Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 01:46
Behavioral task behavioral1
Sample: b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe
Resource: win10v2004-20241007-en
General

Target: b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe
Size: 391KB
MD5: ab2fcc1686a441370384ce8c6f9def17
SHA1: 71e081eb91ca5a7bc37137c8aa0746091e9612e3
SHA256: b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a
SHA512: c5fd040ceff520e440e6afa40de5b695c23c6397adbfabd215f94d655e8bd4ccf8ca4fc35666d80b1639a708387ef6bf2ec4bd055949c0593061bafa591fee5d
SSDEEP: 6144:Aat+Sd2oyaAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxLm:4Sd2PmNtuhUNP3cOK3D
Malware Config

Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, so the value written here makes Explorer load the in-process server registered for {79FAA099-1BAE-816E-D711-115290CEE717}, which is one of the dropped DLLs under SysWow64 (see "Modifies registry class"). Because the sample is 32-bit, WOW64 registry redirection placed the entry under Wow6432Node, which the 64-bit explorer.exe on this x64 image does not read; on a 32-bit Windows install the same write lands in the key Explorer consults.
Key: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (str)

Key created by (36 IoCs): Hgnokgcc.exe, Hgqlafap.exe, Kjhcag32.exe, Ohipla32.exe, Ajckilei.exe, Gcedad32.exe, Gajqbakc.exe, Cmkfji32.exe, Eblelb32.exe, Ebqngb32.exe, Blfapfpg.exe, b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe, Modlbmmn.exe, Hqiqjlga.exe, Bcpimq32.exe, Bbllnlfd.exe, Gaagcpdl.exe, Fdkmeiei.exe, Gecpnp32.exe, Kkojbf32.exe, Jbclgf32.exe, Anjnnk32.exe, Ckeqga32.exe, Hiioin32.exe, Bhonjg32.exe, Iakino32.exe, Lgngbmjp.exe, Dblhmoio.exe, Kmkihbho.exe, Onnnml32.exe, Cglalbbi.exe, Cogfqe32.exe, Eeagimdf.exe, Legaoehg.exe, Kbmome32.exe, Fmaeho32.exe

Set value (str) by (28 IoCs): Gkcekfad.exe, Bknjfb32.exe, Coicfd32.exe, Djocbqpb.exe, Fkhbgbkc.exe, Ndfnecgp.exe, Cbjlhpkb.exe, Dihmpinj.exe, Fmdbnnlj.exe, Ciagojda.exe, Honnki32.exe, Obbdml32.exe, Eafkhn32.exe, Fggmldfp.exe, Iakino32.exe, Jfmkbebl.exe, Fihfnp32.exe, Keqkofno.exe, Epbbkf32.exe, Bhkeohhn.exe, Lnecigcp.exe, Jnofgg32.exe, Ejaphpnp.exe, Lkdjglfo.exe, Aklabp32.exe, Kmimcbja.exe, Epeoaffo.exe, Ghgfekpn.exe
Berbew family

Executes dropped EXE (64 IoCs)
pid Process
1780 Kijkje32.exe
2660 Kpdcfoph.exe
2780 Keqkofno.exe
2736 Ldheebad.exe
2580 Legaoehg.exe
2524 Lkdjglfo.exe
2816 Lnecigcp.exe
1532 Lgngbmjp.exe
1296 Llmmpcfe.exe
2400 Mfeaiime.exe
1456 Mlafkb32.exe
2104 Mfjkdh32.exe
1736 Modlbmmn.exe
2424 Mimpkcdn.exe
832 Njpihk32.exe
1864 Ndfnecgp.exe
564 Nihcog32.exe
1816 Nflchkii.exe
2328 Nijpdfhm.exe
1000 Obbdml32.exe
2256 Ofqmcj32.exe
1844 Oioipf32.exe
1004 Oefjdgjk.exe
2316 Onnnml32.exe
1576 Ohfcfb32.exe
1596 Ojeobm32.exe
2612 Ohipla32.exe
2796 Pmehdh32.exe
2508 Pmhejhao.exe
808 Ppfafcpb.exe
2496 Pmjaohol.exe
2968 Ppinkcnp.exe
2004 Pfbfhm32.exe
1724 Plpopddd.exe
2252 Pbigmn32.exe
1628 Popgboae.exe
1800 Qiflohqk.exe
1952 Qkghgpfi.exe
3068 Qbnphngk.exe
2904 Qhkipdeb.exe
444 Aklabp32.exe
1688 Anjnnk32.exe
1316 Aknngo32.exe
1680 Anljck32.exe
2184 Ajckilei.exe
1028 Alageg32.exe
1760 Apmcefmf.exe
2924 Aejlnmkm.exe
2120 Apppkekc.exe
2716 Afliclij.exe
2532 Bhkeohhn.exe
2528 Blfapfpg.exe
2988 Bcpimq32.exe
2844 Bfoeil32.exe
2976 Bhmaeg32.exe
480 Blinefnd.exe
772 Bogjaamh.exe
2908 Baefnmml.exe
1312 Bhonjg32.exe
2488 Bknjfb32.exe
1096 Bfcodkcb.exe
980 Bhbkpgbf.exe
2284 Bkpglbaj.exe
688 Bbjpil32.exe
Loads dropped DLL (64 IoCs; each process below is recorded twice)
pid Process
2688 b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe
1780 Kijkje32.exe
2660 Kpdcfoph.exe
2780 Keqkofno.exe
2736 Ldheebad.exe
2580 Legaoehg.exe
2524 Lkdjglfo.exe
2816 Lnecigcp.exe
1532 Lgngbmjp.exe
1296 Llmmpcfe.exe
2400 Mfeaiime.exe
1456 Mlafkb32.exe
2104 Mfjkdh32.exe
1736 Modlbmmn.exe
2424 Mimpkcdn.exe
832 Njpihk32.exe
1864 Ndfnecgp.exe
564 Nihcog32.exe
1816 Nflchkii.exe
2328 Nijpdfhm.exe
1000 Obbdml32.exe
2256 Ofqmcj32.exe
1844 Oioipf32.exe
1004 Oefjdgjk.exe
2316 Onnnml32.exe
1576 Ohfcfb32.exe
1596 Ojeobm32.exe
2612 Ohipla32.exe
2796 Pmehdh32.exe
2508 Pmhejhao.exe
808 Ppfafcpb.exe
2496 Pmjaohol.exe
Drops file in System32 directory (64 IoCs)
description ioc Process
File created C:\Windows\SysWOW64\Popgboae.exe by Pbigmn32.exe
File created C:\Windows\SysWOW64\Hailie32.dll by Qbnphngk.exe
File created C:\Windows\SysWOW64\Bbjpil32.exe by Bkpglbaj.exe
File opened for modification C:\Windows\SysWOW64\Cehhdkjf.exe by Cbjlhpkb.exe
File created C:\Windows\SysWOW64\Aonalffc.dll by Iocgfhhc.exe
File created C:\Windows\SysWOW64\Jnokbe32.dll by Djlfma32.exe
File opened for modification C:\Windows\SysWOW64\Ghgfekpn.exe by Gdkjdl32.exe
File created C:\Windows\SysWOW64\Ohfcfb32.exe by Onnnml32.exe
File created C:\Windows\SysWOW64\Alelkg32.dll by Dboeco32.exe
File opened for modification C:\Windows\SysWOW64\Iocgfhhc.exe by Hiioin32.exe
File opened for modification C:\Windows\SysWOW64\Iinhdmma.exe by Ibcphc32.exe
File created C:\Windows\SysWOW64\Kkmmlgik.exe by Khnapkjg.exe
File created C:\Windows\SysWOW64\Kpdcfoph.exe by Kijkje32.exe
File created C:\Windows\SysWOW64\Lkdjglfo.exe by Legaoehg.exe
File opened for modification C:\Windows\SysWOW64\Coicfd32.exe by Cmkfji32.exe
File created C:\Windows\SysWOW64\Fakdcnhh.exe by Folhgbid.exe
File created C:\Windows\SysWOW64\Hjleia32.dll by Fkhbgbkc.exe
File created C:\Windows\SysWOW64\Gncnmane.exe by Goqnae32.exe
File opened for modification C:\Windows\SysWOW64\Jfjolf32.exe by Ieibdnnp.exe
File opened for modification C:\Windows\SysWOW64\Ckeqga32.exe by Bdkhjgeh.exe
File opened for modification C:\Windows\SysWOW64\Cjjnhnbl.exe by Cglalbbi.exe
File opened for modification C:\Windows\SysWOW64\Eafkhn32.exe by Epeoaffo.exe
File created C:\Windows\SysWOW64\Iikkon32.exe by Iikkon32.exe
File created C:\Windows\SysWOW64\Bnnjlmid.dll by Dkdmfe32.exe
File opened for modification C:\Windows\SysWOW64\Fglfgd32.exe by Fmdbnnlj.exe
File opened for modification C:\Windows\SysWOW64\Gajqbakc.exe by Gpidki32.exe
File created C:\Windows\SysWOW64\Gefmcp32.exe by Gajqbakc.exe
File created C:\Windows\SysWOW64\Hmpaom32.exe by Hffibceh.exe
File opened for modification C:\Windows\SysWOW64\Ieibdnnp.exe by Iamfdo32.exe
File created C:\Windows\SysWOW64\Jpbcek32.exe by Jnagmc32.exe
File opened for modification C:\Windows\SysWOW64\Jmipdo32.exe by Jbclgf32.exe
File created C:\Windows\SysWOW64\Pihbeaea.dll by Kmkihbho.exe
File created C:\Windows\SysWOW64\Bmbhcoif.dll by Aklabp32.exe
File opened for modification C:\Windows\SysWOW64\Bfoeil32.exe by Bcpimq32.exe
File opened for modification C:\Windows\SysWOW64\Ejcmmp32.exe by Eblelb32.exe
File opened for modification C:\Windows\SysWOW64\Hnkdnqhm.exe by Hgqlafap.exe
File opened for modification C:\Windows\SysWOW64\Cmmcpi32.exe by Ciagojda.exe
File opened for modification C:\Windows\SysWOW64\Fhbpkh32.exe by Feddombd.exe
File created C:\Windows\SysWOW64\Cmojeo32.dll by Jikhnaao.exe
File created C:\Windows\SysWOW64\Ckmhkeef.dll by Jllqplnp.exe
File created C:\Windows\SysWOW64\Jefbnacn.exe by Jnmiag32.exe
File created C:\Windows\SysWOW64\Mlafkb32.exe by Mfeaiime.exe
File created C:\Windows\SysWOW64\Dcoaml32.dll by Apmcefmf.exe
File opened for modification C:\Windows\SysWOW64\Bknjfb32.exe by Bhonjg32.exe
File opened for modification C:\Windows\SysWOW64\Eeagimdf.exe by Eafkhn32.exe
File created C:\Windows\SysWOW64\Gnlnhm32.dll by Gdkjdl32.exe
File created C:\Windows\SysWOW64\Iinhdmma.exe by Ibcphc32.exe
File created C:\Windows\SysWOW64\Ipbkjl32.dll by Kkojbf32.exe
File opened for modification C:\Windows\SysWOW64\Kpdcfoph.exe by Kijkje32.exe
File created C:\Windows\SysWOW64\Ppinkcnp.exe by Pmjaohol.exe
File created C:\Windows\SysWOW64\Blinefnd.exe by Bhmaeg32.exe
File created C:\Windows\SysWOW64\Ocimkc32.dll by Cjjnhnbl.exe
File created C:\Windows\SysWOW64\Djlfma32.exe by Dcbnpgkh.exe
File created C:\Windows\SysWOW64\Jmfjecle.dll by Fakdcnhh.exe
File opened for modification C:\Windows\SysWOW64\Gnfkba32.exe by Gglbfg32.exe
File opened for modification C:\Windows\SysWOW64\Ojeobm32.exe by Ohfcfb32.exe
File created C:\Windows\SysWOW64\Qbnphngk.exe by Qkghgpfi.exe
File opened for modification C:\Windows\SysWOW64\Bhmaeg32.exe by Bfoeil32.exe
File created C:\Windows\SysWOW64\Jlnmel32.exe by Jedehaea.exe
File created C:\Windows\SysWOW64\Cmmcpi32.exe by Ciagojda.exe
File opened for modification C:\Windows\SysWOW64\Hfhfhbce.exe by Honnki32.exe
File opened for modification C:\Windows\SysWOW64\Jpbcek32.exe by Jnagmc32.exe
File created C:\Windows\SysWOW64\Faibdo32.dll by Hnkdnqhm.exe
File created C:\Windows\SysWOW64\Kbmome32.exe by Klcgpkhh.exe
Program crash (1 IoC)
pid: 3660, pid_target: 3636, Process: WerFault.exe, procid_target: 247
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Ordinary locale APIs read the same key, so on its own this signature is weak evidence.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (64): Cfanmogq.exe, Iipejmko.exe, Aejlnmkm.exe, Gglbfg32.exe, Hdpcokdo.exe, Kmimcbja.exe, Dfcgbb32.exe, Glnhjjml.exe, Inhdgdmk.exe, Jpbcek32.exe, Llmmpcfe.exe, Fglfgd32.exe, Hnhgha32.exe, Gncnmane.exe, Mfjkdh32.exe, Ndfnecgp.exe, Obbdml32.exe, Bhdhefpc.exe, Fppaej32.exe, Pbigmn32.exe, Difqji32.exe, Jgjkfi32.exe, Gkcekfad.exe, Mfeaiime.exe, Bhmaeg32.exe, Ejaphpnp.exe, Elkofg32.exe, Libjncnc.exe, Ebqngb32.exe, Fggmldfp.exe, Ibcphc32.exe, Jlnmel32.exe, Kbmome32.exe, Lplbjm32.exe, Coicfd32.exe, Fmaeho32.exe, Hnkdnqhm.exe, Jikhnaao.exe, Jnmiag32.exe, Mimpkcdn.exe, Onnnml32.exe, Fmdbnnlj.exe, Hfhfhbce.exe, Gcedad32.exe, Iaimipjl.exe, Lnecigcp.exe, Ajckilei.exe, Edidqf32.exe, Epeoaffo.exe, Glklejoo.exe, Dgiaefgg.exe, Dnefhpma.exe, Pmhejhao.exe, Deakjjbk.exe, Gajqbakc.exe, Jedehaea.exe, Dkdmfe32.exe, Eeagimdf.exe, Gdkjdl32.exe, Jmipdo32.exe, Bcpimq32.exe, Cdmepgce.exe, Gaagcpdl.exe, Hgciff32.exe
Modifies registry class (64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}

Key created (CLSID key) by: b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe

Key created (InProcServer32 subkey) by (21 IoCs): Jcqlkjae.exe, Klcgpkhh.exe, Lplbjm32.exe, Modlbmmn.exe, Gaagcpdl.exe, Bhdhefpc.exe, Bbllnlfd.exe, Gpidki32.exe, Jikhnaao.exe, Ciokijfd.exe, Epbbkf32.exe, Bdkhjgeh.exe, Ghgfekpn.exe, Ndfnecgp.exe, Hjfnnajl.exe, Cjjnhnbl.exe, Ejaphpnp.exe, Iakino32.exe, Jllqplnp.exe, Ppfafcpb.exe, Pmjaohol.exe

Set value (str) InProcServer32\ThreadingModel = "Apartment" by (22 IoCs): Fpdkpiik.exe, Bbllnlfd.exe, Cglalbbi.exe, Pmehdh32.exe, Elibpg32.exe, Ebqngb32.exe, Jhenjmbb.exe, Jnofgg32.exe, Jpbcek32.exe, Lkdjglfo.exe, Apppkekc.exe, Legaoehg.exe, Qhkipdeb.exe, Fdiqpigl.exe, Llmmpcfe.exe, Hfhfhbce.exe, Fhbpkh32.exe, Gajqbakc.exe, Iocgfhhc.exe, Folhgbid.exe, Cbjlhpkb.exe, Fmdbnnlj.exe

Set value (str) InProcServer32\(Default) = server DLL path (20 IoCs):
"C:\\Windows\\SysWow64\\Gnlnhm32.dll" by Gdkjdl32.exe
"C:\\Windows\\SysWow64\\Baajep32.dll" by Gdnfjl32.exe
"C:\\Windows\\SysWow64\\Mnpkephg.dll" by Jedehaea.exe
"C:\\Windows\\SysWow64\\Dnhgdb32.dll" by Legaoehg.exe
"C:\\Windows\\SysWow64\\Npepbkgb.dll" by Cglalbbi.exe
"C:\\Windows\\SysWow64\\Ecfgpaco.dll" by Iikkon32.exe
"C:\\Windows\\SysWow64\\Ikaihg32.dll" by Ibcphc32.exe
"C:\\Windows\\SysWow64\\Knfddo32.dll" by Jlnmel32.exe
"C:\\Windows\\SysWow64\\Dhigkm32.dll" by Oioipf32.exe
"C:\\Windows\\SysWow64\\Acfgdc32.dll" by Bhonjg32.exe
"C:\\Windows\\SysWow64\\Ggegqe32.dll" by Hqiqjlga.exe
"C:\\Windows\\SysWow64\\Hhkbcb32.dll" by Njpihk32.exe
"C:\\Windows\\SysWow64\\Fgglcg32.dll" by Pmehdh32.exe
"C:\\Windows\\SysWow64\\Mommgm32.dll" by Dcbnpgkh.exe
"C:\\Windows\\SysWow64\\Ifemminl.dll" by Fhbpkh32.exe
"C:\\Windows\\SysWow64\\Jmfjecle.dll" by Fakdcnhh.exe
"C:\\Windows\\SysWow64\\Dnhanebc.dll" by Jmipdo32.exe
"C:\\Windows\\SysWow64\\Ekliqn32.dll" by Gkcekfad.exe
"C:\\Windows\\SysWow64\\Ccmkid32.dll" by Jcqlkjae.exe
"C:\\Windows\\SysWow64\\Bdmnkd32.dll" by Efjmbaba.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b01b30af93f2d65766bc816da7479c191b53417233a8a59e13700360ca7f8f9a.exe"; level 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kijkje32.exe (command line: C:\Windows\system32\Kijkje32.exe; level 2)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Kpdcfoph.exe (command line: C:\Windows\system32\Kpdcfoph.exe; level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Keqkofno.exe (command line: C:\Windows\system32\Keqkofno.exe; level 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ldheebad.exe (command line: C:\Windows\system32\Ldheebad.exe; level 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Legaoehg.exe (command line: C:\Windows\system32\Legaoehg.exe; level 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Lkdjglfo.exe (command line: C:\Windows\system32\Lkdjglfo.exe; level 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Lnecigcp.exe (command line: C:\Windows\system32\Lnecigcp.exe; level 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Lgngbmjp.exe (command line: C:\Windows\system32\Lgngbmjp.exe; level 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Llmmpcfe.exe (command line: C:\Windows\system32\Llmmpcfe.exe; level 10)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Mfeaiime.exe (command line: C:\Windows\system32\Mfeaiime.exe; level 11)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Mlafkb32.exe (command line: C:\Windows\system32\Mlafkb32.exe; level 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Mfjkdh32.exe (command line: C:\Windows\system32\Mfjkdh32.exe; level 13)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Modlbmmn.exe (command line: C:\Windows\system32\Modlbmmn.exe; level 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Mimpkcdn.exe (command line: C:\Windows\system32\Mimpkcdn.exe; level 15)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Njpihk32.exe (command line: C:\Windows\system32\Njpihk32.exe; level 16)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ndfnecgp.exe (command line: C:\Windows\system32\Ndfnecgp.exe; level 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Nihcog32.exe (command line: C:\Windows\system32\Nihcog32.exe; level 18)
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Nflchkii.exe (command line: C:\Windows\system32\Nflchkii.exe; level 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Nijpdfhm.exe (command line: C:\Windows\system32\Nijpdfhm.exe; level 20)
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Obbdml32.exe (command line: C:\Windows\system32\Obbdml32.exe; level 21)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Ofqmcj32.exe (command line: C:\Windows\system32\Ofqmcj32.exe; level 22)
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Oioipf32.exe (command line: C:\Windows\system32\Oioipf32.exe; level 23)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Oefjdgjk.exe (command line: C:\Windows\system32\Oefjdgjk.exe; level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Onnnml32.exe (command line: C:\Windows\system32\Onnnml32.exe; level 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Ohfcfb32.exe (command line: C:\Windows\system32\Ohfcfb32.exe; level 26)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Ojeobm32.exe (command line: C:\Windows\system32\Ojeobm32.exe; level 27)
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Ohipla32.exe (command line: C:\Windows\system32\Ohipla32.exe; level 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Pmehdh32.exe (command line: C:\Windows\system32\Pmehdh32.exe; level 29)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Pmhejhao.exe (command line: C:\Windows\system32\Pmhejhao.exe; level 30)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Ppfafcpb.exe (command line: C:\Windows\system32\Ppfafcpb.exe; level 31)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Pmjaohol.exe (command line: C:\Windows\system32\Pmjaohol.exe; level 32)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Ppinkcnp.exe (command line: C:\Windows\system32\Ppinkcnp.exe; level 33)
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Pfbfhm32.exe (command line: C:\Windows\system32\Pfbfhm32.exe; level 34)
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Plpopddd.exe (command line: C:\Windows\system32\Plpopddd.exe; level 35)
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pbigmn32.exe (command line: C:\Windows\system32\Pbigmn32.exe; level 36)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Popgboae.exe (command line: C:\Windows\system32\Popgboae.exe; level 37)
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Qiflohqk.exe (command line: C:\Windows\system32\Qiflohqk.exe; level 38)
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Qkghgpfi.exe (command line: C:\Windows\system32\Qkghgpfi.exe; level 39)
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Qbnphngk.exe (command line: C:\Windows\system32\Qbnphngk.exe; level 40)
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Qhkipdeb.exe (command line: C:\Windows\system32\Qhkipdeb.exe; level 41)
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Aklabp32.exe (command line: C:\Windows\system32\Aklabp32.exe; level 42)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Anjnnk32.exe (command line: C:\Windows\system32\Anjnnk32.exe; level 43)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Aknngo32.exe (command line: C:\Windows\system32\Aknngo32.exe; level 44)
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Anljck32.exe (command line: C:\Windows\system32\Anljck32.exe; level 45)
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ajckilei.exe (command line: C:\Windows\system32\Ajckilei.exe; level 46)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Alageg32.exe (command line: C:\Windows\system32\Alageg32.exe; level 47)
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Apmcefmf.exe (command line: C:\Windows\system32\Apmcefmf.exe; level 48)
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Aejlnmkm.exe (command line: C:\Windows\system32\Aejlnmkm.exe; level 49)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Apppkekc.exe (command line: C:\Windows\system32\Apppkekc.exe; level 50)
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Acnlgajg.exe (command line: C:\Windows\system32\Acnlgajg.exe; level 51)
PID:2700 -
C:\Windows\SysWOW64\Afliclij.exe (command line: C:\Windows\system32\Afliclij.exe; level 52)
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Bhkeohhn.exe (command line: C:\Windows\system32\Bhkeohhn.exe; level 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Blfapfpg.exe (command line: C:\Windows\system32\Blfapfpg.exe; level 54)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Bcpimq32.exe (command line: C:\Windows\system32\Bcpimq32.exe; level 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Bfoeil32.exe (command line: C:\Windows\system32\Bfoeil32.exe; level 56)
- Executes dropped EXE
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Bhmaeg32.exe (command line: C:\Windows\system32\Bhmaeg32.exe; level 57)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Blinefnd.exe (command line: C:\Windows\system32\Blinefnd.exe; level 58)
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Bogjaamh.exe (command line: C:\Windows\system32\Bogjaamh.exe; level 59)
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Baefnmml.exe (command line: C:\Windows\system32\Baefnmml.exe; level 60)
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bhonjg32.exe (command line: C:\Windows\system32\Bhonjg32.exe; level 61)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Bknjfb32.exe (command line: C:\Windows\system32\Bknjfb32.exe; level 62)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Bfcodkcb.exe (command line: C:\Windows\system32\Bfcodkcb.exe; level 63)
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Bhbkpgbf.exe (command line: C:\Windows\system32\Bhbkpgbf.exe; level 64)
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Bkpglbaj.exe (command line: C:\Windows\system32\Bkpglbaj.exe; level 65)
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Bbjpil32.exe (command line: C:\Windows\system32\Bbjpil32.exe; level 66)
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Bhdhefpc.exe (command line: C:\Windows\system32\Bhdhefpc.exe; level 67)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Bkbdabog.exe (command line: C:\Windows\system32\Bkbdabog.exe; level 68)
PID:1948 -
C:\Windows\SysWOW64\Bbllnlfd.exe (command line: C:\Windows\system32\Bbllnlfd.exe; level 69)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Bdkhjgeh.exe (command line: C:\Windows\system32\Bdkhjgeh.exe; level 70)
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Ckeqga32.exe (command line: C:\Windows\system32\Ckeqga32.exe; level 71)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Cncmcm32.exe (command line: C:\Windows\system32\Cncmcm32.exe; level 72)
PID:2640 -
C:\Windows\SysWOW64\Cdmepgce.exe (command line: C:\Windows\system32\Cdmepgce.exe; level 73)
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Cglalbbi.exe (command line: C:\Windows\system32\Cglalbbi.exe; level 74)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Cjjnhnbl.exe (command line: C:\Windows\system32\Cjjnhnbl.exe; level 75)
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Cogfqe32.exe (command line: C:\Windows\system32\Cogfqe32.exe; level 76)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Cfanmogq.exe (command line: C:\Windows\system32\Cfanmogq.exe; level 77)
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Ciokijfd.exe (command line: C:\Windows\system32\Ciokijfd.exe; level 78)
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Cmkfji32.exe (command line: C:\Windows\system32\Cmkfji32.exe; level 79)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Coicfd32.exe (command line: C:\Windows\system32\Coicfd32.exe; level 80)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Ciagojda.exe (command line: C:\Windows\system32\Ciagojda.exe; level 81)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Cmmcpi32.exe (command line: C:\Windows\system32\Cmmcpi32.exe; level 82)
PID:1556 -
C:\Windows\SysWOW64\Cbjlhpkb.exe (command line: C:\Windows\system32\Cbjlhpkb.exe; level 83)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Cehhdkjf.exe (command line: C:\Windows\system32\Cehhdkjf.exe; level 84)
PID:2416 -
C:\Windows\SysWOW64\Ckbpqe32.exe (command line: C:\Windows\system32\Ckbpqe32.exe; level 85)
PID:888 -
C:\Windows\SysWOW64\Dblhmoio.exe (command line: C:\Windows\system32\Dblhmoio.exe; level 86)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Difqji32.exe (command line: C:\Windows\system32\Difqji32.exe; level 87)
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Dgiaefgg.exe (command line: C:\Windows\system32\Dgiaefgg.exe; level 88)
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Dkdmfe32.exe (command line: C:\Windows\system32\Dkdmfe32.exe; level 89)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Dboeco32.exe (command line: C:\Windows\system32\Dboeco32.exe; level 90)
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Dihmpinj.exe (command line: C:\Windows\system32\Dihmpinj.exe; level 91)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1060 -
C:\Windows\SysWOW64\Dlgjldnm.exe (command line: C:\Windows\system32\Dlgjldnm.exe; level 92)
PID:1632 -
C:\Windows\SysWOW64\Dnefhpma.exe (command line: C:\Windows\system32\Dnefhpma.exe; level 93)
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Dcbnpgkh.exe (command line: C:\Windows\system32\Dcbnpgkh.exe; level 94)
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Djlfma32.exe (command line: C:\Windows\system32\Djlfma32.exe; level 95)
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Deakjjbk.exe (command line: C:\Windows\system32\Deakjjbk.exe; level 96)
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\Dfcgbb32.exe (command line: C:\Windows\system32\Dfcgbb32.exe; level 97)
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Djocbqpb.exe (command line: C:\Windows\system32\Djocbqpb.exe; level 98)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Dcghkf32.exe (command line: C:\Windows\system32\Dcghkf32.exe; level 99)
PID:1980 -
C:\Windows\SysWOW64\Ejaphpnp.exe (command line: C:\Windows\system32\Ejaphpnp.exe; level 100)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Emoldlmc.exe (command line: C:\Windows\system32\Emoldlmc.exe; level 101)
PID:336 -
C:\Windows\SysWOW64\Edidqf32.exe (command line: C:\Windows\system32\Edidqf32.exe; level 102)
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Eblelb32.exe (command line: C:\Windows\system32\Eblelb32.exe; level 103)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Ejcmmp32.exe (command line: C:\Windows\system32\Ejcmmp32.exe; level 104)
PID:2820 -
C:\Windows\SysWOW64\Efjmbaba.exe (command line: C:\Windows\system32\Efjmbaba.exe; level 105)
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Epbbkf32.exe (command line: C:\Windows\system32\Epbbkf32.exe; level 106)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Ebqngb32.exe (command line: C:\Windows\system32\Ebqngb32.exe; level 107)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Elibpg32.exe (command line: C:\Windows\system32\Elibpg32.exe; level 108)
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Epeoaffo.exe (command line: C:\Windows\system32\Epeoaffo.exe; level 109)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Eafkhn32.exe (command line: C:\Windows\system32\Eafkhn32.exe; level 110)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Eeagimdf.exe (command line: C:\Windows\system32\Eeagimdf.exe; level 111)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:464 -
C:\Windows\SysWOW64\Elkofg32.exe (command line: C:\Windows\system32\Elkofg32.exe; level 112)
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Eojlbb32.exe (command line: C:\Windows\system32\Eojlbb32.exe; level 113)
PID:2428 -
C:\Windows\SysWOW64\Feddombd.exe (command line: C:\Windows\system32\Feddombd.exe; level 114)
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\Fhbpkh32.exe (command line: C:\Windows\system32\Fhbpkh32.exe; level 115)
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Folhgbid.exe (command line: C:\Windows\system32\Folhgbid.exe; level 116)
- Drops file in System32 directory
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Fakdcnhh.exe (command line: C:\Windows\system32\Fakdcnhh.exe; level 117)
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Fdiqpigl.exe (command line: C:\Windows\system32\Fdiqpigl.exe; level 118)
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Fggmldfp.exe (command line: C:\Windows\system32\Fggmldfp.exe; level 119)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\SysWOW64\Fmaeho32.exe (command line: C:\Windows\system32\Fmaeho32.exe; level 120)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Fppaej32.exe (command line: C:\Windows\system32\Fppaej32.exe; level 121)
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Fdkmeiei.exe (command line: C:\Windows\system32\Fdkmeiei.exe; level 122)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220