Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 04:07
Static task
static1
Behavioral task
behavioral1
Sample
e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe
Resource
win10v2004-20241007-en
General
-
Target
e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe
-
Size
90KB
-
MD5
0f9eebf861111b8ef7cc0a03befc561b
-
SHA1
9a9c5f93ef3f90cf9949625238005154181507ee
-
SHA256
e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa
-
SHA512
ad10f84f6f49899dc00bffc4e61587a5a0da11a6d4cac7384a473b4d6b028608c61ab4001138e43594ef541c3ba8fec93a136f83c3b1996882e5ca4caea31fa9
-
SSDEEP
1536:j/0kkZnWGM4R/6oHUZmwKthSSNEgBx0sl9XL7XnYGlu/Ub0VkVNK:jnk1eop0gBx0SBYGlu/Ub0+NK
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffldlne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdjkhdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpfmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmnbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjjma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnaooi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odchbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ompefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oococb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imokehhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidmfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmgjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbefcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdiefffn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdjaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngkfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkhejkcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oemgplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accqnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adifpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnkbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbcoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfioia32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1916 Fpmbfbgo.exe 2992 Fhdjgoha.exe 2148 Fkbgckgd.exe 2768 Fnacpffh.exe 2716 Fcnkhmdp.exe 2688 Fkecij32.exe 1592 Fqalaa32.exe 2608 Fcphnm32.exe 3036 Ffodjh32.exe 2876 Flhmfbim.exe 376 Fogibnha.exe 1936 Fgnadkic.exe 1912 Fmkilb32.exe 3044 Goiehm32.exe 2252 Gfcnegnk.exe 1864 Ghajacmo.exe 448 Gcgnnlle.exe 680 Gbjojh32.exe 2040 Gdhkfd32.exe 1364 Gmpcgace.exe 1268 Gnaooi32.exe 620 Gblkoham.exe 900 Gifclb32.exe 2220 Gncldi32.exe 2136 Gqahqd32.exe 2072 Gdmdacnn.exe 3052 Ggkqmoma.exe 2864 Gneijien.exe 2788 Gcbabpcf.exe 2840 Hkiicmdh.exe 2852 Hmkeke32.exe 2744 Hqfaldbo.exe 580 Hfcjdkpg.exe 2896 Hnjbeh32.exe 1552 Hahnac32.exe 2384 Hgbfnngi.exe 796 Hpnkbpdd.exe 1248 Hfhcoj32.exe 2212 Hifpke32.exe 1808 Hldlga32.exe 1860 Hcldhnkk.exe 776 Hihlqeib.exe 1316 Hlgimqhf.exe 964 Iikifegp.exe 1380 Ihniaa32.exe 1924 Iliebpfc.exe 1672 Ipeaco32.exe 2128 Iafnjg32.exe 2832 Iimfld32.exe 2704 Ihpfgalh.exe 2792 Illbhp32.exe 2588 Ibejdjln.exe 2692 Iahkpg32.exe 1644 Iedfqeka.exe 1976 Ilnomp32.exe 2900 Ijqoilii.exe 2200 Imokehhl.exe 2256 Iakgefqe.exe 1108 Idicbbpi.exe 956 Ijclol32.exe 2432 Ioohokoo.exe 568 Iamdkfnc.exe 2412 Ippdgc32.exe 2168 Idkpganf.exe -
Loads dropped DLL 64 IoCs
pid Process 2340 e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe 2340 e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe 1916 Fpmbfbgo.exe 1916 Fpmbfbgo.exe 2992 Fhdjgoha.exe 2992 Fhdjgoha.exe 2148 Fkbgckgd.exe 2148 Fkbgckgd.exe 2768 Fnacpffh.exe 2768 Fnacpffh.exe 2716 Fcnkhmdp.exe 2716 Fcnkhmdp.exe 2688 Fkecij32.exe 2688 Fkecij32.exe 1592 Fqalaa32.exe 1592 Fqalaa32.exe 2608 Fcphnm32.exe 2608 Fcphnm32.exe 3036 Ffodjh32.exe 3036 Ffodjh32.exe 2876 Flhmfbim.exe 2876 Flhmfbim.exe 376 Fogibnha.exe 376 Fogibnha.exe 1936 Fgnadkic.exe 1936 Fgnadkic.exe 1912 Fmkilb32.exe 1912 Fmkilb32.exe 3044 Goiehm32.exe 3044 Goiehm32.exe 2252 Gfcnegnk.exe 2252 Gfcnegnk.exe 1864 Ghajacmo.exe 1864 Ghajacmo.exe 448 Gcgnnlle.exe 448 Gcgnnlle.exe 680 Gbjojh32.exe 680 Gbjojh32.exe 2040 Gdhkfd32.exe 2040 Gdhkfd32.exe 1364 Gmpcgace.exe 1364 Gmpcgace.exe 1268 Gnaooi32.exe 1268 Gnaooi32.exe 620 Gblkoham.exe 620 Gblkoham.exe 900 Gifclb32.exe 900 Gifclb32.exe 2220 Gncldi32.exe 2220 Gncldi32.exe 2136 Gqahqd32.exe 2136 Gqahqd32.exe 2072 Gdmdacnn.exe 2072 Gdmdacnn.exe 3052 Ggkqmoma.exe 3052 Ggkqmoma.exe 2864 Gneijien.exe 2864 Gneijien.exe 2788 Gcbabpcf.exe 2788 Gcbabpcf.exe 2840 Hkiicmdh.exe 2840 Hkiicmdh.exe 2852 Hmkeke32.exe 2852 Hmkeke32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdqlajbb.exe Bbbpenco.exe File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Iedfqeka.exe Iahkpg32.exe File opened for modification C:\Windows\SysWOW64\Jampjian.exe Jbjpom32.exe File opened for modification C:\Windows\SysWOW64\Nfoghakb.exe Nhlgmd32.exe File created C:\Windows\SysWOW64\Pkoicb32.exe Phqmgg32.exe File created C:\Windows\SysWOW64\Qdlggg32.exe Qppkfhlc.exe File created C:\Windows\SysWOW64\Jmclfnqb.dll Aoagccfn.exe File opened for modification C:\Windows\SysWOW64\Bnfddp32.exe Bjkhdacm.exe File opened for modification C:\Windows\SysWOW64\Bdqlajbb.exe Bbbpenco.exe File created C:\Windows\SysWOW64\Mjfnomde.exe Mfjann32.exe File opened for modification C:\Windows\SysWOW64\Ngealejo.exe Nibqqh32.exe File created C:\Windows\SysWOW64\Nfdgghho.dll Phnpagdp.exe File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe Cfmhdpnc.exe File opened for modification C:\Windows\SysWOW64\Pdeqfhjd.exe Pebpkk32.exe File created C:\Windows\SysWOW64\Qgejemnf.dll Cnfqccna.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gfcnegnk.exe File created C:\Windows\SysWOW64\Ijehdl32.exe Ifjlcmmj.exe File created C:\Windows\SysWOW64\Omioekbo.exe Onfoin32.exe File created C:\Windows\SysWOW64\Akabgebj.exe Alnalh32.exe File opened for modification C:\Windows\SysWOW64\Abmgjo32.exe Anbkipok.exe File created C:\Windows\SysWOW64\Nloone32.dll Cmpgpond.exe File created C:\Windows\SysWOW64\Jbjpom32.exe Jondnnbk.exe File created C:\Windows\SysWOW64\Decimbli.dll Kglehp32.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mnmpdlac.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Jajcdjca.exe Jbhcim32.exe File created C:\Windows\SysWOW64\Jampjian.exe Jbjpom32.exe File created C:\Windows\SysWOW64\Lgpgbj32.dll Ajpepm32.exe File opened for modification C:\Windows\SysWOW64\Pkjphcff.exe Plgolf32.exe File opened for modification C:\Windows\SysWOW64\Alihaioe.exe Qnghel32.exe File opened for modification C:\Windows\SysWOW64\Aohdmdoh.exe Alihaioe.exe File created C:\Windows\SysWOW64\Oljomn32.dll Gcgnnlle.exe File opened for modification C:\Windows\SysWOW64\Kocmim32.exe Kglehp32.exe File created C:\Windows\SysWOW64\Giddhc32.dll Oippjl32.exe File created C:\Windows\SysWOW64\Eicjoa32.dll Npjlhcmd.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Neknki32.exe File created C:\Windows\SysWOW64\Bhapci32.dll Plgolf32.exe File created C:\Windows\SysWOW64\Hkgoklhk.dll Pidfdofi.exe File created C:\Windows\SysWOW64\Ccjoli32.exe Cegoqlof.exe File created C:\Windows\SysWOW64\Fkecij32.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Majdmi32.dll Jlnklcej.exe File created C:\Windows\SysWOW64\Bkdbhahq.dll Klpdaf32.exe File opened for modification C:\Windows\SysWOW64\Mjkgjl32.exe Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe Nfdddm32.exe File created C:\Windows\SysWOW64\Oefdbdjo.dll Ofhjopbg.exe File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe Mimgeigj.exe File opened for modification C:\Windows\SysWOW64\Nfdddm32.exe Nnmlcp32.exe File created C:\Windows\SysWOW64\Fqalaa32.exe Fkecij32.exe File opened for modification C:\Windows\SysWOW64\Khghgchk.exe Jampjian.exe File created C:\Windows\SysWOW64\Mkndhabp.exe Lhpglecl.exe File created C:\Windows\SysWOW64\Khghgchk.exe Jampjian.exe File opened for modification C:\Windows\SysWOW64\Qcachc32.exe Qpbglhjq.exe File created C:\Windows\SysWOW64\Jidmcq32.dll Cileqlmg.exe File opened for modification C:\Windows\SysWOW64\Cgfkmgnj.exe Ccjoli32.exe File created C:\Windows\SysWOW64\Odedge32.exe Opihgfop.exe File created C:\Windows\SysWOW64\Adpqglen.dll Alnalh32.exe File created C:\Windows\SysWOW64\Oghnkh32.dll Ccmpce32.exe File created C:\Windows\SysWOW64\Lgapeogq.dll Hcldhnkk.exe File created C:\Windows\SysWOW64\Jioopgef.exe Jedcpi32.exe File created C:\Windows\SysWOW64\Kkeecogo.exe Klbdgb32.exe File opened for modification C:\Windows\SysWOW64\Khkbbc32.exe Kpdjaecc.exe File opened for modification C:\Windows\SysWOW64\Mmdjkhdh.exe Mjfnomde.exe File created C:\Windows\SysWOW64\Bmbgfkje.exe Bjdkjpkb.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imokehhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqlfaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jioopgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnomp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahkpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfaldbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnkbpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boljgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpigma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnmgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odedge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andgop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdghaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefhcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljomn32.dll" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmdepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieocod32.dll" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Napbjjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cenljmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfcnegnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pohhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfjnpgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paknelgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbbpenco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcldhnkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jeafjiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocnkj32.dll" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilnomp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mikjpiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiqcmnn.dll" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fogibnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjkgjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjonncab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneebcff.dll" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenjk32.dll" Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcijqc32.dll" Gifclb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jojkco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkfeo32.dll" Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll" Bjmeiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hqfaldbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnhjmjc.dll" Lqipkhbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjfpgi.dll" Mmdjkhdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oibmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggpmn32.dll" Ijclol32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 1916 2340 e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe 30 PID 2340 wrote to memory of 1916 2340 e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe 30 PID 2340 wrote to memory of 1916 2340 e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe 30 PID 2340 wrote to memory of 1916 2340 e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe 30 PID 1916 wrote to memory of 2992 1916 Fpmbfbgo.exe 31 PID 1916 wrote to memory of 2992 1916 Fpmbfbgo.exe 31 PID 1916 wrote to memory of 2992 1916 Fpmbfbgo.exe 31 PID 1916 wrote to memory of 2992 1916 Fpmbfbgo.exe 31 PID 2992 wrote to memory of 2148 2992 Fhdjgoha.exe 32 PID 2992 wrote to memory of 2148 2992 Fhdjgoha.exe 32 PID 2992 wrote to memory of 2148 2992 Fhdjgoha.exe 32 PID 2992 wrote to memory of 2148 2992 Fhdjgoha.exe 32 PID 2148 wrote to memory of 2768 2148 Fkbgckgd.exe 33 PID 2148 wrote to memory of 2768 2148 Fkbgckgd.exe 33 PID 2148 wrote to memory of 2768 2148 Fkbgckgd.exe 33 PID 2148 wrote to memory of 2768 2148 Fkbgckgd.exe 33 PID 2768 wrote to memory of 2716 2768 Fnacpffh.exe 34 PID 2768 wrote to memory of 2716 2768 Fnacpffh.exe 34 PID 2768 wrote to memory of 2716 2768 Fnacpffh.exe 34 PID 2768 wrote to memory of 2716 2768 Fnacpffh.exe 34 PID 2716 wrote to memory of 2688 2716 Fcnkhmdp.exe 35 PID 2716 wrote to memory of 2688 2716 Fcnkhmdp.exe 35 PID 2716 wrote to memory of 2688 2716 Fcnkhmdp.exe 35 PID 2716 wrote to memory of 2688 2716 Fcnkhmdp.exe 35 PID 2688 wrote to memory of 1592 2688 Fkecij32.exe 36 PID 2688 wrote to memory of 1592 2688 Fkecij32.exe 36 PID 2688 wrote to memory of 1592 2688 Fkecij32.exe 36 PID 2688 wrote to memory of 1592 2688 Fkecij32.exe 36 PID 1592 wrote to memory of 2608 1592 Fqalaa32.exe 37 PID 1592 wrote to memory of 2608 1592 Fqalaa32.exe 37 PID 1592 wrote to memory of 2608 1592 Fqalaa32.exe 37 PID 1592 wrote to memory of 2608 1592 Fqalaa32.exe 37 PID 2608 wrote to memory of 3036 2608 Fcphnm32.exe 38 PID 2608 wrote to memory of 3036 2608 Fcphnm32.exe 38 PID 2608 wrote to memory of 3036 2608 Fcphnm32.exe 38 PID 2608 wrote to memory of 3036 2608 Fcphnm32.exe 38 PID 3036 wrote to memory of 2876 3036 Ffodjh32.exe 39 PID 3036 wrote to memory of 2876 3036 Ffodjh32.exe 39 PID 3036 wrote to memory of 2876 3036 Ffodjh32.exe 39 PID 3036 wrote to memory of 2876 3036 Ffodjh32.exe 39 PID 2876 wrote to memory of 376 2876 Flhmfbim.exe 40 PID 2876 wrote to memory of 376 2876 Flhmfbim.exe 40 PID 2876 wrote to memory of 376 2876 Flhmfbim.exe 40 PID 2876 wrote to memory of 376 2876 Flhmfbim.exe 40 PID 376 wrote to memory of 1936 376 Fogibnha.exe 41 PID 376 wrote to memory of 1936 376 Fogibnha.exe 41 PID 376 wrote to memory of 1936 376 Fogibnha.exe 41 PID 376 wrote to memory of 1936 376 Fogibnha.exe 41 PID 1936 wrote to memory of 1912 1936 Fgnadkic.exe 42 PID 1936 wrote to memory of 1912 1936 Fgnadkic.exe 42 PID 1936 wrote to memory of 1912 1936 Fgnadkic.exe 42 PID 1936 wrote to memory of 1912 1936 Fgnadkic.exe 42 PID 1912 wrote to memory of 3044 1912 Fmkilb32.exe 43 PID 1912 wrote to memory of 3044 1912 Fmkilb32.exe 43 PID 1912 wrote to memory of 3044 1912 Fmkilb32.exe 43 PID 1912 wrote to memory of 3044 1912 Fmkilb32.exe 43 PID 3044 wrote to memory of 2252 3044 Goiehm32.exe 44 PID 3044 wrote to memory of 2252 3044 Goiehm32.exe 44 PID 3044 wrote to memory of 2252 3044 Goiehm32.exe 44 PID 3044 wrote to memory of 2252 3044 Goiehm32.exe 44 PID 2252 wrote to memory of 1864 2252 Gfcnegnk.exe 45 PID 2252 wrote to memory of 1864 2252 Gfcnegnk.exe 45 PID 2252 wrote to memory of 1864 2252 Gfcnegnk.exe 45 PID 2252 wrote to memory of 1864 2252 Gfcnegnk.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe"C:\Users\Admin\AppData\Local\Temp\e619b8144a2616a963962442f6917515650b740d6b93767b59a285e905cd24fa.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe34⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe35⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe36⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe37⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe39⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe40⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe41⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe43⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe45⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe47⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe48⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe49⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe51⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe53⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe57⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe59⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe60⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe63⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe64⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe65⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe67⤵PID:2032
-
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe68⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe71⤵PID:1792
-
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe73⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe74⤵PID:2672
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:632 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe77⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe78⤵PID:1628
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe79⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe80⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe82⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe83⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe84⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe86⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe87⤵
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe88⤵PID:2564
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe90⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe93⤵PID:2192
-
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe94⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe95⤵PID:2132
-
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe96⤵PID:2708
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe97⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe98⤵PID:1960
-
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe99⤵PID:1244
-
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe101⤵PID:2208
-
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe103⤵PID:1516
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe104⤵PID:992
-
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe105⤵PID:2140
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe106⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe107⤵PID:2772
-
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe108⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe109⤵PID:2880
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe111⤵PID:3004
-
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe112⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe114⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe115⤵PID:2824
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe116⤵PID:2632
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe117⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe118⤵PID:2812
-
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe119⤵PID:2924
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe121⤵PID:484
-
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe122⤵
- System Location Discovery: System Language Discovery
PID:2084
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-