Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-01-2025 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe
-
Size
295KB
-
MD5
b1f894651704fe4429f4918eb4901b10
-
SHA1
f21fce5154c6bda9626e2a12458cfce2a81401c2
-
SHA256
be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6baf
-
SHA512
5995fa480b411fd77fe12bf17152f474918d6bc472bbbdc89774dd95530c6aba859f89094b5a25cb7eb9bcca9f2b82f999ff7ada76aed6b123b8e3b49c0a3b5c
-
SSDEEP
6144:L7KJVqGVqM47KW1PY1PRe19V+tbFOLM77OLY:L7KJViD6fe0tsNM
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghmmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnphdceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fabaocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bolcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfhfhbce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjqamme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpbmkan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfodfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljldnhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pddjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iieepbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oefjdgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcdlhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmqapci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijcngenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdlhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccnifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpcokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkpqlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjmfnok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqjefamk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejlnmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iieepbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnjicjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfalqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnmmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbnphngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbpqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmaeho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcqjfeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncpdbohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofcbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcalnii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnokgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikqnlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpacf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2340 Pojecajj.exe 1708 Paiaplin.exe 2680 Pdgmlhha.exe 2696 Qppkfhlc.exe 2832 Qlgkki32.exe 2804 Apedah32.exe 2616 Aebmjo32.exe 536 Aojabdlf.exe 1888 Akabgebj.exe 2776 Afffenbp.exe 1996 Aficjnpm.exe 348 Agjobffl.exe 2104 Aqbdkk32.exe 448 Bmlael32.exe 1948 Bqgmfkhg.exe 2168 Bchfhfeh.exe 752 Boogmgkl.exe 2248 Bkegah32.exe 1096 Cbblda32.exe 2100 Cfmhdpnc.exe 2860 Cebeem32.exe 1020 Cnkjnb32.exe 3016 Cgcnghpl.exe 2296 Cjakccop.exe 2228 Djdgic32.exe 2408 Dnpciaef.exe 2972 Diidjpbe.exe 2664 Daplkmbg.exe 2900 Dljmlj32.exe 2824 Dpeiligo.exe 3040 Debadpeg.exe 1440 Dphfbiem.exe 1432 Deenjpcd.exe 1652 Domccejd.exe 1496 Eibgpnjk.exe 1492 Elacliin.exe 2640 Ekdchf32.exe 2072 Ebklic32.exe 1156 Edoefl32.exe 980 Ekhmcelc.exe 1916 Emifeqid.exe 700 Ephbal32.exe 1420 Edcnakpa.exe 1900 Egajnfoe.exe 1944 Ekmfne32.exe 2320 Fgdgcfmb.exe 1180 Feggob32.exe 1368 Fmnopp32.exe 2440 Fplllkdc.exe 2736 Fgfdie32.exe 2656 Flclam32.exe 2596 Foahmh32.exe 2192 Fhjmfnok.exe 1120 Fkhibino.exe 2768 Fcpacf32.exe 1564 Fabaocfl.exe 1688 Fdqnkoep.exe 1600 Fkkfgi32.exe 1832 Fnibcd32.exe 1584 Gdcjpncm.exe 1292 Ghofam32.exe 1548 Goiongbc.exe 300 Gnkoid32.exe 1520 Gpjkeoha.exe -
Loads dropped DLL 64 IoCs
pid Process 2032 be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe 2032 be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe 2340 Pojecajj.exe 2340 Pojecajj.exe 1708 Paiaplin.exe 1708 Paiaplin.exe 2680 Pdgmlhha.exe 2680 Pdgmlhha.exe 2696 Qppkfhlc.exe 2696 Qppkfhlc.exe 2832 Qlgkki32.exe 2832 Qlgkki32.exe 2804 Apedah32.exe 2804 Apedah32.exe 2616 Aebmjo32.exe 2616 Aebmjo32.exe 536 Aojabdlf.exe 536 Aojabdlf.exe 1888 Akabgebj.exe 1888 Akabgebj.exe 2776 Afffenbp.exe 2776 Afffenbp.exe 1996 Aficjnpm.exe 1996 Aficjnpm.exe 348 Agjobffl.exe 348 Agjobffl.exe 2104 Aqbdkk32.exe 2104 Aqbdkk32.exe 448 Bmlael32.exe 448 Bmlael32.exe 1948 Bqgmfkhg.exe 1948 Bqgmfkhg.exe 2168 Bchfhfeh.exe 2168 Bchfhfeh.exe 752 Boogmgkl.exe 752 Boogmgkl.exe 2248 Bkegah32.exe 2248 Bkegah32.exe 1096 Cbblda32.exe 1096 Cbblda32.exe 2100 Cfmhdpnc.exe 2100 Cfmhdpnc.exe 2860 Cebeem32.exe 2860 Cebeem32.exe 1020 Cnkjnb32.exe 1020 Cnkjnb32.exe 3016 Cgcnghpl.exe 3016 Cgcnghpl.exe 2296 Cjakccop.exe 2296 Cjakccop.exe 2228 Djdgic32.exe 2228 Djdgic32.exe 2408 Dnpciaef.exe 2408 Dnpciaef.exe 2972 Diidjpbe.exe 2972 Diidjpbe.exe 2664 Daplkmbg.exe 2664 Daplkmbg.exe 2900 Dljmlj32.exe 2900 Dljmlj32.exe 2824 Dpeiligo.exe 2824 Dpeiligo.exe 3040 Debadpeg.exe 3040 Debadpeg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Omckoi32.exe Onqkclni.exe File created C:\Windows\SysWOW64\Ajckilei.exe Ageompfe.exe File created C:\Windows\SysWOW64\Aobpfb32.exe Apppkekc.exe File opened for modification C:\Windows\SysWOW64\Hnmacpfj.exe Hgciff32.exe File created C:\Windows\SysWOW64\Qgejemnf.dll Cbblda32.exe File created C:\Windows\SysWOW64\Djdgic32.exe Cjakccop.exe File created C:\Windows\SysWOW64\Jjipagod.dll Emifeqid.exe File created C:\Windows\SysWOW64\Emljol32.dll Fgdgcfmb.exe File created C:\Windows\SysWOW64\Olbogqoe.exe Odkgec32.exe File opened for modification C:\Windows\SysWOW64\Ageompfe.exe Adfbpega.exe File created C:\Windows\SysWOW64\Bkknac32.exe Bjjaikoa.exe File created C:\Windows\SysWOW64\Fganph32.dll Fcqjfeja.exe File created C:\Windows\SysWOW64\Pcflap32.dll Debadpeg.exe File opened for modification C:\Windows\SysWOW64\Fkkfgi32.exe Fdqnkoep.exe File opened for modification C:\Windows\SysWOW64\Gfnjne32.exe Godaakic.exe File created C:\Windows\SysWOW64\Odkgec32.exe Objjnkie.exe File created C:\Windows\SysWOW64\Gkaobghp.dll Iknafhjb.exe File created C:\Windows\SysWOW64\Lplbjm32.exe Llpfjomf.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pdgmlhha.exe File opened for modification C:\Windows\SysWOW64\Onlahm32.exe Ohbikbkb.exe File opened for modification C:\Windows\SysWOW64\Eknpadcn.exe Eimcjl32.exe File opened for modification C:\Windows\SysWOW64\Hjfnnajl.exe Hfjbmb32.exe File created C:\Windows\SysWOW64\Godaakic.exe Gqaafn32.exe File created C:\Windows\SysWOW64\Pdnfmn32.dll Kdnkdmec.exe File opened for modification C:\Windows\SysWOW64\Adaiee32.exe Qmhahkdj.exe File opened for modification C:\Windows\SysWOW64\Difqji32.exe Dfhdnn32.exe File created C:\Windows\SysWOW64\Fkqlgc32.exe Flnlkgjq.exe File opened for modification C:\Windows\SysWOW64\Hdpcokdo.exe Gqdgom32.exe File opened for modification C:\Windows\SysWOW64\Goiongbc.exe Ghofam32.exe File opened for modification C:\Windows\SysWOW64\Lgingm32.exe Legaoehg.exe File created C:\Windows\SysWOW64\Ojgidcjn.dll Omhhke32.exe File created C:\Windows\SysWOW64\Qdompf32.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Iebldo32.exe Ibcphc32.exe File created C:\Windows\SysWOW64\Hjleia32.dll Fijbco32.exe File created C:\Windows\SysWOW64\Jllqplnp.exe Jimdcqom.exe File created C:\Windows\SysWOW64\Pcdapknb.dll Keioca32.exe File opened for modification C:\Windows\SysWOW64\Dphfbiem.exe Debadpeg.exe File created C:\Windows\SysWOW64\Hdecea32.exe Hbggif32.exe File created C:\Windows\SysWOW64\Kajiigba.exe Kcginj32.exe File opened for modification C:\Windows\SysWOW64\Oefjdgjk.exe Oajndh32.exe File created C:\Windows\SysWOW64\Dbkngi32.dll Onlahm32.exe File opened for modification C:\Windows\SysWOW64\Jggoqimd.exe Ieibdnnp.exe File opened for modification C:\Windows\SysWOW64\Edoefl32.exe Ebklic32.exe File opened for modification C:\Windows\SysWOW64\Jenbjc32.exe Jacfidem.exe File opened for modification C:\Windows\SysWOW64\Kcginj32.exe Kkpqlm32.exe File created C:\Windows\SysWOW64\Fniamd32.dll Mblbnj32.exe File created C:\Windows\SysWOW64\Hddgloho.dll Mnglnj32.exe File created C:\Windows\SysWOW64\Onnnml32.exe Olpbaa32.exe File created C:\Windows\SysWOW64\Piliii32.exe Pfnmmn32.exe File opened for modification C:\Windows\SysWOW64\Iakino32.exe Ijaaae32.exe File created C:\Windows\SysWOW64\Najopl32.dll Hdecea32.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Jenbjc32.exe File opened for modification C:\Windows\SysWOW64\Lgngbmjp.exe Ldokfakl.exe File opened for modification C:\Windows\SysWOW64\Lnjldf32.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Aiaoclgl.exe Ahpbkd32.exe File created C:\Windows\SysWOW64\Mpbclcja.dll Fkcilc32.exe File opened for modification C:\Windows\SysWOW64\Iaimipjl.exe Iogpag32.exe File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe Lplbjm32.exe File created C:\Windows\SysWOW64\Jipaip32.exe Jfaeme32.exe File opened for modification C:\Windows\SysWOW64\Kadica32.exe Kmimcbja.exe File created C:\Windows\SysWOW64\Dpeiligo.exe Dljmlj32.exe File created C:\Windows\SysWOW64\Kibemb32.dll Fcpacf32.exe File created C:\Windows\SysWOW64\Jeqopcld.exe Joggci32.exe File opened for modification C:\Windows\SysWOW64\Odmckcmq.exe Omckoi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6084 6060 WerFault.exe 483 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoklnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbmkan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmabjfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpaali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gockgdeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpeiligo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefmcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkknac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Godaakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkqlgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieibdnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcalnii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfepod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijaaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imlhebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoobhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceogcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhleh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichmgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajndh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobpfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egajnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcilc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeagimdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakino32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfpgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfnangf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kajiigba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlgkki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhjoc32.dll" Bbhccm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olpbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkhibino.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpjkeoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhahanie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccgklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpoggldm.dll" Ebklic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbcdh32.dll" Khohkamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iediin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Domccejd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phoogg32.dll" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjfq32.dll" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbggif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikldqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klecfkff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkpfm32.dll" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbgjgomc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gncnmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnjjp32.dll" Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noockemb.dll" Lgingm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncpdbohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgojdj32.dll" Gnkoid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnapnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Cnkjnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laqojfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nppofado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfhdnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efljhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfieigio.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2340 2032 be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe 31 PID 2032 wrote to memory of 2340 2032 be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe 31 PID 2032 wrote to memory of 2340 2032 be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe 31 PID 2032 wrote to memory of 2340 2032 be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe 31 PID 2340 wrote to memory of 1708 2340 Pojecajj.exe 32 PID 2340 wrote to memory of 1708 2340 Pojecajj.exe 32 PID 2340 wrote to memory of 1708 2340 Pojecajj.exe 32 PID 2340 wrote to memory of 1708 2340 Pojecajj.exe 32 PID 1708 wrote to memory of 2680 1708 Paiaplin.exe 33 PID 1708 wrote to memory of 2680 1708 Paiaplin.exe 33 PID 1708 wrote to memory of 2680 1708 Paiaplin.exe 33 PID 1708 wrote to memory of 2680 1708 Paiaplin.exe 33 PID 2680 wrote to memory of 2696 2680 Pdgmlhha.exe 34 PID 2680 wrote to memory of 2696 2680 Pdgmlhha.exe 34 PID 2680 wrote to memory of 2696 2680 Pdgmlhha.exe 34 PID 2680 wrote to memory of 2696 2680 Pdgmlhha.exe 34 PID 2696 wrote to memory of 2832 2696 Qppkfhlc.exe 35 PID 2696 wrote to memory of 2832 2696 Qppkfhlc.exe 35 PID 2696 wrote to memory of 2832 2696 Qppkfhlc.exe 35 PID 2696 wrote to memory of 2832 2696 Qppkfhlc.exe 35 PID 2832 wrote to memory of 2804 2832 Qlgkki32.exe 36 PID 2832 wrote to memory of 2804 2832 Qlgkki32.exe 36 PID 2832 wrote to memory of 2804 2832 Qlgkki32.exe 36 PID 2832 wrote to memory of 2804 2832 Qlgkki32.exe 36 PID 2804 wrote to memory of 2616 2804 Apedah32.exe 37 PID 2804 wrote to memory of 2616 2804 Apedah32.exe 37 PID 2804 wrote to memory of 2616 2804 Apedah32.exe 37 PID 2804 wrote to memory of 2616 2804 Apedah32.exe 37 PID 2616 wrote to memory of 536 2616 Aebmjo32.exe 38 PID 2616 wrote to memory of 536 2616 Aebmjo32.exe 38 PID 2616 wrote to memory of 536 2616 Aebmjo32.exe 38 PID 2616 wrote to memory of 536 2616 Aebmjo32.exe 38 PID 536 wrote to memory of 1888 536 Aojabdlf.exe 39 PID 536 wrote to memory of 1888 536 Aojabdlf.exe 39 PID 536 wrote to memory of 1888 536 Aojabdlf.exe 39 PID 536 wrote to memory of 1888 536 Aojabdlf.exe 39 PID 1888 wrote to memory of 2776 1888 Akabgebj.exe 40 PID 1888 wrote to memory of 2776 1888 Akabgebj.exe 40 PID 1888 wrote to memory of 2776 1888 Akabgebj.exe 40 PID 1888 wrote to memory of 2776 1888 Akabgebj.exe 40 PID 2776 wrote to memory of 1996 2776 Afffenbp.exe 41 PID 2776 wrote to memory of 1996 2776 Afffenbp.exe 41 PID 2776 wrote to memory of 1996 2776 Afffenbp.exe 41 PID 2776 wrote to memory of 1996 2776 Afffenbp.exe 41 PID 1996 wrote to memory of 348 1996 Aficjnpm.exe 42 PID 1996 wrote to memory of 348 1996 Aficjnpm.exe 42 PID 1996 wrote to memory of 348 1996 Aficjnpm.exe 42 PID 1996 wrote to memory of 348 1996 Aficjnpm.exe 42 PID 348 wrote to memory of 2104 348 Agjobffl.exe 43 PID 348 wrote to memory of 2104 348 Agjobffl.exe 43 PID 348 wrote to memory of 2104 348 Agjobffl.exe 43 PID 348 wrote to memory of 2104 348 Agjobffl.exe 43 PID 2104 wrote to memory of 448 2104 Aqbdkk32.exe 44 PID 2104 wrote to memory of 448 2104 Aqbdkk32.exe 44 PID 2104 wrote to memory of 448 2104 Aqbdkk32.exe 44 PID 2104 wrote to memory of 448 2104 Aqbdkk32.exe 44 PID 448 wrote to memory of 1948 448 Bmlael32.exe 45 PID 448 wrote to memory of 1948 448 Bmlael32.exe 45 PID 448 wrote to memory of 1948 448 Bmlael32.exe 45 PID 448 wrote to memory of 1948 448 Bmlael32.exe 45 PID 1948 wrote to memory of 2168 1948 Bqgmfkhg.exe 46 PID 1948 wrote to memory of 2168 1948 Bqgmfkhg.exe 46 PID 1948 wrote to memory of 2168 1948 Bqgmfkhg.exe 46 PID 1948 wrote to memory of 2168 1948 Bqgmfkhg.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe"C:\Users\Admin\AppData\Local\Temp\be37808a50aa839e7545d683dede3d91b9e42e5571ff398222dbc5f4e5fd6bafN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe33⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe34⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe36⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe37⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe38⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe40⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe41⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe43⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe44⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe46⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe48⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe49⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe50⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe52⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe53⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe59⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe60⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe61⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe63⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe66⤵PID:2176
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe68⤵PID:2688
-
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe73⤵PID:1232
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe74⤵PID:2584
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe77⤵
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe78⤵PID:1044
-
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe79⤵PID:2208
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe80⤵PID:2384
-
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe81⤵PID:2344
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe82⤵PID:1668
-
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe84⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe85⤵PID:2844
-
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe87⤵PID:2788
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe88⤵PID:2316
-
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe89⤵PID:1612
-
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe90⤵PID:708
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe91⤵PID:1644
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe92⤵PID:1092
-
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe93⤵PID:2400
-
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe94⤵PID:2516
-
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe95⤵PID:1016
-
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe96⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe97⤵PID:2840
-
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe98⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe100⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe101⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe103⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe105⤵PID:1588
-
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764 -
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe108⤵PID:324
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe109⤵
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe110⤵
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe111⤵PID:1008
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe112⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe113⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe115⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe116⤵PID:2436
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe117⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe119⤵PID:2908
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe120⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe121⤵PID:1528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-