Analysis
-
max time kernel
45s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25/12/2024, 14:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe
-
Size
74KB
-
MD5
4d023c2e264442fc8c53ba9144fa5ae0
-
SHA1
33174c3d5984fa49413272cbaf90f78a25d3d71c
-
SHA256
afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0b
-
SHA512
1789ea6264bca5b17f683a486e6d005322d60e00fcbfc87f68c6652a458ff0fd1ded7e90a3a51a8a8df96c1c91c97053196a03748f0928de4e82f46b54cf1ddc
-
SSDEEP
1536:rUapZ+Lxcb9LBdplEIP86BJZ7K1CNT+K8:r7yG9LBdjfEqhx8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdlkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khkdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqqbgoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bncboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebmaoed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnicemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcehpbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpledf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngiiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjndca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilaieljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jblbpnhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhcehngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkjfhile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjahg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmihn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqomkimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okomappb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjbfbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fajpdmgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlifjjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pebbeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccoplcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpgmak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkohanoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickoimie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obilip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgefmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meolcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jchjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jficbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfonhgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjjdijo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfehq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdoaackf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcjbfbmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiichkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpigeblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocoobngl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgbhibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcmeogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hinlck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblbpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkbjmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pinqoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgqcam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdnffpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkakad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdpfiekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhlgnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnekcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efllcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koeeoljm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcedbefd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkheal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehphdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeihfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmlnmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oamohenq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ighfecdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qibhao32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2028 Gemfghek.exe 2172 Gnhkkjbf.exe 2912 Ghmohcbl.exe 2888 Gjolpkhj.exe 2936 Gnoaliln.exe 2736 Hhhblgim.exe 2296 Hkiknb32.exe 1152 Hnjdpm32.exe 2120 Hgbhibio.exe 948 Iclfccmq.exe 1208 Ifloeo32.exe 1072 Ijjgkmqh.exe 2568 Ijmdql32.exe 2204 Jiaaaicm.exe 1748 Jbjejojn.exe 1932 Jblbpnhk.exe 1652 Jocceo32.exe 2232 Jhlgnd32.exe 2364 Jdbhcfjd.exe 772 Khpaidpk.exe 1820 Kaieai32.exe 828 Kghkppbp.exe 576 Kldchgag.exe 1512 Khkdmh32.exe 2620 Khnqbhdi.exe 2656 Leaallcb.exe 1608 Lnaokn32.exe 2880 Lgjcdc32.exe 2976 Lndlamke.exe 2876 Mccaodgj.exe 2728 Mlkegimk.exe 2720 Mkconepp.exe 2236 Mfhcknpf.exe 1036 Nqbdllld.exe 2868 Nqdaal32.exe 872 Ndbjgjqh.exe 2676 Olgehh32.exe 3020 Opennf32.exe 1640 Obffpa32.exe 1908 Ohcohh32.exe 2508 Ompgqonl.exe 1996 Phhhchlp.exe 2436 Piiekp32.exe 1828 Ppejmj32.exe 2496 Pebbeq32.exe 1728 Qlnghj32.exe 1096 Qbhpddbf.exe 928 Qibhao32.exe 2040 Qeihfp32.exe 2608 Akfaof32.exe 432 Aekelo32.exe 2800 Anfjpa32.exe 1736 Ahlnmjkf.exe 2440 Aniffaim.exe 2972 Acfonhgd.exe 2712 Ankckagj.exe 2292 Agchdfmk.exe 1032 Annpaq32.exe 1680 Boolhikf.exe 3052 Bhgaan32.exe 2500 Bcmeogam.exe 1408 Bjgmka32.exe 2128 Bkhjcing.exe 2600 Bfnnpbnn.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe 2412 afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe 2028 Gemfghek.exe 2028 Gemfghek.exe 2172 Gnhkkjbf.exe 2172 Gnhkkjbf.exe 2912 Ghmohcbl.exe 2912 Ghmohcbl.exe 2888 Gjolpkhj.exe 2888 Gjolpkhj.exe 2936 Gnoaliln.exe 2936 Gnoaliln.exe 2736 Hhhblgim.exe 2736 Hhhblgim.exe 2296 Hkiknb32.exe 2296 Hkiknb32.exe 1152 Hnjdpm32.exe 1152 Hnjdpm32.exe 2120 Hgbhibio.exe 2120 Hgbhibio.exe 948 Iclfccmq.exe 948 Iclfccmq.exe 1208 Ifloeo32.exe 1208 Ifloeo32.exe 1072 Ijjgkmqh.exe 1072 Ijjgkmqh.exe 2568 Ijmdql32.exe 2568 Ijmdql32.exe 2204 Jiaaaicm.exe 2204 Jiaaaicm.exe 1748 Jbjejojn.exe 1748 Jbjejojn.exe 1932 Jblbpnhk.exe 1932 Jblbpnhk.exe 1652 Jocceo32.exe 1652 Jocceo32.exe 2232 Jhlgnd32.exe 2232 Jhlgnd32.exe 2364 Jdbhcfjd.exe 2364 Jdbhcfjd.exe 772 Khpaidpk.exe 772 Khpaidpk.exe 1820 Kaieai32.exe 1820 Kaieai32.exe 828 Kghkppbp.exe 828 Kghkppbp.exe 576 Kldchgag.exe 576 Kldchgag.exe 1512 Khkdmh32.exe 1512 Khkdmh32.exe 2620 Khnqbhdi.exe 2620 Khnqbhdi.exe 2424 Ldgnmhhj.exe 2424 Ldgnmhhj.exe 1608 Lnaokn32.exe 1608 Lnaokn32.exe 2880 Lgjcdc32.exe 2880 Lgjcdc32.exe 2976 Lndlamke.exe 2976 Lndlamke.exe 2876 Mccaodgj.exe 2876 Mccaodgj.exe 2728 Mlkegimk.exe 2728 Mlkegimk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Anfjpa32.exe Aekelo32.exe File created C:\Windows\SysWOW64\Ponfcl32.dll Khdgabih.exe File opened for modification C:\Windows\SysWOW64\Akpmhdqd.exe Qmomelml.exe File created C:\Windows\SysWOW64\Dbgqnm32.dll Efllcf32.exe File created C:\Windows\SysWOW64\Ocoobngl.exe Ojgkih32.exe File created C:\Windows\SysWOW64\Dhaboi32.exe Dcdjgbed.exe File created C:\Windows\SysWOW64\Gnhkkjbf.exe Gemfghek.exe File opened for modification C:\Windows\SysWOW64\Bbdoec32.exe Bkjfhile.exe File opened for modification C:\Windows\SysWOW64\Nogjbbma.exe Njjbjk32.exe File opened for modification C:\Windows\SysWOW64\Oqomkimg.exe Nidhfgpl.exe File created C:\Windows\SysWOW64\Ppejmj32.exe Piiekp32.exe File created C:\Windows\SysWOW64\Lpbmcd32.dll Fpojlp32.exe File created C:\Windows\SysWOW64\Mkiemqdo.exe Lhkiae32.exe File opened for modification C:\Windows\SysWOW64\Mahgejhf.exe Meafpibb.exe File created C:\Windows\SysWOW64\Pacbel32.exe Pembpkfi.exe File created C:\Windows\SysWOW64\Jpigjb32.dll Fplgljbm.exe File opened for modification C:\Windows\SysWOW64\Gnocdb32.exe Gcjogidl.exe File created C:\Windows\SysWOW64\Qeengo32.dll Bmahbhei.exe File created C:\Windows\SysWOW64\Pjgqkp32.dll Cadfbi32.exe File created C:\Windows\SysWOW64\Iiicjf32.dll Ieohfemq.exe File created C:\Windows\SysWOW64\Ikmjnnah.exe Iaheqe32.exe File created C:\Windows\SysWOW64\Oafclh32.exe Oqcffi32.exe File created C:\Windows\SysWOW64\Djhldahb.exe Dpbgghhl.exe File created C:\Windows\SysWOW64\Hdgjdhmg.dll Gmcmomjc.exe File opened for modification C:\Windows\SysWOW64\Mpmfoodb.exe Micnbe32.exe File created C:\Windows\SysWOW64\Cefpmiji.exe Cpigeblb.exe File opened for modification C:\Windows\SysWOW64\Emdjbi32.exe Eclejclg.exe File created C:\Windows\SysWOW64\Fgibijkb.exe Fpojlp32.exe File opened for modification C:\Windows\SysWOW64\Koeeoljm.exe Kfnmnojj.exe File opened for modification C:\Windows\SysWOW64\Eibbqmhd.exe Elnagijk.exe File opened for modification C:\Windows\SysWOW64\Gkjahg32.exe Gdpikmci.exe File created C:\Windows\SysWOW64\Qhjdoo32.dll Klgbfo32.exe File created C:\Windows\SysWOW64\Nnidchqp.exe Nabcog32.exe File opened for modification C:\Windows\SysWOW64\Dcdjgbed.exe Cjlenm32.exe File created C:\Windows\SysWOW64\Pjlifjjb.exe Pneiaidn.exe File opened for modification C:\Windows\SysWOW64\Acfonhgd.exe Aniffaim.exe File created C:\Windows\SysWOW64\Ankckagj.exe Acfonhgd.exe File opened for modification C:\Windows\SysWOW64\Cilfka32.exe Cgjjdijo.exe File created C:\Windows\SysWOW64\Cnekcblk.exe Cclkcdpl.exe File created C:\Windows\SysWOW64\Fadcae32.dll Ocjfgo32.exe File created C:\Windows\SysWOW64\Fmqpinlf.exe Fajpdmgb.exe File created C:\Windows\SysWOW64\Mccaodgj.exe Lndlamke.exe File created C:\Windows\SysWOW64\Bkhjcing.exe Bjgmka32.exe File created C:\Windows\SysWOW64\Fmbkgfki.dll Dkohanoc.exe File opened for modification C:\Windows\SysWOW64\Hhhblgim.exe Gnoaliln.exe File created C:\Windows\SysWOW64\Eecipl32.dll Enagnc32.exe File created C:\Windows\SysWOW64\Gjoiokgo.dll Gdedoegh.exe File created C:\Windows\SysWOW64\Gogbanaf.dll Lgjcdc32.exe File opened for modification C:\Windows\SysWOW64\Bohoogbk.exe Bhngbm32.exe File created C:\Windows\SysWOW64\Emilqb32.exe Denglpkc.exe File opened for modification C:\Windows\SysWOW64\Odbhofjh.exe Onipbl32.exe File created C:\Windows\SysWOW64\Gqebij32.dll Fmqpinlf.exe File created C:\Windows\SysWOW64\Hkdmaenk.exe Hhfqejoh.exe File created C:\Windows\SysWOW64\Kknjeong.dll Jchjqc32.exe File created C:\Windows\SysWOW64\Cclkcdpl.exe Cblniaii.exe File created C:\Windows\SysWOW64\Hnmcne32.exe Hhpjfoji.exe File opened for modification C:\Windows\SysWOW64\Pmecdgbk.exe Pghklq32.exe File created C:\Windows\SysWOW64\Idnpdn32.dll Enjcfm32.exe File created C:\Windows\SysWOW64\Hfkdpp32.dll Emdjbi32.exe File opened for modification C:\Windows\SysWOW64\Iapghlbe.exe Iankbldh.exe File created C:\Windows\SysWOW64\Kononm32.exe Khdgabih.exe File created C:\Windows\SysWOW64\Hjhaob32.exe Hpplfm32.exe File created C:\Windows\SysWOW64\Canhcacd.dll Pmecdgbk.exe File opened for modification C:\Windows\SysWOW64\Lbncbgoh.exe Lblflgqk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2712 4972 WerFault.exe 494 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anfjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Annpaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgpjgph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaeeoihj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieaekdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooiepnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoefea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpeajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edbonh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdaal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eodknifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajpdmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnagehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbiggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmqpinlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbohmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejmljg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpndkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmecdgbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpfiekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfaof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqamaeii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohkhjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheekb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmjjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadfbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhgaan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnljkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnhdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foacmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekqqea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcehpbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpedmhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odbhofjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoekhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpfoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcjbfbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnmnojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidhfgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmamliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jficbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfigdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnaokn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcedbefd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpndlobg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjcncak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpiffngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laidie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpogjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplgljbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heedbbdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abejlj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icnealbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mchmblji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekcdegqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpigeblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekqqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hghhngjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgpjpnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afojgiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdpfiekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfpndkel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikmjnnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndgbohdn.dll" Jbhkngcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohdkop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqaliabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjdmee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhgbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhahmqom.dll" Glgcec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjgmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkhjcing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khdgabih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgpjcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkecohk.dll" Lfbibfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbhgbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khpaidpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhlmef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koeeoljm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiccle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebjfiboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbgqnm32.dll" Efllcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbgdcapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqaliabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glgcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajkmmb32.dll" Dmllgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieohfemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmlofhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbpmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjlmpk32.dll" Ohfgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoaan32.dll" Khkdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbgnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpolb32.dll" Dcffmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hobfgcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajpci32.dll" Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abehhc32.dll" Amalcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndif32.dll" Iankbldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jiaaaicm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieaekdkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lanmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahjcqcdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camepc32.dll" Glmckikf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljjkgfig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lblflgqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdbhcfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aihmhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogbanaf.dll" Lgjcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbilgok.dll" Bkjfhile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlfbck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdpikmci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blplkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhoo32.dll" Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiohb32.dll" Iclfccmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klmfmacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhfnf32.dll" Ndclpb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2028 2412 afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe 29 PID 2412 wrote to memory of 2028 2412 afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe 29 PID 2412 wrote to memory of 2028 2412 afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe 29 PID 2412 wrote to memory of 2028 2412 afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe 29 PID 2028 wrote to memory of 2172 2028 Gemfghek.exe 30 PID 2028 wrote to memory of 2172 2028 Gemfghek.exe 30 PID 2028 wrote to memory of 2172 2028 Gemfghek.exe 30 PID 2028 wrote to memory of 2172 2028 Gemfghek.exe 30 PID 2172 wrote to memory of 2912 2172 Gnhkkjbf.exe 31 PID 2172 wrote to memory of 2912 2172 Gnhkkjbf.exe 31 PID 2172 wrote to memory of 2912 2172 Gnhkkjbf.exe 31 PID 2172 wrote to memory of 2912 2172 Gnhkkjbf.exe 31 PID 2912 wrote to memory of 2888 2912 Ghmohcbl.exe 32 PID 2912 wrote to memory of 2888 2912 Ghmohcbl.exe 32 PID 2912 wrote to memory of 2888 2912 Ghmohcbl.exe 32 PID 2912 wrote to memory of 2888 2912 Ghmohcbl.exe 32 PID 2888 wrote to memory of 2936 2888 Gjolpkhj.exe 33 PID 2888 wrote to memory of 2936 2888 Gjolpkhj.exe 33 PID 2888 wrote to memory of 2936 2888 Gjolpkhj.exe 33 PID 2888 wrote to memory of 2936 2888 Gjolpkhj.exe 33 PID 2936 wrote to memory of 2736 2936 Gnoaliln.exe 34 PID 2936 wrote to memory of 2736 2936 Gnoaliln.exe 34 PID 2936 wrote to memory of 2736 2936 Gnoaliln.exe 34 PID 2936 wrote to memory of 2736 2936 Gnoaliln.exe 34 PID 2736 wrote to memory of 2296 2736 Hhhblgim.exe 35 PID 2736 wrote to memory of 2296 2736 Hhhblgim.exe 35 PID 2736 wrote to memory of 2296 2736 Hhhblgim.exe 35 PID 2736 wrote to memory of 2296 2736 Hhhblgim.exe 35 PID 2296 wrote to memory of 1152 2296 Hkiknb32.exe 36 PID 2296 wrote to memory of 1152 2296 Hkiknb32.exe 36 PID 2296 wrote to memory of 1152 2296 Hkiknb32.exe 36 PID 2296 wrote to memory of 1152 2296 Hkiknb32.exe 36 PID 1152 wrote to memory of 2120 1152 Hnjdpm32.exe 37 PID 1152 wrote to memory of 2120 1152 Hnjdpm32.exe 37 PID 1152 wrote to memory of 2120 1152 Hnjdpm32.exe 37 PID 1152 wrote to memory of 2120 1152 Hnjdpm32.exe 37 PID 2120 wrote to memory of 948 2120 Hgbhibio.exe 38 PID 2120 wrote to memory of 948 2120 Hgbhibio.exe 38 PID 2120 wrote to memory of 948 2120 Hgbhibio.exe 38 PID 2120 wrote to memory of 948 2120 Hgbhibio.exe 38 PID 948 wrote to memory of 1208 948 Iclfccmq.exe 39 PID 948 wrote to memory of 1208 948 Iclfccmq.exe 39 PID 948 wrote to memory of 1208 948 Iclfccmq.exe 39 PID 948 wrote to memory of 1208 948 Iclfccmq.exe 39 PID 1208 wrote to memory of 1072 1208 Ifloeo32.exe 40 PID 1208 wrote to memory of 1072 1208 Ifloeo32.exe 40 PID 1208 wrote to memory of 1072 1208 Ifloeo32.exe 40 PID 1208 wrote to memory of 1072 1208 Ifloeo32.exe 40 PID 1072 wrote to memory of 2568 1072 Ijjgkmqh.exe 41 PID 1072 wrote to memory of 2568 1072 Ijjgkmqh.exe 41 PID 1072 wrote to memory of 2568 1072 Ijjgkmqh.exe 41 PID 1072 wrote to memory of 2568 1072 Ijjgkmqh.exe 41 PID 2568 wrote to memory of 2204 2568 Ijmdql32.exe 42 PID 2568 wrote to memory of 2204 2568 Ijmdql32.exe 42 PID 2568 wrote to memory of 2204 2568 Ijmdql32.exe 42 PID 2568 wrote to memory of 2204 2568 Ijmdql32.exe 42 PID 2204 wrote to memory of 1748 2204 Jiaaaicm.exe 43 PID 2204 wrote to memory of 1748 2204 Jiaaaicm.exe 43 PID 2204 wrote to memory of 1748 2204 Jiaaaicm.exe 43 PID 2204 wrote to memory of 1748 2204 Jiaaaicm.exe 43 PID 1748 wrote to memory of 1932 1748 Jbjejojn.exe 44 PID 1748 wrote to memory of 1932 1748 Jbjejojn.exe 44 PID 1748 wrote to memory of 1932 1748 Jbjejojn.exe 44 PID 1748 wrote to memory of 1932 1748 Jbjejojn.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe"C:\Users\Admin\AppData\Local\Temp\afb3185563241c8415d546483485f3ee118896762c6421ebe0ad254d29425a0bN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Gemfghek.exeC:\Windows\system32\Gemfghek.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Gnhkkjbf.exeC:\Windows\system32\Gnhkkjbf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Gjolpkhj.exeC:\Windows\system32\Gjolpkhj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Gnoaliln.exeC:\Windows\system32\Gnoaliln.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hhhblgim.exeC:\Windows\system32\Hhhblgim.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Hkiknb32.exeC:\Windows\system32\Hkiknb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Hnjdpm32.exeC:\Windows\system32\Hnjdpm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Hgbhibio.exeC:\Windows\system32\Hgbhibio.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Iclfccmq.exeC:\Windows\system32\Iclfccmq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Ijjgkmqh.exeC:\Windows\system32\Ijjgkmqh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Ijmdql32.exeC:\Windows\system32\Ijmdql32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Jiaaaicm.exeC:\Windows\system32\Jiaaaicm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Jocceo32.exeC:\Windows\system32\Jocceo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Jhlgnd32.exeC:\Windows\system32\Jhlgnd32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Jdbhcfjd.exeC:\Windows\system32\Jdbhcfjd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Khpaidpk.exeC:\Windows\system32\Khpaidpk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Kaieai32.exeC:\Windows\system32\Kaieai32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Kghkppbp.exeC:\Windows\system32\Kghkppbp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Kldchgag.exeC:\Windows\system32\Kldchgag.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Khnqbhdi.exeC:\Windows\system32\Khnqbhdi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Leaallcb.exeC:\Windows\system32\Leaallcb.exe27⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Ldgnmhhj.exeC:\Windows\system32\Ldgnmhhj.exe28⤵
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Lnaokn32.exeC:\Windows\system32\Lnaokn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Lgjcdc32.exeC:\Windows\system32\Lgjcdc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Lndlamke.exeC:\Windows\system32\Lndlamke.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Mccaodgj.exeC:\Windows\system32\Mccaodgj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Mlkegimk.exeC:\Windows\system32\Mlkegimk.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe34⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe35⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Nqbdllld.exeC:\Windows\system32\Nqbdllld.exe36⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Nqdaal32.exeC:\Windows\system32\Nqdaal32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Ndbjgjqh.exeC:\Windows\system32\Ndbjgjqh.exe38⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Olgehh32.exeC:\Windows\system32\Olgehh32.exe39⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Opennf32.exeC:\Windows\system32\Opennf32.exe40⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe41⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe42⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Ompgqonl.exeC:\Windows\system32\Ompgqonl.exe43⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe44⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Piiekp32.exeC:\Windows\system32\Piiekp32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe46⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Pebbeq32.exeC:\Windows\system32\Pebbeq32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe48⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe49⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Qibhao32.exeC:\Windows\system32\Qibhao32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Qeihfp32.exeC:\Windows\system32\Qeihfp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Akfaof32.exeC:\Windows\system32\Akfaof32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe55⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Aniffaim.exeC:\Windows\system32\Aniffaim.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe59⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Annpaq32.exeC:\Windows\system32\Annpaq32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Boolhikf.exeC:\Windows\system32\Boolhikf.exe61⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Bcmeogam.exeC:\Windows\system32\Bcmeogam.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Bjgmka32.exeC:\Windows\system32\Bjgmka32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe66⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Bbdoec32.exeC:\Windows\system32\Bbdoec32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe69⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe70⤵PID:2484
-
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe71⤵PID:472
-
C:\Windows\SysWOW64\Cjbpoeoj.exeC:\Windows\system32\Cjbpoeoj.exe72⤵PID:2064
-
C:\Windows\SysWOW64\Ccjehkek.exeC:\Windows\system32\Ccjehkek.exe73⤵PID:1600
-
C:\Windows\SysWOW64\Cjdmee32.exeC:\Windows\system32\Cjdmee32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2228 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Cilfka32.exeC:\Windows\system32\Cilfka32.exe78⤵PID:1576
-
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe79⤵PID:1788
-
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe80⤵PID:1476
-
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe81⤵PID:1816
-
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe82⤵
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Degqka32.exeC:\Windows\system32\Degqka32.exe83⤵PID:2536
-
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe84⤵PID:2136
-
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe85⤵PID:2592
-
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe86⤵PID:960
-
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe87⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Denglpkc.exeC:\Windows\system32\Denglpkc.exe88⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Emilqb32.exeC:\Windows\system32\Emilqb32.exe89⤵PID:2344
-
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Epjdbn32.exeC:\Windows\system32\Epjdbn32.exe91⤵PID:2808
-
C:\Windows\SysWOW64\Emnelbdi.exeC:\Windows\system32\Emnelbdi.exe92⤵PID:844
-
C:\Windows\SysWOW64\Effidg32.exeC:\Windows\system32\Effidg32.exe93⤵PID:1644
-
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe94⤵PID:1524
-
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe95⤵PID:2504
-
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe96⤵
- System Location Discovery: System Language Discovery
PID:320 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe97⤵PID:2248
-
C:\Windows\SysWOW64\Fofhdidp.exeC:\Windows\system32\Fofhdidp.exe98⤵PID:2132
-
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe99⤵PID:1144
-
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe100⤵PID:1700
-
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe101⤵PID:368
-
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe102⤵PID:2316
-
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe104⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Fgibijkb.exeC:\Windows\system32\Fgibijkb.exe105⤵PID:2892
-
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe106⤵PID:2684
-
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe107⤵PID:2780
-
C:\Windows\SysWOW64\Gdophn32.exeC:\Windows\system32\Gdophn32.exe108⤵PID:1732
-
C:\Windows\SysWOW64\Ggmldj32.exeC:\Windows\system32\Ggmldj32.exe109⤵PID:552
-
C:\Windows\SysWOW64\Hopgikop.exeC:\Windows\system32\Hopgikop.exe110⤵PID:2448
-
C:\Windows\SysWOW64\Hkfgnldd.exeC:\Windows\system32\Hkfgnldd.exe111⤵PID:952
-
C:\Windows\SysWOW64\Hnljkf32.exeC:\Windows\system32\Hnljkf32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe113⤵PID:752
-
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:456 -
C:\Windows\SysWOW64\Ijegeg32.exeC:\Windows\system32\Ijegeg32.exe115⤵PID:2460
-
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Ieohfemq.exeC:\Windows\system32\Ieohfemq.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Ingmoj32.exeC:\Windows\system32\Ingmoj32.exe118⤵PID:2820
-
C:\Windows\SysWOW64\Ieaekdkn.exeC:\Windows\system32\Ieaekdkn.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Ikkmho32.exeC:\Windows\system32\Ikkmho32.exe120⤵PID:3000
-
C:\Windows\SysWOW64\Iaheqe32.exeC:\Windows\system32\Iaheqe32.exe121⤵
- Drops file in System32 directory
PID:3044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-