Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 22:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe
-
Size
74KB
-
MD5
a818aa3b125a33c3f788d79cc780bca7
-
SHA1
c0244401bdaa0f23c6966dec6e3a94110c908afa
-
SHA256
64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3
-
SHA512
5aa9efb131982d7d8bc6f9ee86574b77f5b3af81ae4a77efa18d28278626e51ae63d65688a4b139f2c45a3a57dae265f51304cd70c92535f703dc841769ab76e
-
SSDEEP
1536:exwGnXRpSCu+g/EvGV+ttdtWdngDAmfhEWt8iJPjCxJqPRQWRcRes3cO57OW9:+eCuhV+ttc3mJEWaAneWW199
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lofifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnahgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jimdcqom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgfjggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klngkfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdjaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baefnmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbknkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbefcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepcelel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqaiph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnmpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfpbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkkpmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikldqile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgkocj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgbfnngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aohgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljghjpfe.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1948 Ednbncmb.exe 1248 Ekhkjm32.exe 2460 Ejkkfjkj.exe 2896 Edqocbkp.exe 2596 Elldgehk.exe 2616 Edclib32.exe 2584 Fffefjmi.exe 2156 Fqlicclo.exe 2928 Ffibkj32.exe 2340 Foafdoag.exe 2984 Ffkoai32.exe 668 Fmegncpp.exe 1908 Fbbofjnh.exe 2420 Fdpkbf32.exe 964 Fkjdopeh.exe 876 Fofpoo32.exe 908 Fdbhge32.exe 1132 Findhdcb.exe 1720 Fgadda32.exe 2292 Gbfiaj32.exe 2268 Geeemeif.exe 2312 Gcheib32.exe 2528 Gkomjo32.exe 2232 Gnmifk32.exe 1772 Gqlebf32.exe 1708 Gcjbna32.exe 1240 Gjdjklek.exe 2548 Gmbfggdo.exe 2816 Gpabcbdb.exe 2776 Gfkkpmko.exe 2784 Giiglhjb.exe 1984 Gaqomeke.exe 2620 Gcokiaji.exe 2888 Gfmgelil.exe 2128 Gildahhp.exe 2920 Gljpncgc.exe 1476 Gpelnb32.exe 1280 Hinqgg32.exe 2228 Hmjlhfof.exe 2076 Hllmcc32.exe 896 Hnkion32.exe 1340 Heealhla.exe 1764 Hhcmhdke.exe 560 Hloiib32.exe 692 Hpjeialg.exe 1968 Hibjbgbh.exe 1856 Hjdfjo32.exe 1284 Hbknkl32.exe 2388 Heikgh32.exe 884 Hdlkcdog.exe 2788 Hlccdboi.exe 3012 Hjfcpo32.exe 2404 Hnbopmnm.exe 2652 Hmeolj32.exe 2960 Helgmg32.exe 536 Hdoghdmd.exe 2068 Hhjcic32.exe 1788 Hfmddp32.exe 2452 Hndlem32.exe 2144 Hmglajcd.exe 1644 Ipehmebh.exe 1980 Idadnd32.exe 1940 Ifoqjo32.exe 444 Ijklknbn.exe -
Loads dropped DLL 64 IoCs
pid Process 1952 64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe 1952 64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe 1948 Ednbncmb.exe 1948 Ednbncmb.exe 1248 Ekhkjm32.exe 1248 Ekhkjm32.exe 2460 Ejkkfjkj.exe 2460 Ejkkfjkj.exe 2896 Edqocbkp.exe 2896 Edqocbkp.exe 2596 Elldgehk.exe 2596 Elldgehk.exe 2616 Edclib32.exe 2616 Edclib32.exe 2584 Fffefjmi.exe 2584 Fffefjmi.exe 2156 Fqlicclo.exe 2156 Fqlicclo.exe 2928 Ffibkj32.exe 2928 Ffibkj32.exe 2340 Foafdoag.exe 2340 Foafdoag.exe 2984 Ffkoai32.exe 2984 Ffkoai32.exe 668 Fmegncpp.exe 668 Fmegncpp.exe 1908 Fbbofjnh.exe 1908 Fbbofjnh.exe 2420 Fdpkbf32.exe 2420 Fdpkbf32.exe 964 Fkjdopeh.exe 964 Fkjdopeh.exe 876 Fofpoo32.exe 876 Fofpoo32.exe 908 Fdbhge32.exe 908 Fdbhge32.exe 1132 Findhdcb.exe 1132 Findhdcb.exe 1720 Fgadda32.exe 1720 Fgadda32.exe 2292 Gbfiaj32.exe 2292 Gbfiaj32.exe 2268 Geeemeif.exe 2268 Geeemeif.exe 2312 Gcheib32.exe 2312 Gcheib32.exe 2528 Gkomjo32.exe 2528 Gkomjo32.exe 2232 Gnmifk32.exe 2232 Gnmifk32.exe 1772 Gqlebf32.exe 1772 Gqlebf32.exe 1708 Gcjbna32.exe 1708 Gcjbna32.exe 1240 Gjdjklek.exe 1240 Gjdjklek.exe 2548 Gmbfggdo.exe 2548 Gmbfggdo.exe 2816 Gpabcbdb.exe 2816 Gpabcbdb.exe 2776 Gfkkpmko.exe 2776 Gfkkpmko.exe 2784 Giiglhjb.exe 2784 Giiglhjb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jmipdo32.exe Jimdcqom.exe File created C:\Windows\SysWOW64\Kdphjm32.exe Kablnadm.exe File opened for modification C:\Windows\SysWOW64\Bchhqo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dghjkpck.exe Process not Found File created C:\Windows\SysWOW64\Kembmblk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Noagjc32.exe Process not Found File created C:\Windows\SysWOW64\Peblpbgn.dll Pleofj32.exe File created C:\Windows\SysWOW64\Mmfejo32.dll Lopfhk32.exe File created C:\Windows\SysWOW64\Mopbgn32.exe Mlafkb32.exe File opened for modification C:\Windows\SysWOW64\Ghdiokbq.exe Gefmcp32.exe File created C:\Windows\SysWOW64\Ndmdqcnk.dll Process not Found File created C:\Windows\SysWOW64\Ghndpi32.dll Jlhkgm32.exe File created C:\Windows\SysWOW64\Epbpbnan.exe Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Jbpfnh32.exe Jhjbqo32.exe File opened for modification C:\Windows\SysWOW64\Mdgkjopd.exe Mploiq32.exe File created C:\Windows\SysWOW64\Ohopde32.dll Nhepoaif.exe File opened for modification C:\Windows\SysWOW64\Hmeolj32.exe Hnbopmnm.exe File created C:\Windows\SysWOW64\Clpabm32.exe Cbgmigeq.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Caifjn32.exe File created C:\Windows\SysWOW64\Elpbhe32.dll Pndalkgf.exe File opened for modification C:\Windows\SysWOW64\Befnbd32.exe Process not Found File created C:\Windows\SysWOW64\Gedbfimc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qmepanje.exe Process not Found File created C:\Windows\SysWOW64\Fkpejiad.dll Hibjbgbh.exe File created C:\Windows\SysWOW64\Pdppqbkn.exe Paaddgkj.exe File opened for modification C:\Windows\SysWOW64\Kcmdjgbh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pigklmqc.exe Process not Found File created C:\Windows\SysWOW64\Bmcnqama.exe Bgffhkoj.exe File created C:\Windows\SysWOW64\Oiimgf32.dll Edoefl32.exe File created C:\Windows\SysWOW64\Nmldkj32.dll Process not Found File created C:\Windows\SysWOW64\Oiahnnji.exe Process not Found File created C:\Windows\SysWOW64\Mcjhmcok.exe Mqklqhpg.exe File created C:\Windows\SysWOW64\Mgcfig32.dll Piqpkpml.exe File created C:\Windows\SysWOW64\Chpenm32.dll Hiclkp32.exe File opened for modification C:\Windows\SysWOW64\Imgnjb32.exe Indnnfdn.exe File opened for modification C:\Windows\SysWOW64\Fhdmph32.exe Fefqdl32.exe File opened for modification C:\Windows\SysWOW64\Ojblbgdg.exe Oplgeoea.exe File created C:\Windows\SysWOW64\Ggbieb32.exe Process not Found File created C:\Windows\SysWOW64\Bdaabk32.exe Process not Found File created C:\Windows\SysWOW64\Nfidjbdg.exe Nbniid32.exe File created C:\Windows\SysWOW64\Mdoljh32.dll Iphecepe.exe File opened for modification C:\Windows\SysWOW64\Nqhepeai.exe Nnjicjbf.exe File opened for modification C:\Windows\SysWOW64\Iianmlfn.exe Process not Found File created C:\Windows\SysWOW64\Jalnli32.dll Process not Found File created C:\Windows\SysWOW64\Moancj32.dll Fbbofjnh.exe File created C:\Windows\SysWOW64\Dchdgl32.dll Mneohj32.exe File created C:\Windows\SysWOW64\Demofaol.exe Djgkii32.exe File created C:\Windows\SysWOW64\Ihbcmaje.exe Iedfqeka.exe File created C:\Windows\SysWOW64\Dllbljej.dll Heikgh32.exe File opened for modification C:\Windows\SysWOW64\Plolgk32.exe Piqpkpml.exe File created C:\Windows\SysWOW64\Qobbofgn.exe Pejmfqan.exe File opened for modification C:\Windows\SysWOW64\Gceailog.exe Goiehm32.exe File opened for modification C:\Windows\SysWOW64\Bcjcme32.exe Bqlfaj32.exe File opened for modification C:\Windows\SysWOW64\Hgfheodo.exe Process not Found File created C:\Windows\SysWOW64\Hnkion32.exe Hllmcc32.exe File created C:\Windows\SysWOW64\Napbjjom.exe Njfjnpgp.exe File opened for modification C:\Windows\SysWOW64\Ligfakaa.exe Process not Found File created C:\Windows\SysWOW64\Knfndjdp.exe Kglehp32.exe File opened for modification C:\Windows\SysWOW64\Cbjlhpkb.exe Colpld32.exe File created C:\Windows\SysWOW64\Ahhaobfe.exe Process not Found File created C:\Windows\SysWOW64\Ahcbfd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Abjeejep.exe Process not Found File created C:\Windows\SysWOW64\Nelgfoke.dll Process not Found File opened for modification C:\Windows\SysWOW64\Einjdb32.exe Egonhf32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkompgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deenjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjleclph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlqjone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkfgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmglajcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkmie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinqgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgfjggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbafalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ednbncmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edclib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpopddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponklpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifcib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaglcgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiflohqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apedah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdgipkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caaggpdh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqohpf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbofmcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdhopfa.dll" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaqkn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgkfkohg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emclhigi.dll" Pejmfqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejcmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelpjgll.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobnd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchaehnb.dll" Locjhqpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhjag32.dll" Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anljck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmknff32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbadjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iamdkfnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mneohj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll" Phcilf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiekgbjc.dll" Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiobie32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmphha32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmobfna.dll" Gfkmie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmkedj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokhho32.dll" Mndhnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffibkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcncbo32.dll" Mkaghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpflkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll" Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmpn32.dll" Jhjphfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjeanhe.dll" Cbgmigeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll" Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhkopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cchlkipc.dll" Gpelnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kigndekn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1952 wrote to memory of 1948 1952 64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe 30 PID 1952 wrote to memory of 1948 1952 64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe 30 PID 1952 wrote to memory of 1948 1952 64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe 30 PID 1952 wrote to memory of 1948 1952 64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe 30 PID 1948 wrote to memory of 1248 1948 Ednbncmb.exe 31 PID 1948 wrote to memory of 1248 1948 Ednbncmb.exe 31 PID 1948 wrote to memory of 1248 1948 Ednbncmb.exe 31 PID 1948 wrote to memory of 1248 1948 Ednbncmb.exe 31 PID 1248 wrote to memory of 2460 1248 Ekhkjm32.exe 32 PID 1248 wrote to memory of 2460 1248 Ekhkjm32.exe 32 PID 1248 wrote to memory of 2460 1248 Ekhkjm32.exe 32 PID 1248 wrote to memory of 2460 1248 Ekhkjm32.exe 32 PID 2460 wrote to memory of 2896 2460 Ejkkfjkj.exe 33 PID 2460 wrote to memory of 2896 2460 Ejkkfjkj.exe 33 PID 2460 wrote to memory of 2896 2460 Ejkkfjkj.exe 33 PID 2460 wrote to memory of 2896 2460 Ejkkfjkj.exe 33 PID 2896 wrote to memory of 2596 2896 Edqocbkp.exe 34 PID 2896 wrote to memory of 2596 2896 Edqocbkp.exe 34 PID 2896 wrote to memory of 2596 2896 Edqocbkp.exe 34 PID 2896 wrote to memory of 2596 2896 Edqocbkp.exe 34 PID 2596 wrote to memory of 2616 2596 Elldgehk.exe 35 PID 2596 wrote to memory of 2616 2596 Elldgehk.exe 35 PID 2596 wrote to memory of 2616 2596 Elldgehk.exe 35 PID 2596 wrote to memory of 2616 2596 Elldgehk.exe 35 PID 2616 wrote to memory of 2584 2616 Edclib32.exe 36 PID 2616 wrote to memory of 2584 2616 Edclib32.exe 36 PID 2616 wrote to memory of 2584 2616 Edclib32.exe 36 PID 2616 wrote to memory of 2584 2616 Edclib32.exe 36 PID 2584 wrote to memory of 2156 2584 Fffefjmi.exe 37 PID 2584 wrote to memory of 2156 2584 Fffefjmi.exe 37 PID 2584 wrote to memory of 2156 2584 Fffefjmi.exe 37 PID 2584 wrote to memory of 2156 2584 Fffefjmi.exe 37 PID 2156 wrote to memory of 2928 2156 Fqlicclo.exe 38 PID 2156 wrote to memory of 2928 2156 Fqlicclo.exe 38 PID 2156 wrote to memory of 2928 2156 Fqlicclo.exe 38 PID 2156 wrote to memory of 2928 2156 Fqlicclo.exe 38 PID 2928 wrote to memory of 2340 2928 Ffibkj32.exe 39 PID 2928 wrote to memory of 2340 2928 Ffibkj32.exe 39 PID 2928 wrote to memory of 2340 2928 Ffibkj32.exe 39 PID 2928 wrote to memory of 2340 2928 Ffibkj32.exe 39 PID 2340 wrote to memory of 2984 2340 Foafdoag.exe 40 PID 2340 wrote to memory of 2984 2340 Foafdoag.exe 40 PID 2340 wrote to memory of 2984 2340 Foafdoag.exe 40 PID 2340 wrote to memory of 2984 2340 Foafdoag.exe 40 PID 2984 wrote to memory of 668 2984 Ffkoai32.exe 41 PID 2984 wrote to memory of 668 2984 Ffkoai32.exe 41 PID 2984 wrote to memory of 668 2984 Ffkoai32.exe 41 PID 2984 wrote to memory of 668 2984 Ffkoai32.exe 41 PID 668 wrote to memory of 1908 668 Fmegncpp.exe 42 PID 668 wrote to memory of 1908 668 Fmegncpp.exe 42 PID 668 wrote to memory of 1908 668 Fmegncpp.exe 42 PID 668 wrote to memory of 1908 668 Fmegncpp.exe 42 PID 1908 wrote to memory of 2420 1908 Fbbofjnh.exe 43 PID 1908 wrote to memory of 2420 1908 Fbbofjnh.exe 43 PID 1908 wrote to memory of 2420 1908 Fbbofjnh.exe 43 PID 1908 wrote to memory of 2420 1908 Fbbofjnh.exe 43 PID 2420 wrote to memory of 964 2420 Fdpkbf32.exe 44 PID 2420 wrote to memory of 964 2420 Fdpkbf32.exe 44 PID 2420 wrote to memory of 964 2420 Fdpkbf32.exe 44 PID 2420 wrote to memory of 964 2420 Fdpkbf32.exe 44 PID 964 wrote to memory of 876 964 Fkjdopeh.exe 45 PID 964 wrote to memory of 876 964 Fkjdopeh.exe 45 PID 964 wrote to memory of 876 964 Fkjdopeh.exe 45 PID 964 wrote to memory of 876 964 Fkjdopeh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe"C:\Users\Admin\AppData\Local\Temp\64d406184210d9ac6ac56698cb1c42c079e0d738794e9f6de36fec4dff9ad9c3.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe33⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe34⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe35⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe36⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe37⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe40⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe42⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe43⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe44⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe45⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe46⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe48⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe51⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe52⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe53⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe55⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe56⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe57⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe58⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe59⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe60⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe62⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe63⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe64⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe65⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe66⤵PID:1088
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe67⤵PID:2356
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe68⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe69⤵PID:2844
-
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe70⤵PID:832
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe71⤵PID:2684
-
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe72⤵PID:1592
-
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe73⤵PID:2764
-
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe74⤵PID:1648
-
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe75⤵PID:2996
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe76⤵PID:2164
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe77⤵PID:1676
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe78⤵PID:2288
-
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe79⤵PID:372
-
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe80⤵PID:2368
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe81⤵PID:1608
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe82⤵PID:1668
-
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe83⤵PID:2172
-
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe84⤵PID:1532
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe85⤵PID:2100
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe86⤵PID:2884
-
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe87⤵PID:1724
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe88⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe89⤵PID:2084
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe90⤵PID:2296
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe92⤵PID:1252
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe93⤵PID:2932
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe94⤵PID:2280
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe95⤵PID:1512
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe96⤵PID:2628
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe97⤵PID:880
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe98⤵PID:2712
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe99⤵PID:2944
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe101⤵PID:1864
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe102⤵PID:2688
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe103⤵PID:1304
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe104⤵PID:3016
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe105⤵PID:2572
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe106⤵PID:2716
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe108⤵PID:2808
-
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe109⤵PID:2980
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe110⤵PID:2204
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe111⤵PID:2720
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe112⤵PID:1956
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe113⤵PID:2244
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe114⤵PID:3044
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe115⤵PID:2028
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe116⤵PID:2856
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe117⤵PID:1824
-
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe118⤵PID:1904
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe119⤵PID:844
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe120⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe121⤵PID:2748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-