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmkmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlndfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkihfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnihneon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnpih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhjfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdljjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioapnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblinp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2480 Qjeihl32.exe 2968 Aodnfbpm.exe 2948 Afnfcl32.exe 2780 Aeepjh32.exe 2356 Akphfbbl.exe 2552 Aehmoh32.exe 2256 Bnekcm32.exe 2508 Bcdpacgl.exe 1868 Blodefdg.exe 3036 Cppjadhk.exe 2264 Clfkfeno.exe 1096 Coiqmp32.exe 2288 Cdfief32.exe 2056 Dbnblb32.exe 2488 Dlfgehqk.exe 1936 Deahcneh.exe 956 Ekpmad32.exe 620 Eonfgbhc.exe 1520 Edkopifk.exe 1596 Epaodjlo.exe 2660 Epdljjjm.exe 812 Fdaephpc.exe 2544 Fjomhonj.exe 1748 Ffenmp32.exe 688 Fqkbkicd.exe 1172 Fmdpejgf.exe 1588 Fbqhnqen.exe 2328 Gbcecpck.exe 2748 Gbeaip32.exe 2752 Gppkkikh.exe 2792 Gjephakn.exe 976 Hflpmb32.exe 3040 Hbgjmcba.exe 2652 Ihgpkinf.exe 2380 Iocdmccp.exe 1808 Ibejfffo.exe 2076 Ilmool32.exe 2656 Ipkgejcf.exe 1496 Jpndkj32.exe 2440 Jifhdphd.exe 2704 Jcnmme32.exe 1956 Jeofnpke.exe 548 Jogjgf32.exe 1660 Jddbpmpm.exe 1532 Knmghb32.exe 612 Kdgoelnk.exe 1620 Kpmpjm32.exe 1144 Kjfdcc32.exe 892 Kcnilhap.exe 1672 Klfndn32.exe 2460 Kjjnnbfj.exe 2964 Kccbgh32.exe 2868 Lhpkoo32.exe 2912 Lnmcge32.exe 2816 Lhbhdnio.exe 2720 Lnopmegg.exe 2648 Lkcqfifp.exe 1892 Lqpiopdh.exe 2800 Ljhngfkh.exe 2092 Lcpbpk32.exe 2304 Ljjjmeie.exe 1816 Mogcelgm.exe 1136 Mjmgbe32.exe 1480 Mpipkl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2108 b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe 2108 b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe 2480 Qjeihl32.exe 2480 Qjeihl32.exe 2968 Aodnfbpm.exe 2968 Aodnfbpm.exe 2948 Afnfcl32.exe 2948 Afnfcl32.exe 2780 Aeepjh32.exe 2780 Aeepjh32.exe 2356 Akphfbbl.exe 2356 Akphfbbl.exe 2552 Aehmoh32.exe 2552 Aehmoh32.exe 2256 Bnekcm32.exe 2256 Bnekcm32.exe 2508 Bcdpacgl.exe 2508 Bcdpacgl.exe 1868 Blodefdg.exe 1868 Blodefdg.exe 3036 Cppjadhk.exe 3036 Cppjadhk.exe 2264 Clfkfeno.exe 2264 Clfkfeno.exe 1096 Coiqmp32.exe 1096 Coiqmp32.exe 2288 Cdfief32.exe 2288 Cdfief32.exe 2056 Dbnblb32.exe 2056 Dbnblb32.exe 2488 Dlfgehqk.exe 2488 Dlfgehqk.exe 1936 Deahcneh.exe 1936 Deahcneh.exe 956 Ekpmad32.exe 956 Ekpmad32.exe 620 Eonfgbhc.exe 620 Eonfgbhc.exe 1520 Edkopifk.exe 1520 Edkopifk.exe 1596 Epaodjlo.exe 1596 Epaodjlo.exe 2660 Epdljjjm.exe 2660 Epdljjjm.exe 812 Fdaephpc.exe 812 Fdaephpc.exe 2544 Fjomhonj.exe 2544 Fjomhonj.exe 1748 Ffenmp32.exe 1748 Ffenmp32.exe 688 Fqkbkicd.exe 688 Fqkbkicd.exe 1172 Fmdpejgf.exe 1172 Fmdpejgf.exe 1588 Fbqhnqen.exe 1588 Fbqhnqen.exe 2328 Gbcecpck.exe 2328 Gbcecpck.exe 2748 Gbeaip32.exe 2748 Gbeaip32.exe 2752 Gppkkikh.exe 2752 Gppkkikh.exe 2792 Gjephakn.exe 2792 Gjephakn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gqgkjc32.dll Ahancp32.exe File created C:\Windows\SysWOW64\Mofjof32.dll Pihnqj32.exe File created C:\Windows\SysWOW64\Iomaaa32.exe Ilneef32.exe File created C:\Windows\SysWOW64\Naagdj32.dll Jjpehn32.exe File created C:\Windows\SysWOW64\Bfmlgi32.exe Bkghjq32.exe File opened for modification C:\Windows\SysWOW64\Paqdgcfl.exe Pfgcff32.exe File created C:\Windows\SysWOW64\Kjdpcnfi.exe Klocba32.exe File created C:\Windows\SysWOW64\Ngolgn32.exe Nabcog32.exe File opened for modification C:\Windows\SysWOW64\Dclgbgbh.exe Dqmkflcd.exe File opened for modification C:\Windows\SysWOW64\Efllcf32.exe Enagnc32.exe File created C:\Windows\SysWOW64\Alnoepam.exe Abejlj32.exe File created C:\Windows\SysWOW64\Qhbekoih.dll Ldchdjom.exe File opened for modification C:\Windows\SysWOW64\Mhlcnl32.exe Lngpac32.exe File created C:\Windows\SysWOW64\Nogjbbma.exe Njjbjk32.exe File created C:\Windows\SysWOW64\Nelglc32.dll Bnfodojp.exe File created C:\Windows\SysWOW64\Njjfli32.exe Maabcc32.exe File opened for modification C:\Windows\SysWOW64\Kkiiom32.exe Kelqff32.exe File created C:\Windows\SysWOW64\Aledbn32.dll Oafjfokk.exe File created C:\Windows\SysWOW64\Glneao32.dll Lqpiopdh.exe File opened for modification C:\Windows\SysWOW64\Nnhobgag.exe Nepkia32.exe File created C:\Windows\SysWOW64\Ieipfd32.dll Gqendf32.exe File opened for modification C:\Windows\SysWOW64\Mqlbnnej.exe Mgdmeh32.exe File opened for modification C:\Windows\SysWOW64\Obijpgcf.exe Oddmokoo.exe File created C:\Windows\SysWOW64\Qnoklc32.exe Pahjgb32.exe File created C:\Windows\SysWOW64\Bbqddm32.dll Ajjeld32.exe File created C:\Windows\SysWOW64\Cmgblphf.exe Cgjjdijo.exe File created C:\Windows\SysWOW64\Lnopmegg.exe Lhbhdnio.exe File created C:\Windows\SysWOW64\Midbog32.dll Bjanfl32.exe File created C:\Windows\SysWOW64\Agljbf32.dll Cfhjjp32.exe File created C:\Windows\SysWOW64\Ppcoqbao.exe Pghklq32.exe File opened for modification C:\Windows\SysWOW64\Clfkfeno.exe Cppjadhk.exe File created C:\Windows\SysWOW64\Iniglajj.exe Ihooog32.exe File created C:\Windows\SysWOW64\Jfplbaim.dll Djhnmj32.exe File opened for modification C:\Windows\SysWOW64\Ddnhidmm.exe Dbmlal32.exe File created C:\Windows\SysWOW64\Qibhao32.exe Phckglbq.exe File created C:\Windows\SysWOW64\Fdhigo32.exe Flmecm32.exe File opened for modification C:\Windows\SysWOW64\Jollgl32.exe Jjocoedg.exe File opened for modification C:\Windows\SysWOW64\Ihmcelkk.exe Iodolf32.exe File created C:\Windows\SysWOW64\Fcqoec32.exe Fjhjlm32.exe File created C:\Windows\SysWOW64\Pibbke32.dll Gbeaip32.exe File created C:\Windows\SysWOW64\Opbopn32.exe Oemjbe32.exe File opened for modification C:\Windows\SysWOW64\Nmeohnil.exe Mflgkd32.exe File created C:\Windows\SysWOW64\Jhgnbehe.exe Jbjejojn.exe File created C:\Windows\SysWOW64\Enagnc32.exe Eamgeo32.exe File created C:\Windows\SysWOW64\Gnmold32.dll Lmmaoq32.exe File created C:\Windows\SysWOW64\Gaclkmid.dll Dlfgehqk.exe File opened for modification C:\Windows\SysWOW64\Fdaephpc.exe Epdljjjm.exe File created C:\Windows\SysWOW64\Kdgoelnk.exe Knmghb32.exe File created C:\Windows\SysWOW64\Hkiknb32.exe Hhhblgim.exe File created C:\Windows\SysWOW64\Lgieac32.dll Hebqbl32.exe File created C:\Windows\SysWOW64\Hmbjih32.dll Pnihneon.exe File created C:\Windows\SysWOW64\Fhccoe32.exe Fnnobl32.exe File created C:\Windows\SysWOW64\Jcodcp32.exe Jcmhmp32.exe File created C:\Windows\SysWOW64\Ehhnndia.dll Cdmgkl32.exe File created C:\Windows\SysWOW64\Flcjjdpe.exe Fffabman.exe File created C:\Windows\SysWOW64\Dlfgehqk.exe Dbnblb32.exe File created C:\Windows\SysWOW64\Kdakoj32.exe Kgmkef32.exe File opened for modification C:\Windows\SysWOW64\Kakdpb32.exe Kmnljc32.exe File created C:\Windows\SysWOW64\Nehipedn.dll Fmnmih32.exe File opened for modification C:\Windows\SysWOW64\Dcofqphi.exe Dhiacg32.exe File created C:\Windows\SysWOW64\Imjhfl32.dll Pdljjplb.exe File created C:\Windows\SysWOW64\Oldcdk32.dll Adqbml32.exe File opened for modification C:\Windows\SysWOW64\Bdbdgh32.exe Bnfodojp.exe File created C:\Windows\SysWOW64\Ffifbijg.dll Aliejq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3344 3476 WerFault.exe 781 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jollgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqmadn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhdmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbadfdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkncmhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjppg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmaoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epaodjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjjmeie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgeopqfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feppqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibeloo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpagbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncboo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eedijo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnihneon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnacbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhmdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinqoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnbjill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmcapna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmhcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogpmcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcecpck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocdmccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bipaodah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andlmnki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpogjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlleni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppjadhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnogmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmjanpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblbpnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgdcapi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cialng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkfkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbcdjpba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpncbjqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdakej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkgejcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbbfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcijmhdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfodojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbaebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpndkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccaipaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhppo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcqcjgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkpfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdakoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpokkdim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqpqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombjpd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlekjqk.dll" Damhmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbadcdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodpobjn.dll" Blodefdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhnjdfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llcfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibhieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feppqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdgoll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfmgmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komhohde.dll" Hincna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epaodjlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjanfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpnmhiij.dll" Fpijgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llainlje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlhbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgcak32.dll" Omkidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofnnj32.dll" Eddlcgjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkloip32.dll" Jogjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hopibdfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpgomne.dll" Aoijjjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockmnl32.dll" Lcpbpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hndaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofibcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deghbk32.dll" Ehnknfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipojic32.dll" Bnekcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lghgocek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbdokceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nloedjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lnopmegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdkel32.dll" Ihooog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghofhlpo.dll" Dbmnjenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcmhmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbgfmkep.dll" Fjnkac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjgoaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeeon32.dll" Jdobjgqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eabjhf32.dll" Mflgkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljhppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcnnfd32.dll" Phhhchlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fimedaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmegi32.dll" Ljjjmeie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bigohejb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkifld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjpacdo.dll" Ijphqbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aklgck32.dll" Mnnhjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcikllja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfnqkbe.dll" Epdljjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejidna32.dll" Kpkali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbjejojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhnkggl.dll" Dfbfcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmdpejgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bichcm32.dll" Iglkoaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oindpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aipickfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfalc32.dll" Cmjoaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldchdjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dabkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iodolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkihfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifghji32.dll" Jcnmme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eabeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbhmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Engnno32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2480 2108 b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe 30 PID 2108 wrote to memory of 2480 2108 b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe 30 PID 2108 wrote to memory of 2480 2108 b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe 30 PID 2108 wrote to memory of 2480 2108 b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe 30 PID 2480 wrote to memory of 2968 2480 Qjeihl32.exe 31 PID 2480 wrote to memory of 2968 2480 Qjeihl32.exe 31 PID 2480 wrote to memory of 2968 2480 Qjeihl32.exe 31 PID 2480 wrote to memory of 2968 2480 Qjeihl32.exe 31 PID 2968 wrote to memory of 2948 2968 Aodnfbpm.exe 32 PID 2968 wrote to memory of 2948 2968 Aodnfbpm.exe 32 PID 2968 wrote to memory of 2948 2968 Aodnfbpm.exe 32 PID 2968 wrote to memory of 2948 2968 Aodnfbpm.exe 32 PID 2948 wrote to memory of 2780 2948 Afnfcl32.exe 33 PID 2948 wrote to memory of 2780 2948 Afnfcl32.exe 33 PID 2948 wrote to memory of 2780 2948 Afnfcl32.exe 33 PID 2948 wrote to memory of 2780 2948 Afnfcl32.exe 33 PID 2780 wrote to memory of 2356 2780 Aeepjh32.exe 34 PID 2780 wrote to memory of 2356 2780 Aeepjh32.exe 34 PID 2780 wrote to memory of 2356 2780 Aeepjh32.exe 34 PID 2780 wrote to memory of 2356 2780 Aeepjh32.exe 34 PID 2356 wrote to memory of 2552 2356 Akphfbbl.exe 35 PID 2356 wrote to memory of 2552 2356 Akphfbbl.exe 35 PID 2356 wrote to memory of 2552 2356 Akphfbbl.exe 35 PID 2356 wrote to memory of 2552 2356 Akphfbbl.exe 35 PID 2552 wrote to memory of 2256 2552 Aehmoh32.exe 36 PID 2552 wrote to memory of 2256 2552 Aehmoh32.exe 36 PID 2552 wrote to memory of 2256 2552 Aehmoh32.exe 36 PID 2552 wrote to memory of 2256 2552 Aehmoh32.exe 36 PID 2256 wrote to memory of 2508 2256 Bnekcm32.exe 37 PID 2256 wrote to memory of 2508 2256 Bnekcm32.exe 37 PID 2256 wrote to memory of 2508 2256 Bnekcm32.exe 37 PID 2256 wrote to memory of 2508 2256 Bnekcm32.exe 37 PID 2508 wrote to memory of 1868 2508 Bcdpacgl.exe 38 PID 2508 wrote to memory of 1868 2508 Bcdpacgl.exe 38 PID 2508 wrote to memory of 1868 2508 Bcdpacgl.exe 38 PID 2508 wrote to memory of 1868 2508 Bcdpacgl.exe 38 PID 1868 wrote to memory of 3036 1868 Blodefdg.exe 39 PID 1868 wrote to memory of 3036 1868 Blodefdg.exe 39 PID 1868 wrote to memory of 3036 1868 Blodefdg.exe 39 PID 1868 wrote to memory of 3036 1868 Blodefdg.exe 39 PID 3036 wrote to memory of 2264 3036 Cppjadhk.exe 40 PID 3036 wrote to memory of 2264 3036 Cppjadhk.exe 40 PID 3036 wrote to memory of 2264 3036 Cppjadhk.exe 40 PID 3036 wrote to memory of 2264 3036 Cppjadhk.exe 40 PID 2264 wrote to memory of 1096 2264 Clfkfeno.exe 41 PID 2264 wrote to memory of 1096 2264 Clfkfeno.exe 41 PID 2264 wrote to memory of 1096 2264 Clfkfeno.exe 41 PID 2264 wrote to memory of 1096 2264 Clfkfeno.exe 41 PID 1096 wrote to memory of 2288 1096 Coiqmp32.exe 42 PID 1096 wrote to memory of 2288 1096 Coiqmp32.exe 42 PID 1096 wrote to memory of 2288 1096 Coiqmp32.exe 42 PID 1096 wrote to memory of 2288 1096 Coiqmp32.exe 42 PID 2288 wrote to memory of 2056 2288 Cdfief32.exe 43 PID 2288 wrote to memory of 2056 2288 Cdfief32.exe 43 PID 2288 wrote to memory of 2056 2288 Cdfief32.exe 43 PID 2288 wrote to memory of 2056 2288 Cdfief32.exe 43 PID 2056 wrote to memory of 2488 2056 Dbnblb32.exe 44 PID 2056 wrote to memory of 2488 2056 Dbnblb32.exe 44 PID 2056 wrote to memory of 2488 2056 Dbnblb32.exe 44 PID 2056 wrote to memory of 2488 2056 Dbnblb32.exe 44 PID 2488 wrote to memory of 1936 2488 Dlfgehqk.exe 45 PID 2488 wrote to memory of 1936 2488 Dlfgehqk.exe 45 PID 2488 wrote to memory of 1936 2488 Dlfgehqk.exe 45 PID 2488 wrote to memory of 1936 2488 Dlfgehqk.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe"C:\Users\Admin\AppData\Local\Temp\b6b4559375110152ae24aa288ab50d1bc839ed137e86b07ac0848dcf52753261.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Qjeihl32.exeC:\Windows\system32\Qjeihl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Aodnfbpm.exeC:\Windows\system32\Aodnfbpm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Aeepjh32.exeC:\Windows\system32\Aeepjh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Bnekcm32.exeC:\Windows\system32\Bnekcm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Cppjadhk.exeC:\Windows\system32\Cppjadhk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Cdfief32.exeC:\Windows\system32\Cdfief32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Dbnblb32.exeC:\Windows\system32\Dbnblb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Dlfgehqk.exeC:\Windows\system32\Dlfgehqk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Eonfgbhc.exeC:\Windows\system32\Eonfgbhc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Epaodjlo.exeC:\Windows\system32\Epaodjlo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Fqkbkicd.exeC:\Windows\system32\Fqkbkicd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe33⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe34⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe35⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe37⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe38⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ipkgejcf.exeC:\Windows\system32\Ipkgejcf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Jifhdphd.exeC:\Windows\system32\Jifhdphd.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe43⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Jddbpmpm.exeC:\Windows\system32\Jddbpmpm.exe45⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Kdgoelnk.exeC:\Windows\system32\Kdgoelnk.exe47⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe48⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe49⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe50⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe51⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe52⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe53⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Lhpkoo32.exeC:\Windows\system32\Lhpkoo32.exe54⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe55⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe58⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Ljhngfkh.exeC:\Windows\system32\Ljhngfkh.exe60⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Lcpbpk32.exeC:\Windows\system32\Lcpbpk32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe63⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Mjmgbe32.exeC:\Windows\system32\Mjmgbe32.exe64⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Mpipkl32.exeC:\Windows\system32\Mpipkl32.exe65⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Mfchgflg.exeC:\Windows\system32\Mfchgflg.exe66⤵PID:2396
-
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Mmpmjpba.exeC:\Windows\system32\Mmpmjpba.exe68⤵PID:800
-
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe69⤵PID:1020
-
C:\Windows\SysWOW64\Mginjnnp.exeC:\Windows\system32\Mginjnnp.exe70⤵PID:2988
-
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe71⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Njjfli32.exeC:\Windows\system32\Njjfli32.exe72⤵PID:2344
-
C:\Windows\SysWOW64\Nepkia32.exeC:\Windows\system32\Nepkia32.exe73⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe74⤵PID:2452
-
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe75⤵PID:3052
-
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe76⤵PID:776
-
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe77⤵PID:1472
-
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe78⤵PID:3004
-
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe79⤵
- Drops file in System32 directory
PID:364 -
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe80⤵PID:2292
-
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe81⤵PID:2492
-
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe82⤵PID:960
-
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe83⤵PID:2052
-
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe84⤵PID:1916
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe85⤵PID:1180
-
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe87⤵PID:884
-
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe88⤵PID:2996
-
C:\Windows\SysWOW64\Pccdqloh.exeC:\Windows\system32\Pccdqloh.exe89⤵PID:2212
-
C:\Windows\SysWOW64\Pnihneon.exeC:\Windows\system32\Pnihneon.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe91⤵PID:1684
-
C:\Windows\SysWOW64\Ppiapp32.exeC:\Windows\system32\Ppiapp32.exe92⤵PID:1640
-
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe93⤵PID:2100
-
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe94⤵PID:2152
-
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe95⤵PID:1396
-
C:\Windows\SysWOW64\Agcekn32.exeC:\Windows\system32\Agcekn32.exe96⤵PID:2088
-
C:\Windows\SysWOW64\Aonjpp32.exeC:\Windows\system32\Aonjpp32.exe97⤵PID:1308
-
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe98⤵
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Bfkobj32.exeC:\Windows\system32\Bfkobj32.exe99⤵PID:2388
-
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe100⤵
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe101⤵PID:2220
-
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe102⤵PID:2160
-
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe103⤵PID:2860
-
C:\Windows\SysWOW64\Bipaodah.exeC:\Windows\system32\Bipaodah.exe104⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Bjanfl32.exeC:\Windows\system32\Bjanfl32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Cgeopqfp.exeC:\Windows\system32\Cgeopqfp.exe106⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Cnogmk32.exeC:\Windows\system32\Cnogmk32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Ceioieei.exeC:\Windows\system32\Ceioieei.exe108⤵PID:2500
-
C:\Windows\SysWOW64\Cnacbj32.exeC:\Windows\system32\Cnacbj32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe110⤵PID:1456
-
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe111⤵PID:1084
-
C:\Windows\SysWOW64\Ccaipaho.exeC:\Windows\system32\Ccaipaho.exe112⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe113⤵PID:1536
-
C:\Windows\SysWOW64\Cmimif32.exeC:\Windows\system32\Cmimif32.exe114⤵PID:1592
-
C:\Windows\SysWOW64\Dmljnfll.exeC:\Windows\system32\Dmljnfll.exe115⤵PID:2940
-
C:\Windows\SysWOW64\Dfdngl32.exeC:\Windows\system32\Dfdngl32.exe116⤵PID:2756
-
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe117⤵PID:1976
-
C:\Windows\SysWOW64\Doocln32.exeC:\Windows\system32\Doocln32.exe118⤵PID:3008
-
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe119⤵PID:2284
-
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe120⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Ddnhidmm.exeC:\Windows\system32\Ddnhidmm.exe121⤵PID:2012
-
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe122⤵PID:2368
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-