Analysis
max time kernel: 62s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 21:24

Static task: static1

Behavioral task: behavioral1
Sample: 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Resource: win10v2004-20241007-en

General
Target: 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Size: 87KB
MD5: f5a49610f8d29d0e57d900346f66776c
SHA1: a64ce067c85f0594dee08a6e73f28c7c45006acf
SHA256: 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6
SHA512: 6266d30c7f2aa2d565ffc13ae55d1745a3838587eb22e48f628d2a3188f80c75e64e677549bfb1698b1f6d0456d01d4c39837c8342165939efd327a4aec6378a
SSDEEP: 1536:/HlT0DBqocKg4shVjGvk2iqVHrIXqIvruQFm6qQ/zY4RQ4+RSRBDNrR0RVe7R6Rj:/hABxeZVjpIH2dFm6jefAnDlmbGcGFDA

Malware Config
Extracted: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhfdffll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qpnkjq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abachg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oebffm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nqjmec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ebccal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hgpeimhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aecdpmbm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcafbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Opkpme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ljlhme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eoalpaaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nijcgp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leaallcb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gddpndhp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkfkoi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pegaje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blcokf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mahinb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pgjfflkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhffikob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bqffna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nfncad32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hklhca32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olokighn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jaahgd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amledj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlgaek32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjfkbhae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fleihi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnoqbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eddlcgjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ikafpbon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aadbfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aibfik32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlokegib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Likbpceb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlbmem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eccdmmpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jennjblp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Omjgkjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ceioieei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gomhkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oebffm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajipmocp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Blplkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqoocmcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfnmnojj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aeokdn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgpgae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cilfka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgbcha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ebkpma32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibmhjc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emadjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cgcoal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Empphi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnmfpnqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cccgni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nocgbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cdpdpl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmobpn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iojoalda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ikhqbo32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
2240 | Jlbhjkij.exe
2900 | Jaopcbga.exe
1824 | Jlgaek32.exe
2776 | Jddbpmpm.exe
2768 | Kpkcdn32.exe
868 | Kjfdcc32.exe
1172 | Kjhahb32.exe
3036 | Llkgpmck.exe
2188 | Lhbhdnio.exe
2504 | Lqbfdp32.exe
324 | Mfakbf32.exe
2460 | Mcghajkq.exe
2568 | Mlbmem32.exe
1844 | Nhngem32.exe
780 | Nebgoa32.exe
2056 | Nfhmai32.exe
1552 | Oiifcdhn.exe
1088 | Ohppjpkc.exe
2316 | Oahdce32.exe
1772 | Olnipn32.exe
1188 | Odimdqne.exe
2032 | Pgjfflkf.exe
2224 | Papkcd32.exe
2896 | Peapmhnk.exe
2948 | Pgamgken.exe
2372 | Polakmbi.exe
308 | Qcjjakip.exe
2800 | Abachg32.exe
388 | Agebam32.exe
1684 | Bjfkbhae.exe
2136 | Bcopkn32.exe
2508 | Beplcfmd.exe
2788 | Bbdmljln.exe
2296 | Bklaepbn.exe
1956 | Bedene32.exe
2260 | Bnmjgkpo.exe
2232 | Ccjbobnf.exe
2500 | Ceioieei.exe
1020 | Cfkkam32.exe
2532 | Cmdcngbd.exe
2480 | Cikdbhhi.exe
2388 | Cbcikn32.exe
112 | Cpgieb32.exe
2384 | Cipnng32.exe
2660 | Domffn32.exe
1120 | Dhekodik.exe
2960 | Dplbpaim.exe
3016 | Dhggdcgh.exe
2944 | Daplmimi.exe
2860 | Dodlfmlb.exe
2604 | Ddqeodjj.exe
592 | Ddcadd32.exe
1708 | Emkfmioh.exe
2692 | Echoepmo.exe
3060 | Eibgbj32.exe
2736 | Empphi32.exe
692 | Eoalpaaa.exe
2292 | Eghdanac.exe
2452 | Eleliepj.exe
980 | Ehlmnfeo.exe
1556 | Fepnhjdh.exe
948 | Fljfdd32.exe
1836 | Fagnmkjm.exe
1768 | Fplknh32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2248 | 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
2248 | 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
2240 | Jlbhjkij.exe
2240 | Jlbhjkij.exe
2900 | Jaopcbga.exe
2900 | Jaopcbga.exe
1824 | Jlgaek32.exe
1824 | Jlgaek32.exe
2776 | Jddbpmpm.exe
2776 | Jddbpmpm.exe
2768 | Kpkcdn32.exe
2768 | Kpkcdn32.exe
868 | Kjfdcc32.exe
868 | Kjfdcc32.exe
1172 | Kjhahb32.exe
1172 | Kjhahb32.exe
3036 | Llkgpmck.exe
3036 | Llkgpmck.exe
2188 | Lhbhdnio.exe
2188 | Lhbhdnio.exe
2504 | Lqbfdp32.exe
2504 | Lqbfdp32.exe
324 | Mfakbf32.exe
324 | Mfakbf32.exe
2460 | Mcghajkq.exe
2460 | Mcghajkq.exe
2568 | Mlbmem32.exe
2568 | Mlbmem32.exe
1844 | Nhngem32.exe
1844 | Nhngem32.exe
780 | Nebgoa32.exe
780 | Nebgoa32.exe
2056 | Nfhmai32.exe
2056 | Nfhmai32.exe
1552 | Oiifcdhn.exe
1552 | Oiifcdhn.exe
1088 | Ohppjpkc.exe
1088 | Ohppjpkc.exe
2316 | Oahdce32.exe
2316 | Oahdce32.exe
1772 | Olnipn32.exe
1772 | Olnipn32.exe
1188 | Odimdqne.exe
1188 | Odimdqne.exe
2032 | Pgjfflkf.exe
2032 | Pgjfflkf.exe
2224 | Papkcd32.exe
2224 | Papkcd32.exe
2896 | Peapmhnk.exe
2896 | Peapmhnk.exe
2948 | Pgamgken.exe
2948 | Pgamgken.exe
2372 | Polakmbi.exe
2372 | Polakmbi.exe
308 | Qcjjakip.exe
308 | Qcjjakip.exe
2800 | Abachg32.exe
2800 | Abachg32.exe
388 | Agebam32.exe
388 | Agebam32.exe
1684 | Bjfkbhae.exe
1684 | Bjfkbhae.exe
2136 | Bcopkn32.exe
2136 | Bcopkn32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Bcgoolln.exe | Biakbc32.exe
File created | C:\Windows\SysWOW64\Lielgo32.dll | Njbanida.exe
File opened for modification | C:\Windows\SysWOW64\Lpiqel32.exe | Lmjdia32.exe
File created | C:\Windows\SysWOW64\Gamfncdb.dll | Pbcahgjd.exe
File created | C:\Windows\SysWOW64\Jlbhjkij.exe | 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
File created | C:\Windows\SysWOW64\Dnhgifal.dll | Dhekodik.exe
File created | C:\Windows\SysWOW64\Emkfmioh.exe | Ddcadd32.exe
File created | C:\Windows\SysWOW64\Lgpbhg32.dll | Hklhca32.exe
File created | C:\Windows\SysWOW64\Cocbbk32.exe | Cjfjjd32.exe
File created | C:\Windows\SysWOW64\Pfppja32.dll | Dcffmb32.exe
File created | C:\Windows\SysWOW64\Dpkfchgk.dll | Bjfkbhae.exe
File opened for modification | C:\Windows\SysWOW64\Gmloigln.exe | Gqendf32.exe
File opened for modification | C:\Windows\SysWOW64\Mclbkjcf.exe | Mgebfi32.exe
File created | C:\Windows\SysWOW64\Daplmimi.exe | Dhggdcgh.exe
File created | C:\Windows\SysWOW64\Hjincg32.dll | Jhikhefb.exe
File created | C:\Windows\SysWOW64\Jpajdi32.exe | Jhfepfme.exe
File created | C:\Windows\SysWOW64\Qlbphm32.dll | Afeold32.exe
File created | C:\Windows\SysWOW64\Neponk32.dll | Kfnmnojj.exe
File opened for modification | C:\Windows\SysWOW64\Fjpggb32.exe | Fecool32.exe
File opened for modification | C:\Windows\SysWOW64\Kjfdcc32.exe | Kpkcdn32.exe
File opened for modification | C:\Windows\SysWOW64\Eoalpaaa.exe | Empphi32.exe
File opened for modification | C:\Windows\SysWOW64\Pjlifjjb.exe | Peoanckj.exe
File created | C:\Windows\SysWOW64\Eefneh32.dll | Iqnlpq32.exe
File opened for modification | C:\Windows\SysWOW64\Nnkqih32.exe | Ndclpb32.exe
File opened for modification | C:\Windows\SysWOW64\Abejlj32.exe | Ahpfoa32.exe
File opened for modification | C:\Windows\SysWOW64\Agebam32.exe | Abachg32.exe
File created | C:\Windows\SysWOW64\Mieimpkc.dll | Nnkqih32.exe
File created | C:\Windows\SysWOW64\Fpdgab32.dll | Leaallcb.exe
File created | C:\Windows\SysWOW64\Lbfdnijp.exe | Lebcdd32.exe
File created | C:\Windows\SysWOW64\Fihmiqhb.dll | Kamncagl.exe
File created | C:\Windows\SysWOW64\Klnkaf32.dll | 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
File created | C:\Windows\SysWOW64\Mnneabff.exe | Mkpieggc.exe
File opened for modification | C:\Windows\SysWOW64\Aanonj32.exe | Paclje32.exe
File opened for modification | C:\Windows\SysWOW64\Choejien.exe | Cpcaeghc.exe
File created | C:\Windows\SysWOW64\Kbedmedg.exe | Jofhqiec.exe
File opened for modification | C:\Windows\SysWOW64\Hjaiaolb.exe | Gibmglep.exe
File created | C:\Windows\SysWOW64\Gpfggeai.exe | Gkiooocb.exe
File created | C:\Windows\SysWOW64\Pkicij32.dll | Phhhchlp.exe
File created | C:\Windows\SysWOW64\Gibmglep.exe | Gfcqkafl.exe
File created | C:\Windows\SysWOW64\Mmdigbbj.dll | Eabgjeef.exe
File created | C:\Windows\SysWOW64\Biiajp32.dll | Flcjjdpe.exe
File opened for modification | C:\Windows\SysWOW64\Kdlbckee.exe | Kdjenkgh.exe
File created | C:\Windows\SysWOW64\Hjcajn32.exe | Hbhmfk32.exe
File created | C:\Windows\SysWOW64\Kocodbpk.exe | Kldchgag.exe
File opened for modification | C:\Windows\SysWOW64\Cdpdpl32.exe | Cobkhe32.exe
File created | C:\Windows\SysWOW64\Polakmbi.exe | Pgamgken.exe
File opened for modification | C:\Windows\SysWOW64\Bnmjgkpo.exe | Bedene32.exe
File created | C:\Windows\SysWOW64\Iganmp32.exe | Iofiimkd.exe
File opened for modification | C:\Windows\SysWOW64\Hhpjfoji.exe | Hccbnhla.exe
File created | C:\Windows\SysWOW64\Glqang32.dll | Mqhhbn32.exe
File created | C:\Windows\SysWOW64\Abdpfmcb.dll | Oejgbonl.exe
File created | C:\Windows\SysWOW64\Mbmfpdcn.dll | Hkdmaenk.exe
File opened for modification | C:\Windows\SysWOW64\Ncplfj32.exe | Nelkme32.exe
File created | C:\Windows\SysWOW64\Ccpbpn32.dll | Lggpdmap.exe
File created | C:\Windows\SysWOW64\Pmpcoabe.exe | Oqibjq32.exe
File created | C:\Windows\SysWOW64\Chghodgj.exe | Cpldjajo.exe
File created | C:\Windows\SysWOW64\Fleihi32.exe | Fghppa32.exe
File created | C:\Windows\SysWOW64\Nhcdgfop.dll | Ppcmhj32.exe
File created | C:\Windows\SysWOW64\Dippfplg.exe | Cccgni32.exe
File opened for modification | C:\Windows\SysWOW64\Lgpjcnhh.exe | Lpfagd32.exe
File created | C:\Windows\SysWOW64\Ifdlmglb.dll | Jadnoc32.exe
File created | C:\Windows\SysWOW64\Idchbb32.dll | Pgamgken.exe
File created | C:\Windows\SysWOW64\Olbpmelm.dll | Flkohc32.exe
File created | C:\Windows\SysWOW64\Ecdofe32.dll | Bmhmgbif.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3720 | 4064 | WerFault.exe | 747
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpjndh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cipnng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Laknfmgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egbffj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bplofekp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nehjmppo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkccob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jaolad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibmhjc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mchmblji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djokgk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npieoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgfdjfkh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhfbmn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnecjgch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcaiqfib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npkaei32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oejgbonl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpfggeai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iclfccmq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odimdqne.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edidcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pipklo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jchobqnc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdhlphff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjgmhaim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oaaghp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omonmpcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajjeld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eccdmmpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nqlikc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obamebfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejpipf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnefiq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdpdpl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fblpnepn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbedmedg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Memonbnl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgjfflkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Empphi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gklkdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oenmkngi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eabgjeef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dklibf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjlaod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgkike32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjdqbbkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Geqnho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddgljced.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkmmpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jaaoakmc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjfjjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnncoini.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiahpkdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mebpchmb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcknqicd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afjplj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aliejq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiqegb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmcibdad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pegpamoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaaeegkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfhmai32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dodlfmlb.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbdmljln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmlbeoba.dll" Iclfccmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khkdmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aimckl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgapn32.dll" Dafchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnffmh32.dll" Gfhikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adekhkng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fipiqm32.dll" Jnncoini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdkmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgdco32.dll" Colegflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkngbj32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgkike32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kaojiqej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpnq32.dll" Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdjopf32.dll" Mgebfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgloo32.dll" Glajmppm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klmfmacc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aliejq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okefloqc.dll" Cpgieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpmelm.dll" Flkohc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amledj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngpfbjkg.dll" Pacqlcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ 
= "C:\\Windows\\SysWow64\\Inhpjehm.dll" Oenmkngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnmlpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmobpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmlkcpgf.dll" Bmfamg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhgnbehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcaghm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jaahgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gocpcfeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmqpinlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhfld32.dll" Lhnlqjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daplmimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eaoaafli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onkjocjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdophn32.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kplhfo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnajl32.dll" Dbnpcn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Almjcobe.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clehoiam.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbfebbc.dll" Dheljhof.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Giaddm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lldkem32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Domffn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipnge32.dll" Nhffikob.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfqaph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnmlpd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oifelfni.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdggbbn.dll" Jennjblp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdbdlp32.dll" Idagdm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjeblf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odimdqne.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mqhhbn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbddfe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahmln32.dll" Mhdcbjal.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jncenh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alpokdmi.dll" Ejpkho32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aggkdlod.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmcibdad.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bapejd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhocf32.dll" Eheblj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijkjde32.exe
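The rows above are one persistence mechanism seen from the registry side: a ShellServiceObjectDelayLoad value names CLSID {79ECA078-17FF-726B-E811-213280E5C831}, and the CLSID's InProcServer32 default value is repointed, by one dropped process after another, at a freshly dropped DLL in SysWow64 (Ecnajl32.dll, Gcbfebbc.dll, Iipnge32.dll, ...), which Explorer loads as a shell service object on startup. The Python below is an added example, not code from the sandbox or from the malware: it parses rows in the flattened form the report uses (action, key or value path, optional `= "data"`, process) and resolves the value name -> CLSID -> DLL chain. The InProcServer32 rows embedded in it are copied from the report; the ShellServiceObjectDelayLoad row is constructed in the same format as the report's autorun-key rows. The two details the parser has to get right are value names containing spaces ("Web Event Logger") and the doubled backslashes the report prints inside data strings.

```python
"""Parse flattened "Modifies registry class" rows into the SSODL persistence
chain (value name -> CLSID -> InProcServer32 DLL).

Added example; not code from the sandbox or the malware. InProcServer32 rows
are copied from the report; the ShellServiceObjectDelayLoad row is constructed
in the same format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLSID_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32'
SSODL_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# Rows joined with spaces, exactly as the report flattens its table.
SAMPLE_ROWS = (
    'Key created ' + CLSID_KEY + ' Kplhfo32.exe '
    + 'Set value (str) ' + CLSID_KEY + r'\ = "C:\\Windows\\SysWow64\\Ecnajl32.dll" Dbnpcn32.exe '
    + 'Set value (str) ' + CLSID_KEY + r'\ThreadingModel = "Apartment" Giaddm32.exe '
    + 'Set value (str) ' + CLSID_KEY + r'\ = "C:\\Windows\\SysWow64\\Gcbfebbc.dll" Dheljhof.exe '
    + 'Set value (str) ' + SSODL_KEY + r'\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qpnkjq32.exe'  # constructed row
)

# Cut the blob in front of every action keyword, then match one row per chunk.
SPLIT_RE = re.compile(r'(?=Key created |Set value \(str\) )')
ROW_RE = re.compile(r'^(Key created|Set value \(str\)) (.+?)(?: = "(.*)")? (\S+\.exe)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


@dataclass(frozen=True)
class RegistryEvent:
    action: str                 # "Key created" or "Set value (str)"
    key: str                    # registry key path
    value_name: Optional[str]   # None for key creation, "" for the (Default) value
    data: Optional[str]         # unescaped string data, None for key creation
    process: str                # image name of the process that made the change


def parse_registry_rows(blob: str) -> List[RegistryEvent]:
    events: List[RegistryEvent] = []
    for chunk in SPLIT_RE.split(blob):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ROW_RE.match(chunk)
        if not m:
            raise ValueError(f'unparsed row: {chunk[:60]!r}')
        action, path, data, process = m.groups()
        if action == 'Key created':
            events.append(RegistryEvent(action, path, None, None, process))
        else:
            # The value name is everything after the last backslash; a trailing
            # backslash means the (Default) value. The report doubles backslashes
            # inside data, so undo that.
            key, _, value_name = path.rpartition('\\')
            events.append(RegistryEvent(action, key, value_name, (data or '').replace('\\\\', '\\'), process))
    return events


def persistence_chain(events: List[RegistryEvent]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each SSODL value name to (CLSID, DLLs written as that CLSID's InProcServer32 default)."""
    ssodl: Dict[str, str] = {}
    inproc: Dict[str, set] = {}
    for ev in events:
        if ev.action != 'Set value (str)':
            continue
        if ev.key.endswith('\\ShellServiceObjectDelayLoad') and CLSID_RE.fullmatch(ev.data or ''):
            ssodl[ev.value_name] = ev.data.upper()
        elif ev.key.endswith('\\InProcServer32') and ev.value_name == '':
            m = CLSID_RE.search(ev.key)
            if m:
                inproc.setdefault(m.group(0).upper(), set()).add(ev.data)
    return {name: (clsid, sorted(inproc.get(clsid, ()))) for name, clsid in ssodl.items()}


def touched_by(events: List[RegistryEvent]) -> List[str]:
    """Every process that created or wrote the keys: all of them are dropped executables here."""
    return sorted({ev.process for ev in events})


if __name__ == '__main__':
    evs = parse_registry_rows(SAMPLE_ROWS)
    for name, (clsid, dlls) in persistence_chain(evs).items():
        print(f'{name} -> {clsid} -> {dlls}')
    print('written by:', ', '.join(touched_by(evs)))
```

On a live host the same chain is what to check: enumerate the values under ShellServiceObjectDelayLoad (both the native and the Wow6432Node view), resolve each CLSID's InProcServer32 under HKCR, and treat any entry whose DLL is unsigned or was written during the incident window as the persistence artifact to remove, together with the CLSID key itself.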
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (the report repeats every row four times; each distinct row is listed once here with its count)
PID 2248 wrote to memory of 2240 | 2248 | 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe | 30 | 4 rows
PID 2240 wrote to memory of 2900 | 2240 | Jlbhjkij.exe | 31 | 4 rows
PID 2900 wrote to memory of 1824 | 2900 | Jaopcbga.exe | 32 | 4 rows
PID 1824 wrote to memory of 2776 | 1824 | Jlgaek32.exe | 33 | 4 rows
PID 2776 wrote to memory of 2768 | 2776 | Jddbpmpm.exe | 34 | 4 rows
PID 2768 wrote to memory of 868 | 2768 | Kpkcdn32.exe | 35 | 4 rows
PID 868 wrote to memory of 1172 | 868 | Kjfdcc32.exe | 36 | 4 rows
PID 1172 wrote to memory of 3036 | 1172 | Kjhahb32.exe | 37 | 4 rows
PID 3036 wrote to memory of 2188 | 3036 | Llkgpmck.exe | 38 | 4 rows
PID 2188 wrote to memory of 2504 | 2188 | Lhbhdnio.exe | 39 | 4 rows
PID 2504 wrote to memory of 324 | 2504 | Lqbfdp32.exe | 40 | 4 rows
PID 324 wrote to memory of 2460 | 324 | Mfakbf32.exe | 41 | 4 rows
PID 2460 wrote to memory of 2568 | 2460 | Mcghajkq.exe | 42 | 4 rows
PID 2568 wrote to memory of 1844 | 2568 | Mlbmem32.exe | 43 | 4 rows
PID 1844 wrote to memory of 780 | 1844 | Nhngem32.exe | 44 | 4 rows
PID 780 wrote to memory of 2056 | 780 | Nebgoa32.exe | 45 | 4 rows
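The table is a linear chain: every writer is the child that the previous row wrote into, and the 64-IoC cap cuts it off after 16 hops. The Python below is an added example, not code from the sandbox: it parses rows in the flattened "PID X wrote to memory of Y X image N" form, keeps the repeat count per parent/child pair instead of discarding the duplicates, finds the root (the only writer that is never a target) and walks the chain, refusing to proceed if the tree branches or loops. The embedded rows are the first four hops copied from the table; the `* 4` reproduces the report's repetition.

```python
"""Rebuild the spawn chain from the flattened WriteProcessMemory table.

Added example; not part of the sandbox report. Rows are the first four hops
copied from the table above; the report lists each of them four times.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_ROWS = (
    "PID 2248 wrote to memory of 2240 2248 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe 30 " * 4
    + "PID 2240 wrote to memory of 2900 2240 Jlbhjkij.exe 31 " * 4
    + "PID 2900 wrote to memory of 1824 2900 Jaopcbga.exe 32 " * 4
    + "PID 1824 wrote to memory of 2776 1824 Jlgaek32.exe 33 " * 4
)

# description (writer pid, target pid), pid column, process image, procid_target.
# procid_target is the report's own reference number and is left uninterpreted.
ROW_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)')

Edge = Tuple[int, int]  # (writer pid, target pid)


def parse_wpm_rows(blob: str) -> Tuple[Counter, Dict[int, str]]:
    """Return call counts per (writer, target) edge and the image name of each writer."""
    calls: Counter = Counter()
    images: Dict[int, str] = {}
    for m in ROW_RE.finditer(blob):
        writer, target, pid_col, image, _ref = m.groups()
        if writer != pid_col:
            raise ValueError(f'pid column {pid_col} disagrees with description pid {writer}')
        calls[(int(writer), int(target))] += 1
        images[int(writer)] = image
    return calls, images


def spawn_tree(calls: Counter) -> Tuple[List[int], Dict[int, List[int]]]:
    """Roots (writers that are never a target) and the child list per writer."""
    children: Dict[int, List[int]] = defaultdict(list)
    targets = set()
    for writer, target in calls:            # Counter keys are unique edges
        children[writer].append(target)
        targets.add(target)
    return sorted(set(children) - targets), children


def walk_chain(calls: Counter, images: Dict[int, str]) -> List[Tuple[int, str, int]]:
    """[(pid, image, writes received from parent)] from the root down.

    Raises if the tree branches or cycles; a chain like the one in the report
    must do neither. The last pid is only ever a target, so its image is not
    in this table (the process tree below names it).
    """
    roots, children = spawn_tree(calls)
    if len(roots) != 1:
        raise ValueError(f'expected one root, found {roots}')
    chain: List[Tuple[int, str, int]] = []
    pid, received, seen = roots[0], 0, set()
    while True:
        if pid in seen:
            raise ValueError(f'cycle at pid {pid}')
        seen.add(pid)
        chain.append((pid, images.get(pid, '<not a writer in this table>'), received))
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) > 1:
            raise ValueError(f'pid {pid} wrote into more than one child: {kids}')
        received = calls[(pid, kids[0])]
        pid = kids[0]


if __name__ == '__main__':
    c, im = parse_wpm_rows(SAMPLE_ROWS)
    for depth, (pid, image, n) in enumerate(walk_chain(c, im), 1):
        print(f'{depth:3d}  pid {pid:<5d}  {image}  ({n} writes from parent)')
```

Writes by a parent into a child it has just created are also part of ordinary process creation, so this signature is weak on its own; the signal in this report is the unbroken chain of dropped, pseudo-randomly named executables, each spawning the next, not the WriteProcessMemory calls themselves.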
Processes
Each process is the child of the one above it (the ⤵ depth in the report's tree), so the run is a single chain 122 deep. Every child is launched from C:\Windows\SysWOW64 with a command line that names C:\Windows\system32; the two are the same file for these 32-bit processes because of WoW64 file-system redirection. The report lists at most 64 IoCs per signature (see the "64 IoCs" counts above), which is why "Executes dropped EXE" is no longer attached after depth 65 and "Suspicious use of WriteProcessMemory" after depth 16: a missing tag on a later process is a display limit, not evidence that the behaviour stopped.
1. C:\Users\Admin\AppData\Local\Temp\3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe, PID 2248, command line "C:\Users\Admin\AppData\Local\Temp\3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jlbhjkij.exe, PID 2240, command line C:\Windows\system32\Jlbhjkij.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jaopcbga.exe, PID 2900, command line C:\Windows\system32\Jaopcbga.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jlgaek32.exe, PID 1824, command line C:\Windows\system32\Jlgaek32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Jddbpmpm.exe, PID 2776, command line C:\Windows\system32\Jddbpmpm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kpkcdn32.exe, PID 2768, command line C:\Windows\system32\Kpkcdn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kjfdcc32.exe, PID 868, command line C:\Windows\system32\Kjfdcc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kjhahb32.exe, PID 1172, command line C:\Windows\system32\Kjhahb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Llkgpmck.exe, PID 3036, command line C:\Windows\system32\Llkgpmck.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lhbhdnio.exe, PID 2188, command line C:\Windows\system32\Lhbhdnio.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lqbfdp32.exe, PID 2504, command line C:\Windows\system32\Lqbfdp32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mfakbf32.exe, PID 324, command line C:\Windows\system32\Mfakbf32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mcghajkq.exe, PID 2460, command line C:\Windows\system32\Mcghajkq.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mlbmem32.exe, PID 2568, command line C:\Windows\system32\Mlbmem32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Nhngem32.exe, PID 1844, command line C:\Windows\system32\Nhngem32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Nebgoa32.exe, PID 780, command line C:\Windows\system32\Nebgoa32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Nfhmai32.exe, PID 2056, command line C:\Windows\system32\Nfhmai32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\Oiifcdhn.exe, PID 1552, command line C:\Windows\system32\Oiifcdhn.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Ohppjpkc.exe, PID 1088, command line C:\Windows\system32\Ohppjpkc.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Oahdce32.exe, PID 2316, command line C:\Windows\system32\Oahdce32.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Olnipn32.exe, PID 1772, command line C:\Windows\system32\Olnipn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Odimdqne.exe, PID 1188, command line C:\Windows\system32\Odimdqne.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
23. C:\Windows\SysWOW64\Pgjfflkf.exe, PID 2032, command line C:\Windows\system32\Pgjfflkf.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
24. C:\Windows\SysWOW64\Papkcd32.exe, PID 2224, command line C:\Windows\system32\Papkcd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Peapmhnk.exe, PID 2896, command line C:\Windows\system32\Peapmhnk.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Pgamgken.exe, PID 2948, command line C:\Windows\system32\Pgamgken.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
27. C:\Windows\SysWOW64\Polakmbi.exe, PID 2372, command line C:\Windows\system32\Polakmbi.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Qcjjakip.exe, PID 308, command line C:\Windows\system32\Qcjjakip.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Abachg32.exe, PID 2800, command line C:\Windows\system32\Abachg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
30. C:\Windows\SysWOW64\Agebam32.exe, PID 388, command line C:\Windows\system32\Agebam32.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Bjfkbhae.exe, PID 1684, command line C:\Windows\system32\Bjfkbhae.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Bcopkn32.exe, PID 2136, command line C:\Windows\system32\Bcopkn32.exe
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Beplcfmd.exe, PID 2508, command line C:\Windows\system32\Beplcfmd.exe
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Bbdmljln.exe, PID 2788, command line C:\Windows\system32\Bbdmljln.exe
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Bklaepbn.exe, PID 2296, command line C:\Windows\system32\Bklaepbn.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Bedene32.exe, PID 1956, command line C:\Windows\system32\Bedene32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
37. C:\Windows\SysWOW64\Bnmjgkpo.exe, PID 2260, command line C:\Windows\system32\Bnmjgkpo.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Ccjbobnf.exe, PID 2232, command line C:\Windows\system32\Ccjbobnf.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ceioieei.exe, PID 2500, command line C:\Windows\system32\Ceioieei.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Cfkkam32.exe, PID 1020, command line C:\Windows\system32\Cfkkam32.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Cmdcngbd.exe, PID 2532, command line C:\Windows\system32\Cmdcngbd.exe
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Cikdbhhi.exe, PID 2480, command line C:\Windows\system32\Cikdbhhi.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Cbcikn32.exe, PID 2388, command line C:\Windows\system32\Cbcikn32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Cpgieb32.exe, PID 112, command line C:\Windows\system32\Cpgieb32.exe
   - Executes dropped EXE
   - Modifies registry class
45. C:\Windows\SysWOW64\Cipnng32.exe, PID 2384, command line C:\Windows\system32\Cipnng32.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Domffn32.exe, PID 2660, command line C:\Windows\system32\Domffn32.exe
   - Executes dropped EXE
   - Modifies registry class
47. C:\Windows\SysWOW64\Dhekodik.exe, PID 1120, command line C:\Windows\system32\Dhekodik.exe
   - Executes dropped EXE
   - Drops file in System32 directory
48. C:\Windows\SysWOW64\Dplbpaim.exe, PID 2960, command line C:\Windows\system32\Dplbpaim.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Dhggdcgh.exe, PID 3016, command line C:\Windows\system32\Dhggdcgh.exe
   - Executes dropped EXE
   - Drops file in System32 directory
50. C:\Windows\SysWOW64\Daplmimi.exe, PID 2944, command line C:\Windows\system32\Daplmimi.exe
   - Executes dropped EXE
   - Modifies registry class
51. C:\Windows\SysWOW64\Dodlfmlb.exe, PID 2860, command line C:\Windows\system32\Dodlfmlb.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Ddqeodjj.exe, PID 2604, command line C:\Windows\system32\Ddqeodjj.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ddcadd32.exe, PID 592, command line C:\Windows\system32\Ddcadd32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
54. C:\Windows\SysWOW64\Emkfmioh.exe, PID 1708, command line C:\Windows\system32\Emkfmioh.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Echoepmo.exe, PID 2692, command line C:\Windows\system32\Echoepmo.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Eibgbj32.exe, PID 3060, command line C:\Windows\system32\Eibgbj32.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Empphi32.exe, PID 2736, command line C:\Windows\system32\Empphi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
58. C:\Windows\SysWOW64\Eoalpaaa.exe, PID 692, command line C:\Windows\system32\Eoalpaaa.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Eghdanac.exe, PID 2292, command line C:\Windows\system32\Eghdanac.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Eleliepj.exe, PID 2452, command line C:\Windows\system32\Eleliepj.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Ehlmnfeo.exe, PID 980, command line C:\Windows\system32\Ehlmnfeo.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Fepnhjdh.exe, PID 1556, command line C:\Windows\system32\Fepnhjdh.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Fljfdd32.exe, PID 948, command line C:\Windows\system32\Fljfdd32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Fagnmkjm.exe, PID 1836, command line C:\Windows\system32\Fagnmkjm.exe
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Fplknh32.exe, PID 1768, command line C:\Windows\system32\Fplknh32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Fjdpgnee.exe, PID 2668, command line C:\Windows\system32\Fjdpgnee.exe
67. C:\Windows\SysWOW64\Fghppa32.exe, PID 1740, command line C:\Windows\system32\Fghppa32.exe
   - Drops file in System32 directory
68. C:\Windows\SysWOW64\Fleihi32.exe, PID 1804, command line C:\Windows\system32\Fleihi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Fcoaebjc.exe, PID 2664, command line C:\Windows\system32\Fcoaebjc.exe
70. C:\Windows\SysWOW64\Gndebkii.exe, PID 2852, command line C:\Windows\system32\Gndebkii.exe
71. C:\Windows\SysWOW64\Gfpjgn32.exe, PID 3008, command line C:\Windows\system32\Gfpjgn32.exe
72. C:\Windows\SysWOW64\Gqendf32.exe, PID 2792, command line C:\Windows\system32\Gqendf32.exe
   - Drops file in System32 directory
73. C:\Windows\SysWOW64\Gmloigln.exe, PID 2732, command line C:\Windows\system32\Gmloigln.exe
74. C:\Windows\SysWOW64\Gfdcbmbn.exe, PID 2596, command line C:\Windows\system32\Gfdcbmbn.exe
75. C:\Windows\SysWOW64\Gomhkb32.exe, PID 2360, command line C:\Windows\system32\Gomhkb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Gdjpcj32.exe, PID 3064, command line C:\Windows\system32\Gdjpcj32.exe
77. C:\Windows\SysWOW64\Helmiiec.exe, PID 2696, command line C:\Windows\system32\Helmiiec.exe
78. C:\Windows\SysWOW64\Hkfeec32.exe, PID 2932, command line C:\Windows\system32\Hkfeec32.exe
79. C:\Windows\SysWOW64\Henjnica.exe, PID 2524, command line C:\Windows\system32\Henjnica.exe
80. C:\Windows\SysWOW64\Hminbkql.exe, PID 2124, command line C:\Windows\system32\Hminbkql.exe
81. C:\Windows\SysWOW64\Hjmolp32.exe, PID 2428, command line C:\Windows\system32\Hjmolp32.exe
82. C:\Windows\SysWOW64\Hpjgdf32.exe, PID 2208, command line C:\Windows\system32\Hpjgdf32.exe
83. C:\Windows\SysWOW64\Hajdniep.exe, PID 1500, command line C:\Windows\system32\Hajdniep.exe
84. C:\Windows\SysWOW64\Hbkpfa32.exe, PID 936, command line C:\Windows\system32\Hbkpfa32.exe
85. C:\Windows\SysWOW64\Ipoqofjh.exe, PID 1696, command line C:\Windows\system32\Ipoqofjh.exe
86. C:\Windows\SysWOW64\Ieligmho.exe, PID 2028, command line C:\Windows\system32\Ieligmho.exe
87. C:\Windows\SysWOW64\Ibpjaagi.exe, PID 1612, command line C:\Windows\system32\Ibpjaagi.exe
88. C:\Windows\SysWOW64\Iijbnkne.exe, PID 2952, command line C:\Windows\system32\Iijbnkne.exe
89. C:\Windows\SysWOW64\Iaegbmlq.exe, PID 3020, command line C:\Windows\system32\Iaegbmlq.exe
90. C:\Windows\SysWOW64\Iniglajj.exe, PID 2752, command line C:\Windows\system32\Iniglajj.exe
91. C:\Windows\SysWOW64\Ilmgef32.exe, PID 2608, command line C:\Windows\system32\Ilmgef32.exe
92. C:\Windows\SysWOW64\Ieelnkpd.exe, PID 1116, command line C:\Windows\system32\Ieelnkpd.exe
93. C:\Windows\SysWOW64\Jmpqbnmp.exe, PID 2368, command line C:\Windows\system32\Jmpqbnmp.exe
94. C:\Windows\SysWOW64\Jhfepfme.exe, PID 1968, command line C:\Windows\system32\Jhfepfme.exe
   - Drops file in System32 directory
95. C:\Windows\SysWOW64\Jpajdi32.exe, PID 836, command line C:\Windows\system32\Jpajdi32.exe
96. C:\Windows\SysWOW64\Kbflqccl.exe, PID 2284, command line C:\Windows\system32\Kbflqccl.exe
97. C:\Windows\SysWOW64\Kdjenkgh.exe, PID 2060, command line C:\Windows\system32\Kdjenkgh.exe
   - Drops file in System32 directory
98. C:\Windows\SysWOW64\Kdlbckee.exe, PID 1052, command line C:\Windows\system32\Kdlbckee.exe
99. C:\Windows\SysWOW64\Kneflplf.exe, PID 2644, command line C:\Windows\system32\Kneflplf.exe
100. C:\Windows\SysWOW64\Kgmkef32.exe, PID 1216, command line C:\Windows\system32\Kgmkef32.exe
101. C:\Windows\SysWOW64\Kcdljghj.exe, PID 2036, command line C:\Windows\system32\Kcdljghj.exe
102. C:\Windows\SysWOW64\Lkkckdhm.exe, PID 1604, command line C:\Windows\system32\Lkkckdhm.exe
103. C:\Windows\SysWOW64\Lgbdpena.exe, PID 1524, command line C:\Windows\system32\Lgbdpena.exe
104. C:\Windows\SysWOW64\Lnlmmo32.exe, PID 3068, command line C:\Windows\system32\Lnlmmo32.exe
105. C:\Windows\SysWOW64\Lpjiik32.exe, PID 2748, command line C:\Windows\system32\Lpjiik32.exe
106. C:\Windows\SysWOW64\Lpmeojbo.exe, PID 2064, command line C:\Windows\system32\Lpmeojbo.exe
107. C:\Windows\SysWOW64\Llcfck32.exe, PID 2092, command line C:\Windows\system32\Llcfck32.exe
108. C:\Windows\SysWOW64\Lobbpg32.exe, PID 1640, command line C:\Windows\system32\Lobbpg32.exe
109. C:\Windows\SysWOW64\Lkhcdhmk.exe, PID 1932, command line C:\Windows\system32\Lkhcdhmk.exe
110. C:\Windows\SysWOW64\Mgodjico.exe, PID 2300, command line C:\Windows\system32\Mgodjico.exe
111. C:\Windows\SysWOW64\Mqhhbn32.exe, PID 1096, command line C:\Windows\system32\Mqhhbn32.exe
   - Drops file in System32 directory
   - Modifies registry class
112. C:\Windows\SysWOW64\Mkmmpg32.exe, PID 1284, command line C:\Windows\system32\Mkmmpg32.exe
   - System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Mkpieggc.exe, PID 1924, command line C:\Windows\system32\Mkpieggc.exe
   - Drops file in System32 directory
114. C:\Windows\SysWOW64\Mnneabff.exe, PID 1716, command line C:\Windows\system32\Mnneabff.exe
115. C:\Windows\SysWOW64\Mcknjidn.exe, PID 1584, command line C:\Windows\system32\Mcknjidn.exe
116. C:\Windows\SysWOW64\Mjeffc32.exe, PID 2096, command line C:\Windows\system32\Mjeffc32.exe
117. C:\Windows\SysWOW64\Mqoocmcg.exe, PID 2884, command line C:\Windows\system32\Mqoocmcg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Nijcgp32.exe, PID 964, command line C:\Windows\system32\Nijcgp32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Nfncad32.exe, PID 2348, command line C:\Windows\system32\Nfncad32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Nilpmo32.exe, PID 3024, command line C:\Windows\system32\Nilpmo32.exe
121. C:\Windows\SysWOW64\Nlklik32.exe, PID 2704, command line C:\Windows\system32\Nlklik32.exe
122. C:\Windows\SysWOW64\Nbddfe32.exe, PID 2304, command line C:\Windows\system32\Nbddfe32.exe
   - Modifies registry class