Analysis
-
max time kernel
41s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 16:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe
-
Size
74KB
-
MD5
97c76365002554403b093886f7d574c0
-
SHA1
720ea74b383157157d40819f343a897fc540d79a
-
SHA256
813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5
-
SHA512
08d9a314e0873a4b900f8bd5b672ba39bbed2ed4ab98ddfe27aa5c727d2f33c13bb48a9e07d30551571177e82d94c45d46d66269e3c2f7ec46c4492b4583ed16
-
SSDEEP
1536:eWNM0FDlz7Ak9/zsh+a/HMBoNbTBcF6DHyNx14V4hq:W0FD9/zsh+akBoNXnDHyNx14V4hq
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jojloc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpoaheja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkaeob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biccfalm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gibkmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geilah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ockbdebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnpcpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcemnopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdnlcakk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqpebg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nanfqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpmdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfgbkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqllghon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfdpjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioefdpne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knaeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fheoiqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neibanod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjiljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdngip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefcmehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaplfinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfopnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpnngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nanfqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embkbdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abdeoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllaopcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcfoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knfopnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcacochk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naimepkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bggjjlnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhapocoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdepmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifbkgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmmffgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fefcmehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hchoop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailqfooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igeddb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogaeieoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcmkhi32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2776 Blniinac.exe 2844 Bdinnqon.exe 2676 Bggjjlnb.exe 2556 Cppobaeb.exe 1664 Cgjgol32.exe 1948 Caokmd32.exe 804 Cdngip32.exe 2104 Ckhpejbf.exe 1436 Cnflae32.exe 3040 Cgnpjkhj.exe 3048 Cjmmffgn.exe 2600 Cnhhge32.exe 380 Cgqmpkfg.exe 2380 Chbihc32.exe 1120 Cpiaipmh.exe 1312 Ccgnelll.exe 1924 Djafaf32.exe 1164 Donojm32.exe 876 Dcjjkkji.exe 2512 Ddkgbc32.exe 2008 Dhgccbhp.exe 2296 Dkeoongd.exe 764 Dboglhna.exe 1620 Dkgldm32.exe 1724 Dochelmj.exe 1692 Dbadagln.exe 2664 Dhklna32.exe 888 Dqfabdaf.exe 2836 Dcemnopj.exe 2840 Dklepmal.exe 2080 Dmmbge32.exe 2044 Dqinhcoc.exe 2908 Ejabqi32.exe 3028 Enmnahnm.exe 2896 Ecjgio32.exe 2808 Eifobe32.exe 1236 Embkbdce.exe 592 Ejfllhao.exe 2324 Eiilge32.exe 2164 Ecnpdnho.exe 1280 Efmlqigc.exe 2188 Elieipej.exe 828 Epeajo32.exe 2876 Ebcmfj32.exe 1848 Eebibf32.exe 2004 Egpena32.exe 2312 Fllaopcg.exe 1468 Fnjnkkbk.exe 2284 Fbfjkj32.exe 2736 Fedfgejh.exe 2956 Fipbhd32.exe 2208 Fhbbcail.exe 2660 Fjaoplho.exe 792 Fnmjpk32.exe 2316 Fakglf32.exe 2988 Fefcmehe.exe 672 Fheoiqgi.exe 2916 Fnogfk32.exe 2820 Fmbgageq.exe 2348 Feipbefb.exe 2096 Fhglop32.exe 2232 Ffjljmla.exe 1484 Fjfhkl32.exe 1100 Fappgflg.exe -
Loads dropped DLL 64 IoCs
pid Process 2172 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe 2172 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe 2776 Blniinac.exe 2776 Blniinac.exe 2844 Bdinnqon.exe 2844 Bdinnqon.exe 2676 Bggjjlnb.exe 2676 Bggjjlnb.exe 2556 Cppobaeb.exe 2556 Cppobaeb.exe 1664 Cgjgol32.exe 1664 Cgjgol32.exe 1948 Caokmd32.exe 1948 Caokmd32.exe 804 Cdngip32.exe 804 Cdngip32.exe 2104 Ckhpejbf.exe 2104 Ckhpejbf.exe 1436 Cnflae32.exe 1436 Cnflae32.exe 3040 Cgnpjkhj.exe 3040 Cgnpjkhj.exe 3048 Cjmmffgn.exe 3048 Cjmmffgn.exe 2600 Cnhhge32.exe 2600 Cnhhge32.exe 380 Cgqmpkfg.exe 380 Cgqmpkfg.exe 2380 Chbihc32.exe 2380 Chbihc32.exe 1120 Cpiaipmh.exe 1120 Cpiaipmh.exe 1312 Ccgnelll.exe 1312 Ccgnelll.exe 1924 Djafaf32.exe 1924 Djafaf32.exe 1164 Donojm32.exe 1164 Donojm32.exe 876 Dcjjkkji.exe 876 Dcjjkkji.exe 2512 Ddkgbc32.exe 2512 Ddkgbc32.exe 2008 Dhgccbhp.exe 2008 Dhgccbhp.exe 2296 Dkeoongd.exe 2296 Dkeoongd.exe 764 Dboglhna.exe 764 Dboglhna.exe 1620 Dkgldm32.exe 1620 Dkgldm32.exe 1724 Dochelmj.exe 1724 Dochelmj.exe 1692 Dbadagln.exe 1692 Dbadagln.exe 2664 Dhklna32.exe 2664 Dhklna32.exe 888 Dqfabdaf.exe 888 Dqfabdaf.exe 2836 Dcemnopj.exe 2836 Dcemnopj.exe 2840 Dklepmal.exe 2840 Dklepmal.exe 2080 Dmmbge32.exe 2080 Dmmbge32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cenmfbml.exe Cabaec32.exe File created C:\Windows\SysWOW64\Djenbd32.dll Caenkc32.exe File created C:\Windows\SysWOW64\Fdbnboph.dll Dbadagln.exe File created C:\Windows\SysWOW64\Jfkloj32.dll Kmklak32.exe File created C:\Windows\SysWOW64\Lbmnea32.exe Ldjmidcj.exe File created C:\Windows\SysWOW64\Dknnijed.dll Mllhne32.exe File created C:\Windows\SysWOW64\Pnfpjc32.exe Pkhdnh32.exe File created C:\Windows\SysWOW64\Hnkffi32.exe Hkmjjn32.exe File opened for modification C:\Windows\SysWOW64\Iqllghon.exe Iojopp32.exe File created C:\Windows\SysWOW64\Jmdiahco.exe Jjfmem32.exe File created C:\Windows\SysWOW64\Oqepgk32.exe Ongckp32.exe File opened for modification C:\Windows\SysWOW64\Ahhchk32.exe Aejglo32.exe File opened for modification C:\Windows\SysWOW64\Celpqbon.exe Capdpcge.exe File opened for modification C:\Windows\SysWOW64\Chjmmnnb.exe Celpqbon.exe File opened for modification C:\Windows\SysWOW64\Gampaipe.exe Gbjpem32.exe File created C:\Windows\SysWOW64\Lchqcd32.exe Lpldcfmd.exe File created C:\Windows\SysWOW64\Nanfqo32.exe Noojdc32.exe File opened for modification C:\Windows\SysWOW64\Aljmbknm.exe Ailqfooi.exe File created C:\Windows\SysWOW64\Lmnhgjmp.exe Ljplkonl.exe File opened for modification C:\Windows\SysWOW64\Ljbipolj.exe Lffmpp32.exe File opened for modification C:\Windows\SysWOW64\Mohhea32.exe Lljkif32.exe File created C:\Windows\SysWOW64\Binikb32.exe Bfpmog32.exe File created C:\Windows\SysWOW64\Dmmbge32.exe Dklepmal.exe File created C:\Windows\SysWOW64\Fllaopcg.exe Egpena32.exe File created C:\Windows\SysWOW64\Gaplfinb.exe Goapjnoo.exe File opened for modification C:\Windows\SysWOW64\Jgjmoace.exe Jcoanb32.exe File created C:\Windows\SysWOW64\Abbhje32.exe Apclnj32.exe File created C:\Windows\SysWOW64\Eccjdobp.dll Ejfllhao.exe File created C:\Windows\SysWOW64\Fgpcof32.dll Jmgfgham.exe File opened for modification C:\Windows\SysWOW64\Lmbabj32.exe Lekjal32.exe File created C:\Windows\SysWOW64\Naimepkp.exe Ncfmjc32.exe File created C:\Windows\SysWOW64\Jqlidcln.dll Codeih32.exe File created C:\Windows\SysWOW64\Bdinnqon.exe Blniinac.exe File created C:\Windows\SysWOW64\Nlnlqk32.dll Ghidcceo.exe File created C:\Windows\SysWOW64\Monmegdp.dll Mkohjbah.exe File created C:\Windows\SysWOW64\Gaocdi32.dll Apclnj32.exe File created C:\Windows\SysWOW64\Aejglo32.exe Abkkpd32.exe File opened for modification C:\Windows\SysWOW64\Ejfllhao.exe Embkbdce.exe File opened for modification C:\Windows\SysWOW64\Kbpnkm32.exe Kndbko32.exe File opened for modification C:\Windows\SysWOW64\Lljkif32.exe Lhoohgdg.exe File created C:\Windows\SysWOW64\Occlcg32.exe Oqepgk32.exe File created C:\Windows\SysWOW64\Lidilk32.exe Ljbipolj.exe File created C:\Windows\SysWOW64\Gimpofjk.dll Ninhamne.exe File opened for modification C:\Windows\SysWOW64\Nipefmkb.exe Naimepkp.exe File created C:\Windows\SysWOW64\Qmepanje.exe Qijdqp32.exe File created C:\Windows\SysWOW64\Iagiph32.dll Ohjkcile.exe File created C:\Windows\SysWOW64\Fhglop32.exe Feipbefb.exe File created C:\Windows\SysWOW64\Goocenaa.exe Ghekhd32.exe File opened for modification C:\Windows\SysWOW64\Hoalia32.exe Hnppaill.exe File created C:\Windows\SysWOW64\Jqpebg32.exe Jmdiahco.exe File created C:\Windows\SysWOW64\Fappgflg.exe Fjfhkl32.exe File created C:\Windows\SysWOW64\Pchbmigj.exe Pajeanhf.exe File opened for modification C:\Windows\SysWOW64\Aegkfpah.exe Abinjdad.exe File opened for modification C:\Windows\SysWOW64\Bmgifa32.exe Bjiljf32.exe File created C:\Windows\SysWOW64\Kegmaomi.dll Oqepgk32.exe File created C:\Windows\SysWOW64\Cenancce.dll Igcgnbim.exe File opened for modification C:\Windows\SysWOW64\Kkefoc32.exe Kgjjndeq.exe File opened for modification C:\Windows\SysWOW64\Lbmnea32.exe Ldjmidcj.exe File opened for modification C:\Windows\SysWOW64\Noojdc32.exe Nlanhh32.exe File opened for modification C:\Windows\SysWOW64\Blniinac.exe 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe File created C:\Windows\SysWOW64\Bggjjlnb.exe Bdinnqon.exe File created C:\Windows\SysWOW64\Hadfah32.exe Hmijajbd.exe File created C:\Windows\SysWOW64\Kipdmjne.dll Bhjpnj32.exe File opened for modification C:\Windows\SysWOW64\Cobhdhha.exe Clclhmin.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibgkjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffjljmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbgageq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohhea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohjbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnogfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghghnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekjal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgodcich.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchbmigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnpjkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedbfimc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadbqlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgmbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcofid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjkcile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcien32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Celpqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnkcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhhkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnofp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijimli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkbnibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clclhmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjnkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfoeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goocenaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neblqoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beldao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiaipmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjjndeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdpjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mllhne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogaeieoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailqfooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjmmnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhglop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbnkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peqhgmdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqgilnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpdnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglfcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqiiaih.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djafaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll" Epeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjlfgfl.dll" Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nloachkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaocdi32.dll" Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapgnji.dll" Capdpcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjjcdeh.dll" Ijimli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joebccpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldiiel.dll" Ljbipolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lilomj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqgilnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnpcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll" Cobhdhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efmlqigc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iocioq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bldpiifb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmkjgfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdgkicek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjmmffgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecllkodg.dll" Gedbfimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpbigma.dll" Bjiljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caokmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligleljk.dll" Mkfojakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgmoob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naimepkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojdjqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keiqlihp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maiqfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnkiebib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfacdqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmpgd32.dll" Ndjfgkha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kglfcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ollqllod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneibo32.dll" Fikelhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjigapme.dll" Ohengmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcoanb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbhhkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlanhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqddq32.dll" Bdinnqon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmgfgham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knfopnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncmib32.dll" Aiqjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll" Chhpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkedjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hadfah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagiph32.dll" Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglhaeef.dll" Occlcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2776 2172 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe 30 PID 2172 wrote to memory of 2776 2172 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe 30 PID 2172 wrote to memory of 2776 2172 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe 30 PID 2172 wrote to memory of 2776 2172 813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe 30 PID 2776 wrote to memory of 2844 2776 Blniinac.exe 31 PID 2776 wrote to memory of 2844 2776 Blniinac.exe 31 PID 2776 wrote to memory of 2844 2776 Blniinac.exe 31 PID 2776 wrote to memory of 2844 2776 Blniinac.exe 31 PID 2844 wrote to memory of 2676 2844 Bdinnqon.exe 32 PID 2844 wrote to memory of 2676 2844 Bdinnqon.exe 32 PID 2844 wrote to memory of 2676 2844 Bdinnqon.exe 32 PID 2844 wrote to memory of 2676 2844 Bdinnqon.exe 32 PID 2676 wrote to memory of 2556 2676 Bggjjlnb.exe 33 PID 2676 wrote to memory of 2556 2676 Bggjjlnb.exe 33 PID 2676 wrote to memory of 2556 2676 Bggjjlnb.exe 33 PID 2676 wrote to memory of 2556 2676 Bggjjlnb.exe 33 PID 2556 wrote to memory of 1664 2556 Cppobaeb.exe 34 PID 2556 wrote to memory of 1664 2556 Cppobaeb.exe 34 PID 2556 wrote to memory of 1664 2556 Cppobaeb.exe 34 PID 2556 wrote to memory of 1664 2556 Cppobaeb.exe 34 PID 1664 wrote to memory of 1948 1664 Cgjgol32.exe 35 PID 1664 wrote to memory of 1948 1664 Cgjgol32.exe 35 PID 1664 wrote to memory of 1948 1664 Cgjgol32.exe 35 PID 1664 wrote to memory of 1948 1664 Cgjgol32.exe 35 PID 1948 wrote to memory of 804 1948 Caokmd32.exe 36 PID 1948 wrote to memory of 804 1948 Caokmd32.exe 36 PID 1948 wrote to memory of 804 1948 Caokmd32.exe 36 PID 1948 wrote to memory of 804 1948 Caokmd32.exe 36 PID 804 wrote to memory of 2104 804 Cdngip32.exe 37 PID 804 wrote to memory of 2104 804 Cdngip32.exe 37 PID 804 wrote to memory of 2104 804 Cdngip32.exe 37 PID 804 wrote to memory of 2104 804 Cdngip32.exe 37 PID 2104 wrote to memory of 1436 2104 Ckhpejbf.exe 38 PID 2104 wrote to memory of 1436 2104 Ckhpejbf.exe 38 PID 2104 wrote to memory of 1436 2104 Ckhpejbf.exe 38 PID 2104 wrote to memory of 1436 2104 Ckhpejbf.exe 38 PID 1436 wrote to memory of 3040 1436 Cnflae32.exe 39 PID 1436 wrote to memory of 3040 1436 Cnflae32.exe 39 PID 1436 wrote to memory of 3040 1436 Cnflae32.exe 39 PID 1436 wrote to memory of 3040 1436 Cnflae32.exe 39 PID 3040 wrote to memory of 3048 3040 Cgnpjkhj.exe 40 PID 3040 wrote to memory of 3048 3040 Cgnpjkhj.exe 40 PID 3040 wrote to memory of 3048 3040 Cgnpjkhj.exe 40 PID 3040 wrote to memory of 3048 3040 Cgnpjkhj.exe 40 PID 3048 wrote to memory of 2600 3048 Cjmmffgn.exe 41 PID 3048 wrote to memory of 2600 3048 Cjmmffgn.exe 41 PID 3048 wrote to memory of 2600 3048 Cjmmffgn.exe 41 PID 3048 wrote to memory of 2600 3048 Cjmmffgn.exe 41 PID 2600 wrote to memory of 380 2600 Cnhhge32.exe 42 PID 2600 wrote to memory of 380 2600 Cnhhge32.exe 42 PID 2600 wrote to memory of 380 2600 Cnhhge32.exe 42 PID 2600 wrote to memory of 380 2600 Cnhhge32.exe 42 PID 380 wrote to memory of 2380 380 Cgqmpkfg.exe 43 PID 380 wrote to memory of 2380 380 Cgqmpkfg.exe 43 PID 380 wrote to memory of 2380 380 Cgqmpkfg.exe 43 PID 380 wrote to memory of 2380 380 Cgqmpkfg.exe 43 PID 2380 wrote to memory of 1120 2380 Chbihc32.exe 44 PID 2380 wrote to memory of 1120 2380 Chbihc32.exe 44 PID 2380 wrote to memory of 1120 2380 Chbihc32.exe 44 PID 2380 wrote to memory of 1120 2380 Chbihc32.exe 44 PID 1120 wrote to memory of 1312 1120 Cpiaipmh.exe 45 PID 1120 wrote to memory of 1312 1120 Cpiaipmh.exe 45 PID 1120 wrote to memory of 1312 1120 Cpiaipmh.exe 45 PID 1120 wrote to memory of 1312 1120 Cpiaipmh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe"C:\Users\Admin\AppData\Local\Temp\813842ddf316f1ce8951d55455d6f445847fe4228adf950ca1fba4f2d545bdd5N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Cgnpjkhj.exeC:\Windows\system32\Cgnpjkhj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Cpiaipmh.exeC:\Windows\system32\Cpiaipmh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Dkgldm32.exeC:\Windows\system32\Dkgldm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Dqfabdaf.exeC:\Windows\system32\Dqfabdaf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Dcemnopj.exeC:\Windows\system32\Dcemnopj.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe33⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe34⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe35⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe36⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe37⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe40⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Efmlqigc.exeC:\Windows\system32\Efmlqigc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe43⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Epeajo32.exeC:\Windows\system32\Epeajo32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Ebcmfj32.exeC:\Windows\system32\Ebcmfj32.exe45⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Eebibf32.exeC:\Windows\system32\Eebibf32.exe46⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Fllaopcg.exeC:\Windows\system32\Fllaopcg.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe51⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe53⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe54⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe55⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe56⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Fmbgageq.exeC:\Windows\system32\Fmbgageq.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Feipbefb.exeC:\Windows\system32\Feipbefb.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Ffjljmla.exeC:\Windows\system32\Ffjljmla.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe67⤵PID:2372
-
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe68⤵PID:372
-
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe69⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe70⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe71⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe74⤵PID:2192
-
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe75⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe76⤵PID:2884
-
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe78⤵PID:2460
-
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe80⤵PID:1768
-
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe81⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Glnkcc32.exeC:\Windows\system32\Glnkcc32.exe82⤵
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe83⤵PID:2472
-
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe86⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe87⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe88⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe89⤵PID:2652
-
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe92⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1348 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe95⤵PID:376
-
C:\Windows\SysWOW64\Ghidcceo.exeC:\Windows\system32\Ghidcceo.exe96⤵
- Drops file in System32 directory
PID:676 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe97⤵PID:2220
-
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe98⤵PID:816
-
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe99⤵PID:1628
-
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe100⤵PID:2356
-
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe101⤵PID:2756
-
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe102⤵PID:2708
-
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe104⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe105⤵PID:2944
-
C:\Windows\SysWOW64\Hkmjjn32.exeC:\Windows\system32\Hkmjjn32.exe106⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe107⤵PID:1080
-
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe108⤵PID:2272
-
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe111⤵
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe112⤵PID:644
-
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe113⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe114⤵PID:2912
-
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe115⤵PID:2540
-
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe116⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe117⤵PID:2880
-
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe118⤵PID:1984
-
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe119⤵PID:448
-
C:\Windows\SysWOW64\Iocioq32.exeC:\Windows\system32\Iocioq32.exe120⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe121⤵
- Modifies registry class
PID:2276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-