Analysis
max time kernel: 58s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18-02-2025 08:21

Static task: static1

Behavioral task: behavioral1
Sample: fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe
Resource: win10v2004-20250217-en
General
Target: fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe
Size: 128KB
MD5: c20154a57160d784f60dd2fea67c0706
SHA1: a063a52c1ed64ddf23fcfe5af4f38d8948ac1104
SHA256: fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb
SHA512: 2e502ee73e54ea40e23a0f77c01946053bd1130e9a881348613cff3a08833811a567d6f6bdd56ebb11a91e1e079feeae372bd3d4917f922b4b4550c5302f31eb
SSDEEP: 1536:xS7ny75v54FcB66j6zX3hJTbvgOkOlPoytM1nxb4L2Ra8BtFQoXa+dJnEBctOPpB:xSKaIA3fuRxU83FQo7fnEBctcp
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3260, pid_target: 436, Process: WerFault.exe, procid_target: 606
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1268 wrote to memory of 2144 1268 fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe 29
PID 1268 wrote to memory of 2144 1268 fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe 29
PID 1268 wrote to memory of 2144 1268 fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe 29
PID 1268 wrote to memory of 2144 1268 fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe 29
PID 2144 wrote to memory of 828 2144 Ehgoaiml.exe 30
PID 2144 wrote to memory of 828 2144 Ehgoaiml.exe 30
PID 2144 wrote to memory of 828 2144 Ehgoaiml.exe 30
PID 2144 wrote to memory of 828 2144 Ehgoaiml.exe 30
PID 828 wrote to memory of 2948 828 Ecnpgj32.exe 31
PID 828 wrote to memory of 2948 828 Ecnpgj32.exe 31
PID 828 wrote to memory of 2948 828 Ecnpgj32.exe 31
PID 828 wrote to memory of 2948 828 Ecnpgj32.exe 31
PID 2948 wrote to memory of 2716 2948 Fpgmak32.exe 32
PID 2948 wrote to memory of 2716 2948 Fpgmak32.exe 32
PID 2948 wrote to memory of 2716 2948 Fpgmak32.exe 32
PID 2948 wrote to memory of 2716 2948 Fpgmak32.exe 32
PID 2716 wrote to memory of 2780 2716 Fefboabg.exe 33
PID 2716 wrote to memory of 2780 2716 Fefboabg.exe 33
PID 2716 wrote to memory of 2780 2716 Fefboabg.exe 33
PID 2716 wrote to memory of 2780 2716 Fefboabg.exe 33
PID 2780 wrote to memory of 2700 2780 Foacmg32.exe 34
PID 2780 wrote to memory of 2700 2780 Foacmg32.exe 34
PID 2780 wrote to memory of 2700 2780 Foacmg32.exe 34
PID 2780 wrote to memory of 2700 2780 Foacmg32.exe 34
PID 2700 wrote to memory of 2872 2700 Gemhpq32.exe 35
PID 2700 wrote to memory of 2872 2700 Gemhpq32.exe 35
PID 2700 wrote to memory of 2872 2700 Gemhpq32.exe 35
PID 2700 wrote to memory of 2872 2700 Gemhpq32.exe 35
PID 2872 wrote to memory of 2164 2872 Gklnmgic.exe 36
PID 2872 wrote to memory of 2164 2872 Gklnmgic.exe 36
PID 2872 wrote to memory of 2164 2872 Gklnmgic.exe 36
PID 2872 wrote to memory of 2164 2872 Gklnmgic.exe 36
PID 2164 wrote to memory of 2336 2164 Ggcnbh32.exe 37
PID 2164 wrote to memory of 2336 2164 Ggcnbh32.exe 37
PID 2164 wrote to memory of 2336 2164 Ggcnbh32.exe 37
PID 2164 wrote to memory of 2336 2164 Ggcnbh32.exe 37
PID 2336 wrote to memory of 2968 2336 Gidgdcli.exe 38
PID 2336 wrote to memory of 2968 2336 Gidgdcli.exe 38
PID 2336 wrote to memory of 2968 2336 Gidgdcli.exe 38
PID 2336 wrote to memory of 2968 2336 Gidgdcli.exe 38
PID 2968 wrote to memory of 1188 2968 Hghhngjb.exe 39
PID 2968 wrote to memory of 1188 2968 Hghhngjb.exe 39
PID 2968 wrote to memory of 1188 2968 Hghhngjb.exe 39
PID 2968 wrote to memory of 1188 2968 Hghhngjb.exe 39
PID 1188 wrote to memory of 1588 1188 Hlgmkn32.exe 40
PID 1188 wrote to memory of 1588 1188 Hlgmkn32.exe 40
PID 1188 wrote to memory of 1588 1188 Hlgmkn32.exe 40
PID 1188 wrote to memory of 1588 1188 Hlgmkn32.exe 40
PID 1588 wrote to memory of 764 1588 Hadece32.exe 41
PID 1588 wrote to memory of 764 1588 Hadece32.exe 41
PID 1588 wrote to memory of 764 1588 Hadece32.exe 41
PID 1588 wrote to memory of 764 1588 Hadece32.exe 41
PID 764 wrote to memory of 1544 764 Hkngbj32.exe 42
PID 764 wrote to memory of 1544 764 Hkngbj32.exe 42
PID 764 wrote to memory of 1544 764 Hkngbj32.exe 42
PID 764 wrote to memory of 1544 764 Hkngbj32.exe 42
PID 1544 wrote to memory of 2536 1544 Hfdkoc32.exe 43
PID 1544 wrote to memory of 2536 1544 Hfdkoc32.exe 43
PID 1544 wrote to memory of 2536 1544 Hfdkoc32.exe 43
PID 1544 wrote to memory of 2536 1544 Hfdkoc32.exe 43
PID 2536 wrote to memory of 2520 2536 Ihedan32.exe 44
PID 2536 wrote to memory of 2520 2536 Ihedan32.exe 44
PID 2536 wrote to memory of 2520 2536 Ihedan32.exe 44
PID 2536 wrote to memory of 2520 2536 Ihedan32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe"C:\Users\Admin\AppData\Local\Temp\fd458031e85e378d7bfd0dce39b76f37b0c92c185b96b4c221e33378f782eddb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Ehgoaiml.exeC:\Windows\system32\Ehgoaiml.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ecnpgj32.exeC:\Windows\system32\Ecnpgj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Fpgmak32.exeC:\Windows\system32\Fpgmak32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Fefboabg.exeC:\Windows\system32\Fefboabg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Foacmg32.exeC:\Windows\system32\Foacmg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Gemhpq32.exeC:\Windows\system32\Gemhpq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Gklnmgic.exeC:\Windows\system32\Gklnmgic.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Ggcnbh32.exeC:\Windows\system32\Ggcnbh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Gidgdcli.exeC:\Windows\system32\Gidgdcli.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Hghhngjb.exeC:\Windows\system32\Hghhngjb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Hlgmkn32.exeC:\Windows\system32\Hlgmkn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Hadece32.exeC:\Windows\system32\Hadece32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Hkngbj32.exeC:\Windows\system32\Hkngbj32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Ihedan32.exeC:\Windows\system32\Ihedan32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Idkdfo32.exeC:\Windows\system32\Idkdfo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Iglngj32.exeC:\Windows\system32\Iglngj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Iogbllfc.exeC:\Windows\system32\Iogbllfc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Imkbeqem.exeC:\Windows\system32\Imkbeqem.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Jjocoedg.exeC:\Windows\system32\Jjocoedg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Jmplqp32.exeC:\Windows\system32\Jmplqp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Jkgfgl32.exeC:\Windows\system32\Jkgfgl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Jepjpajn.exeC:\Windows\system32\Jepjpajn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Kgqcam32.exeC:\Windows\system32\Kgqcam32.exe27⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Kmphpc32.exeC:\Windows\system32\Kmphpc32.exe28⤵
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Kfhmhi32.exeC:\Windows\system32\Kfhmhi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Kbonmjph.exeC:\Windows\system32\Kbonmjph.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Lhclfphg.exeC:\Windows\system32\Lhclfphg.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe34⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Lpqnpacp.exeC:\Windows\system32\Lpqnpacp.exe35⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mgmbbkij.exeC:\Windows\system32\Mgmbbkij.exe36⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Moomgmpm.exeC:\Windows\system32\Moomgmpm.exe37⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Nndjhi32.exeC:\Windows\system32\Nndjhi32.exe38⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Nhjofbdk.exeC:\Windows\system32\Nhjofbdk.exe39⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe40⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Nlnqeeeh.exeC:\Windows\system32\Nlnqeeeh.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Ndeifbfj.exeC:\Windows\system32\Ndeifbfj.exe42⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe44⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Oofpgolq.exeC:\Windows\system32\Oofpgolq.exe45⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe46⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Oeeeeehe.exeC:\Windows\system32\Oeeeeehe.exe47⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Pgfnfq32.exeC:\Windows\system32\Pgfnfq32.exe49⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe50⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe51⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Pcokaa32.exeC:\Windows\system32\Pcokaa32.exe52⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pmimpf32.exeC:\Windows\system32\Pmimpf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Pccelqeb.exeC:\Windows\system32\Pccelqeb.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe56⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Qibjjgag.exeC:\Windows\system32\Qibjjgag.exe57⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe58⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Aiegpg32.exeC:\Windows\system32\Aiegpg32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Ahjcqcdm.exeC:\Windows\system32\Ahjcqcdm.exe60⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Amglij32.exeC:\Windows\system32\Amglij32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Ahmpfc32.exeC:\Windows\system32\Ahmpfc32.exe62⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Aaeeoihj.exeC:\Windows\system32\Aaeeoihj.exe63⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe64⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe65⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Akpfmnmh.exeC:\Windows\system32\Akpfmnmh.exe66⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Blabef32.exeC:\Windows\system32\Blabef32.exe67⤵PID:1616
-
C:\Windows\SysWOW64\Bffgbo32.exeC:\Windows\system32\Bffgbo32.exe68⤵PID:924
-
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Bigpdjpm.exeC:\Windows\system32\Bigpdjpm.exe70⤵PID:2308
-
C:\Windows\SysWOW64\Bbpdmp32.exeC:\Windows\system32\Bbpdmp32.exe71⤵PID:3012
-
C:\Windows\SysWOW64\Bhlmef32.exeC:\Windows\system32\Bhlmef32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe74⤵PID:2816
-
C:\Windows\SysWOW64\Cdejpg32.exeC:\Windows\system32\Cdejpg32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Coknmp32.exeC:\Windows\system32\Coknmp32.exe76⤵PID:1184
-
C:\Windows\SysWOW64\Ckboba32.exeC:\Windows\system32\Ckboba32.exe77⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Cghpgbce.exeC:\Windows\system32\Cghpgbce.exe78⤵PID:2444
-
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe79⤵PID:900
-
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe80⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Cofaad32.exeC:\Windows\system32\Cofaad32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Cjlenm32.exeC:\Windows\system32\Cjlenm32.exe82⤵PID:1900
-
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe84⤵PID:2408
-
C:\Windows\SysWOW64\Dlokegib.exeC:\Windows\system32\Dlokegib.exe85⤵PID:1860
-
C:\Windows\SysWOW64\Dblcnngi.exeC:\Windows\system32\Dblcnngi.exe86⤵PID:1972
-
C:\Windows\SysWOW64\Ddjpjj32.exeC:\Windows\system32\Ddjpjj32.exe87⤵PID:2168
-
C:\Windows\SysWOW64\Dkdhfdnj.exeC:\Windows\system32\Dkdhfdnj.exe88⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Dqqqokla.exeC:\Windows\system32\Dqqqokla.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Djiegp32.exeC:\Windows\system32\Djiegp32.exe90⤵PID:2940
-
C:\Windows\SysWOW64\Ekiaac32.exeC:\Windows\system32\Ekiaac32.exe91⤵PID:2696
-
C:\Windows\SysWOW64\Ecdffe32.exeC:\Windows\system32\Ecdffe32.exe92⤵PID:2184
-
C:\Windows\SysWOW64\Epkgkfmd.exeC:\Windows\system32\Epkgkfmd.exe93⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Egaoldnf.exeC:\Windows\system32\Egaoldnf.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe96⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Efihcpqk.exeC:\Windows\system32\Efihcpqk.exe97⤵PID:1596
-
C:\Windows\SysWOW64\Fnkchahn.exeC:\Windows\system32\Fnkchahn.exe98⤵PID:1744
-
C:\Windows\SysWOW64\Fjbdmbmb.exeC:\Windows\system32\Fjbdmbmb.exe99⤵PID:964
-
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe100⤵PID:524
-
C:\Windows\SysWOW64\Gpdfph32.exeC:\Windows\system32\Gpdfph32.exe101⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Gfnnmboa.exeC:\Windows\system32\Gfnnmboa.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Gmhfjm32.exeC:\Windows\system32\Gmhfjm32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Gbdobc32.exeC:\Windows\system32\Gbdobc32.exe104⤵PID:2796
-
C:\Windows\SysWOW64\Ghagjj32.exeC:\Windows\system32\Ghagjj32.exe105⤵PID:2736
-
C:\Windows\SysWOW64\Gphokhco.exeC:\Windows\system32\Gphokhco.exe106⤵PID:2080
-
C:\Windows\SysWOW64\Giaddm32.exeC:\Windows\system32\Giaddm32.exe107⤵PID:1852
-
C:\Windows\SysWOW64\Gkbplepn.exeC:\Windows\system32\Gkbplepn.exe108⤵PID:2928
-
C:\Windows\SysWOW64\Hhfqejoh.exeC:\Windows\system32\Hhfqejoh.exe109⤵PID:2176
-
C:\Windows\SysWOW64\Hdmajkdl.exeC:\Windows\system32\Hdmajkdl.exe110⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Hgknffcp.exeC:\Windows\system32\Hgknffcp.exe111⤵PID:2624
-
C:\Windows\SysWOW64\Hmefcp32.exeC:\Windows\system32\Hmefcp32.exe112⤵PID:1844
-
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe113⤵PID:1928
-
C:\Windows\SysWOW64\Hgnjlfam.exeC:\Windows\system32\Hgnjlfam.exe114⤵PID:2320
-
C:\Windows\SysWOW64\Hilghaqq.exeC:\Windows\system32\Hilghaqq.exe115⤵PID:2912
-
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe116⤵PID:2684
-
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe118⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Hjqpcq32.exeC:\Windows\system32\Hjqpcq32.exe119⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Ilolol32.exeC:\Windows\system32\Ilolol32.exe120⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Icidlf32.exeC:\Windows\system32\Icidlf32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe122⤵PID:2420