Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 20:51
Static task
static1
Behavioral task
behavioral1
Sample
2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe
Resource
win10v2004-20241007-en
General
-
Target
2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe
-
Size
1.1MB
-
MD5
b13ad2c608074e548b8f087aefa42105
-
SHA1
f410a8c4c036165546f963e5bd94e3268c2ad2e1
-
SHA256
2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41
-
SHA512
cefc33b6a0c2fc314bf5426e6d7153999643991172b03d078789561506e0c6d554d1a5431b5689d6a2328fda5f2ba34d1e3efbedaae67e0b703e88b62eb37c80
-
SSDEEP
12288:G2i5lvShLYcZrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:GClBZrQg5ZmvFimm0HkEyDucEQX
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbobkol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnlkgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bknjfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edlafebn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjdhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanbdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcfemmna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aacmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobpfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbkpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndjmifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcajhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmcjedcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnefhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dadbdkld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emaijk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmckcmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdppqbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbmqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eafkhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfcabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbogqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojglhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qldhkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpimq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnefhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjicjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlilqbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbfilffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkjdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijaaae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfemmna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgjjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jipaip32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3036 Hcajhi32.exe 2772 Hcdgmimg.exe 2812 Hbnmienj.exe 2332 Imgnjb32.exe 2608 Ijphofem.exe 2644 Jelfdc32.exe 2028 Jndjmifj.exe 572 Jmnqje32.exe 1916 Kmcjedcg.exe 2612 Kbbobkol.exe 1844 Kcdlhj32.exe 1076 Lanbdf32.exe 2380 Lgpdglhn.exe 2264 Mcfemmna.exe 632 Mlafkb32.exe 1684 Nnjicjbf.exe 2112 Nqmnjd32.exe 2148 Njeccjcd.exe 1616 Nijpdfhm.exe 588 Nlilqbgp.exe 1292 Oecmogln.exe 2004 Ohbikbkb.exe 3040 Onnnml32.exe 1576 Objjnkie.exe 2676 Oehgjfhi.exe 2700 Olbogqoe.exe 2680 Onqkclni.exe 2536 Oaogognm.exe 2480 Odmckcmq.exe 2216 Ojglhm32.exe 2960 Pdppqbkn.exe 2436 Peefcjlg.exe 1696 Pehcij32.exe 2460 Plbkfdba.exe 1656 Qldhkc32.exe 284 Qbnphngk.exe 2412 Qoeamo32.exe 2220 Aacmij32.exe 2124 Aphjjf32.exe 2240 Agbbgqhh.exe 1868 Apkgpf32.exe 1924 Ageompfe.exe 1680 Apmcefmf.exe 1280 Aejlnmkm.exe 2872 Aobpfb32.exe 2348 Agihgp32.exe 1736 Bpbmqe32.exe 2392 Bcpimq32.exe 2756 Blinefnd.exe 2568 Bcbfbp32.exe 2780 Bfabnl32.exe 2564 Bknjfb32.exe 3016 Bhbkpgbf.exe 1580 Bolcma32.exe 1296 Bgghac32.exe 1300 Bjedmo32.exe 680 Ccnifd32.exe 2836 Cjhabndo.exe 1644 Cglalbbi.exe 2128 Cnejim32.exe 2328 Cfanmogq.exe 2896 Ciokijfd.exe 784 Cbgobp32.exe 2364 Ciagojda.exe -
Loads dropped DLL 64 IoCs
pid Process 2956 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe 2956 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe 3036 Hcajhi32.exe 3036 Hcajhi32.exe 2772 Hcdgmimg.exe 2772 Hcdgmimg.exe 2812 Hbnmienj.exe 2812 Hbnmienj.exe 2332 Imgnjb32.exe 2332 Imgnjb32.exe 2608 Ijphofem.exe 2608 Ijphofem.exe 2644 Jelfdc32.exe 2644 Jelfdc32.exe 2028 Jndjmifj.exe 2028 Jndjmifj.exe 572 Jmnqje32.exe 572 Jmnqje32.exe 1916 Kmcjedcg.exe 1916 Kmcjedcg.exe 2612 Kbbobkol.exe 2612 Kbbobkol.exe 1844 Kcdlhj32.exe 1844 Kcdlhj32.exe 1076 Lanbdf32.exe 1076 Lanbdf32.exe 2380 Lgpdglhn.exe 2380 Lgpdglhn.exe 2264 Mcfemmna.exe 2264 Mcfemmna.exe 632 Mlafkb32.exe 632 Mlafkb32.exe 1684 Nnjicjbf.exe 1684 Nnjicjbf.exe 2112 Nqmnjd32.exe 2112 Nqmnjd32.exe 2148 Njeccjcd.exe 2148 Njeccjcd.exe 1616 Nijpdfhm.exe 1616 Nijpdfhm.exe 588 Nlilqbgp.exe 588 Nlilqbgp.exe 1292 Oecmogln.exe 1292 Oecmogln.exe 2004 Ohbikbkb.exe 2004 Ohbikbkb.exe 3040 Onnnml32.exe 3040 Onnnml32.exe 1576 Objjnkie.exe 1576 Objjnkie.exe 2676 Oehgjfhi.exe 2676 Oehgjfhi.exe 2700 Olbogqoe.exe 2700 Olbogqoe.exe 2680 Onqkclni.exe 2680 Onqkclni.exe 2536 Oaogognm.exe 2536 Oaogognm.exe 2480 Odmckcmq.exe 2480 Odmckcmq.exe 2216 Ojglhm32.exe 2216 Ojglhm32.exe 2960 Pdppqbkn.exe 2960 Pdppqbkn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Heloek32.dll Cfanmogq.exe File created C:\Windows\SysWOW64\Ifemminl.dll Flnlkgjq.exe File opened for modification C:\Windows\SysWOW64\Icncgf32.exe Hmdkjmip.exe File opened for modification C:\Windows\SysWOW64\Jbfilffm.exe Jjjdhc32.exe File created C:\Windows\SysWOW64\Aacmij32.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Djlfma32.exe File opened for modification C:\Windows\SysWOW64\Fkhbgbkc.exe Fdnjkh32.exe File created C:\Windows\SysWOW64\Hjfnnajl.exe Hclfag32.exe File created C:\Windows\SysWOW64\Kbbobkol.exe Kmcjedcg.exe File opened for modification C:\Windows\SysWOW64\Oecmogln.exe Nlilqbgp.exe File created C:\Windows\SysWOW64\Cdoime32.dll Fkcilc32.exe File opened for modification C:\Windows\SysWOW64\Gekfnoog.exe Glbaei32.exe File created C:\Windows\SysWOW64\Pehcij32.exe Peefcjlg.exe File opened for modification C:\Windows\SysWOW64\Cjhabndo.exe Ccnifd32.exe File created C:\Windows\SysWOW64\Ghdiokbq.exe Gajqbakc.exe File created C:\Windows\SysWOW64\Hgajdjlj.dll Jipaip32.exe File opened for modification C:\Windows\SysWOW64\Onnnml32.exe Ohbikbkb.exe File opened for modification C:\Windows\SysWOW64\Dnqlmq32.exe Cehhdkjf.exe File opened for modification C:\Windows\SysWOW64\Dadbdkld.exe Dnefhpma.exe File created C:\Windows\SysWOW64\Glnhjjml.exe Ggapbcne.exe File opened for modification C:\Windows\SysWOW64\Jnofgg32.exe Jfcabd32.exe File created C:\Windows\SysWOW64\Bokblhqh.dll Kmcjedcg.exe File created C:\Windows\SysWOW64\Nqmnjd32.exe Nnjicjbf.exe File created C:\Windows\SysWOW64\Faibdo32.dll Hmmdin32.exe File opened for modification C:\Windows\SysWOW64\Inhdgdmk.exe Icncgf32.exe File created C:\Windows\SysWOW64\Kndkfpje.dll Ikldqile.exe File opened for modification C:\Windows\SysWOW64\Agihgp32.exe Aobpfb32.exe File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe Gaagcpdl.exe File opened for modification C:\Windows\SysWOW64\Emaijk32.exe Efhqmadd.exe File created C:\Windows\SysWOW64\Chpmbe32.dll Hclfag32.exe File created C:\Windows\SysWOW64\Lanbdf32.exe Kcdlhj32.exe File opened for modification C:\Windows\SysWOW64\Aobpfb32.exe Aejlnmkm.exe File opened for modification C:\Windows\SysWOW64\Ojglhm32.exe Odmckcmq.exe File opened for modification C:\Windows\SysWOW64\Gaagcpdl.exe Ghibjjnk.exe File created C:\Windows\SysWOW64\Ciokijfd.exe Cfanmogq.exe File created C:\Windows\SysWOW64\Gocbagqd.dll Dcghkf32.exe File created C:\Windows\SysWOW64\Lddblcik.dll Ciagojda.exe File created C:\Windows\SysWOW64\Fbegbacp.exe Eknpadcn.exe File created C:\Windows\SysWOW64\Nijpdfhm.exe Njeccjcd.exe File created C:\Windows\SysWOW64\Oehgjfhi.exe Objjnkie.exe File created C:\Windows\SysWOW64\Nhpfip32.dll Gdkjdl32.exe File created C:\Windows\SysWOW64\Jmnqje32.exe Jndjmifj.exe File opened for modification C:\Windows\SysWOW64\Cfanmogq.exe Cnejim32.exe File created C:\Windows\SysWOW64\Diodocki.dll Igebkiof.exe File created C:\Windows\SysWOW64\Bhbkpgbf.exe Bknjfb32.exe File opened for modification C:\Windows\SysWOW64\Iknafhjb.exe Iogpag32.exe File opened for modification C:\Windows\SysWOW64\Eknpadcn.exe Eafkhn32.exe File opened for modification C:\Windows\SysWOW64\Jjfkmdlg.exe Iclbpj32.exe File created C:\Windows\SysWOW64\Jbhebfck.exe Jipaip32.exe File created C:\Windows\SysWOW64\Mfiema32.dll Hcdgmimg.exe File created C:\Windows\SysWOW64\Mlafkb32.exe Mcfemmna.exe File created C:\Windows\SysWOW64\Nedmeekj.dll Djocbqpb.exe File created C:\Windows\SysWOW64\Lpmdgf32.dll Ibcphc32.exe File opened for modification C:\Windows\SysWOW64\Jelfdc32.exe Ijphofem.exe File created C:\Windows\SysWOW64\Hagojlib.dll Qldhkc32.exe File created C:\Windows\SysWOW64\Acfgdc32.dll Bfabnl32.exe File created C:\Windows\SysWOW64\Cbjlhpkb.exe Ciagojda.exe File created C:\Windows\SysWOW64\Hclfag32.exe Hgeelf32.exe File opened for modification C:\Windows\SysWOW64\Hbnmienj.exe Hcdgmimg.exe File created C:\Windows\SysWOW64\Cdlfik32.dll Ojglhm32.exe File created C:\Windows\SysWOW64\Dmkcil32.exe Djlfma32.exe File opened for modification C:\Windows\SysWOW64\Gajqbakc.exe Glnhjjml.exe File opened for modification C:\Windows\SysWOW64\Lanbdf32.exe Kcdlhj32.exe File opened for modification C:\Windows\SysWOW64\Hgeelf32.exe Hqkmplen.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1048 1692 WerFault.exe 182 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhebfck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpdglhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaagcpdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcngenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijaaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbmqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcilc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmmlgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecmogln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bolcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agihgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnklmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmckcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhgbid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjicjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehhdkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphofem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbbgqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbkpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdgmimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kambcbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelfdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnhjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlilqbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefndikl.dll" Ccnifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll" Kjeglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djlfma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hclfag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmnap32.dll" Hcajhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbnol32.dll" Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olbogqoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjhabndo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll" Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diodocki.dll" Igebkiof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnjbnhn.dll" Glnhjjml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glpepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icncgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qldhkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldgnklmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbnmienj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedamakn.dll" Cbgobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgfqf32.dll" Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckqmd32.dll" Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklcci32.dll" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhbkpgbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Finlmjmi.dll" Cehhdkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpklelgo.dll" 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbolo32.dll" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfgdc32.dll" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll" Cfanmogq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pehcij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkmmlgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjqkek32.dll" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlojnpb.dll" Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll" Hffibceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafdibdo.dll" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfndl32.dll" Ggapbcne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iclbpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgcnahoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onnnml32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2956 wrote to memory of 3036 2956 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe 31 PID 2956 wrote to memory of 3036 2956 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe 31 PID 2956 wrote to memory of 3036 2956 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe 31 PID 2956 wrote to memory of 3036 2956 2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe 31 PID 3036 wrote to memory of 2772 3036 Hcajhi32.exe 32 PID 3036 wrote to memory of 2772 3036 Hcajhi32.exe 32 PID 3036 wrote to memory of 2772 3036 Hcajhi32.exe 32 PID 3036 wrote to memory of 2772 3036 Hcajhi32.exe 32 PID 2772 wrote to memory of 2812 2772 Hcdgmimg.exe 33 PID 2772 wrote to memory of 2812 2772 Hcdgmimg.exe 33 PID 2772 wrote to memory of 2812 2772 Hcdgmimg.exe 33 PID 2772 wrote to memory of 2812 2772 Hcdgmimg.exe 33 PID 2812 wrote to memory of 2332 2812 Hbnmienj.exe 34 PID 2812 wrote to memory of 2332 2812 Hbnmienj.exe 34 PID 2812 wrote to memory of 2332 2812 Hbnmienj.exe 34 PID 2812 wrote to memory of 2332 2812 Hbnmienj.exe 34 PID 2332 wrote to memory of 2608 2332 Imgnjb32.exe 35 PID 2332 wrote to memory of 2608 2332 Imgnjb32.exe 35 PID 2332 wrote to memory of 2608 2332 Imgnjb32.exe 35 PID 2332 wrote to memory of 2608 2332 Imgnjb32.exe 35 PID 2608 wrote to memory of 2644 2608 Ijphofem.exe 36 PID 2608 wrote to memory of 2644 2608 Ijphofem.exe 36 PID 2608 wrote to memory of 2644 2608 Ijphofem.exe 36 PID 2608 wrote to memory of 2644 2608 Ijphofem.exe 36 PID 2644 wrote to memory of 2028 2644 Jelfdc32.exe 37 PID 2644 wrote to memory of 2028 2644 Jelfdc32.exe 37 PID 2644 wrote to memory of 2028 2644 Jelfdc32.exe 37 PID 2644 wrote to memory of 2028 2644 Jelfdc32.exe 37 PID 2028 wrote to memory of 572 2028 Jndjmifj.exe 38 PID 2028 wrote to memory of 572 2028 Jndjmifj.exe 38 PID 2028 wrote to memory of 572 2028 Jndjmifj.exe 38 PID 2028 wrote to memory of 572 2028 Jndjmifj.exe 38 PID 572 wrote to memory of 1916 572 Jmnqje32.exe 39 PID 572 wrote to memory of 1916 572 Jmnqje32.exe 39 PID 572 wrote to memory of 1916 572 Jmnqje32.exe 39 PID 572 wrote to memory of 1916 572 Jmnqje32.exe 39 PID 1916 wrote to memory of 2612 1916 Kmcjedcg.exe 40 PID 1916 wrote to memory of 2612 1916 Kmcjedcg.exe 40 PID 1916 wrote to memory of 2612 1916 Kmcjedcg.exe 40 PID 1916 wrote to memory of 2612 1916 Kmcjedcg.exe 40 PID 2612 wrote to memory of 1844 2612 Kbbobkol.exe 41 PID 2612 wrote to memory of 1844 2612 Kbbobkol.exe 41 PID 2612 wrote to memory of 1844 2612 Kbbobkol.exe 41 PID 2612 wrote to memory of 1844 2612 Kbbobkol.exe 41 PID 1844 wrote to memory of 1076 1844 Kcdlhj32.exe 42 PID 1844 wrote to memory of 1076 1844 Kcdlhj32.exe 42 PID 1844 wrote to memory of 1076 1844 Kcdlhj32.exe 42 PID 1844 wrote to memory of 1076 1844 Kcdlhj32.exe 42 PID 1076 wrote to memory of 2380 1076 Lanbdf32.exe 43 PID 1076 wrote to memory of 2380 1076 Lanbdf32.exe 43 PID 1076 wrote to memory of 2380 1076 Lanbdf32.exe 43 PID 1076 wrote to memory of 2380 1076 Lanbdf32.exe 43 PID 2380 wrote to memory of 2264 2380 Lgpdglhn.exe 44 PID 2380 wrote to memory of 2264 2380 Lgpdglhn.exe 44 PID 2380 wrote to memory of 2264 2380 Lgpdglhn.exe 44 PID 2380 wrote to memory of 2264 2380 Lgpdglhn.exe 44 PID 2264 wrote to memory of 632 2264 Mcfemmna.exe 45 PID 2264 wrote to memory of 632 2264 Mcfemmna.exe 45 PID 2264 wrote to memory of 632 2264 Mcfemmna.exe 45 PID 2264 wrote to memory of 632 2264 Mcfemmna.exe 45 PID 632 wrote to memory of 1684 632 Mlafkb32.exe 46 PID 632 wrote to memory of 1684 632 Mlafkb32.exe 46 PID 632 wrote to memory of 1684 632 Mlafkb32.exe 46 PID 632 wrote to memory of 1684 632 Mlafkb32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe"C:\Users\Admin\AppData\Local\Temp\2bbf7427ecdf3878053e1dc4b37d9057fd1b1f1727877d228182f23bc4dc1c41.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Nnjicjbf.exeC:\Windows\system32\Nnjicjbf.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe37⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe40⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe43⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Apmcefmf.exeC:\Windows\system32\Apmcefmf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Agihgp32.exeC:\Windows\system32\Agihgp32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe56⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Cjhabndo.exeC:\Windows\system32\Cjhabndo.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe63⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Ciagojda.exeC:\Windows\system32\Ciagojda.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe66⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe69⤵PID:2300
-
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe71⤵PID:2740
-
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:292 -
C:\Windows\SysWOW64\Djlfma32.exeC:\Windows\system32\Djlfma32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Dcghkf32.exeC:\Windows\system32\Dcghkf32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1240 -
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe80⤵
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Emaijk32.exeC:\Windows\system32\Emaijk32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1088 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe83⤵PID:1608
-
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe84⤵PID:1704
-
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe85⤵PID:1936
-
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Eafkhn32.exeC:\Windows\system32\Eafkhn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Eknpadcn.exeC:\Windows\system32\Eknpadcn.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe89⤵PID:2312
-
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Folhgbid.exeC:\Windows\system32\Folhgbid.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe92⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Fgjjad32.exeC:\Windows\system32\Fgjjad32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe95⤵PID:1332
-
C:\Windows\SysWOW64\Fdnjkh32.exeC:\Windows\system32\Fdnjkh32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Fdpgph32.exeC:\Windows\system32\Fdpgph32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe99⤵PID:2284
-
C:\Windows\SysWOW64\Gpggei32.exeC:\Windows\system32\Gpggei32.exe100⤵PID:1308
-
C:\Windows\SysWOW64\Ggapbcne.exeC:\Windows\system32\Ggapbcne.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Glnhjjml.exeC:\Windows\system32\Glnhjjml.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Gajqbakc.exeC:\Windows\system32\Gajqbakc.exe103⤵
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe104⤵PID:1996
-
C:\Windows\SysWOW64\Glpepj32.exeC:\Windows\system32\Glpepj32.exe105⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Gdkjdl32.exeC:\Windows\system32\Gdkjdl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe107⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe108⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Hgnokgcc.exeC:\Windows\system32\Hgnokgcc.exe111⤵
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe112⤵PID:2524
-
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe113⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe114⤵PID:1336
-
C:\Windows\SysWOW64\Hffibceh.exeC:\Windows\system32\Hffibceh.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Hqkmplen.exeC:\Windows\system32\Hqkmplen.exe116⤵
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Hgeelf32.exeC:\Windows\system32\Hgeelf32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Hclfag32.exeC:\Windows\system32\Hclfag32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Hjfnnajl.exeC:\Windows\system32\Hjfnnajl.exe119⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe120⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Icncgf32.exeC:\Windows\system32\Icncgf32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Inhdgdmk.exeC:\Windows\system32\Inhdgdmk.exe122⤵
- System Location Discovery: System Language Discovery
PID:1620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-