Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 02:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
-
Size
74KB
-
MD5
3e8e5dcbe9cdf704f2544bd08431b77a
-
SHA1
83cc1b6c76a42bfcae98c38b9bb489a38806b74b
-
SHA256
5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac
-
SHA512
5a325fbd8ab2b8df92a43d5db4f6a11c0f2fb0d914c76e0e1de6b43156074eb4c1ca1c10d65f9f0a1cc64097e430d09d563cd973043399660a8c98725bc02c3f
-
SSDEEP
1536:7DTSIianicOY8NwHRZaKZW9hvJqXwwqYSP/Mqpw:7PSIywH/29zp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhcmhdke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkleabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgjkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enkpahon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjbna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdecha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipiljgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meoell32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjmcpnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabcggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijklknbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlckbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqfemqod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihmpobck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egokonjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbfepmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinafkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffljlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkkija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mikjpiim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkoncdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmoda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbaql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgdfdbhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flqmbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbknkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioakoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehgbhbgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgaiobjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfkbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbonei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iinmfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepmgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oanefo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2436 Bidlgdlk.exe 2416 Bmphhc32.exe 2740 Bbmapj32.exe 2884 Bekmle32.exe 2748 Bigimdjh.exe 2796 Bpqain32.exe 2676 Bbonei32.exe 2516 Bfkifhib.exe 1812 Chlfnp32.exe 1732 Clgbno32.exe 2812 Cofnjj32.exe 528 Cadjgf32.exe 480 Chnbcpmn.exe 2604 Cohkpj32.exe 2024 Cafgle32.exe 1132 Cdecha32.exe 1556 Chqoipkk.exe 3040 Cojhejbh.exe 1804 Caidaeak.exe 1212 Cedpbd32.exe 1340 Cdgpnqpo.exe 2480 Cffljlpc.exe 1744 Ckahkk32.exe 860 Cmpdgf32.exe 2132 Cpnaca32.exe 2756 Cdjmcpnl.exe 2936 Cmbalfem.exe 2272 Dpqnhadq.exe 2704 Ddliip32.exe 2104 Dkfbfjdf.exe 2836 Diibag32.exe 2700 Dlgnmb32.exe 2180 Ddnfop32.exe 1880 Dljkcb32.exe 2688 Dohgomgf.exe 2124 Dgoopkgh.exe 1932 Dinklffl.exe 1352 Dllhhaep.exe 1152 Dpgcip32.exe 304 Dcfpel32.exe 1164 Dedlag32.exe 1952 Dhbhmb32.exe 2224 Dlndnacm.exe 1988 Domqjm32.exe 2288 Dchmkkkj.exe 3028 Ddiibc32.exe 1612 Ekcaonhe.exe 2924 Eoompl32.exe 2228 Eamilh32.exe 2896 Edlfhc32.exe 2864 Ehgbhbgn.exe 2372 Ekfndmfb.exe 2196 Eoajel32.exe 1940 Eapfagno.exe 2832 Ehjona32.exe 2728 Egmojnlf.exe 2640 Ejkkfjkj.exe 1864 Enfgfh32.exe 2168 Eabcggll.exe 344 Edqocbkp.exe 1828 Egokonjc.exe 1528 Ekjgpm32.exe 2792 Eniclh32.exe 1964 Elldgehk.exe -
Loads dropped DLL 64 IoCs
pid Process 2972 5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe 2972 5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe 2436 Bidlgdlk.exe 2436 Bidlgdlk.exe 2416 Bmphhc32.exe 2416 Bmphhc32.exe 2740 Bbmapj32.exe 2740 Bbmapj32.exe 2884 Bekmle32.exe 2884 Bekmle32.exe 2748 Bigimdjh.exe 2748 Bigimdjh.exe 2796 Bpqain32.exe 2796 Bpqain32.exe 2676 Bbonei32.exe 2676 Bbonei32.exe 2516 Bfkifhib.exe 2516 Bfkifhib.exe 1812 Chlfnp32.exe 1812 Chlfnp32.exe 1732 Clgbno32.exe 1732 Clgbno32.exe 2812 Cofnjj32.exe 2812 Cofnjj32.exe 528 Cadjgf32.exe 528 Cadjgf32.exe 480 Chnbcpmn.exe 480 Chnbcpmn.exe 2604 Cohkpj32.exe 2604 Cohkpj32.exe 2024 Cafgle32.exe 2024 Cafgle32.exe 1132 Cdecha32.exe 1132 Cdecha32.exe 1556 Chqoipkk.exe 1556 Chqoipkk.exe 3040 Cojhejbh.exe 3040 Cojhejbh.exe 1804 Caidaeak.exe 1804 Caidaeak.exe 1212 Cedpbd32.exe 1212 Cedpbd32.exe 1340 Cdgpnqpo.exe 1340 Cdgpnqpo.exe 2480 Cffljlpc.exe 2480 Cffljlpc.exe 1744 Ckahkk32.exe 1744 Ckahkk32.exe 860 Cmpdgf32.exe 860 Cmpdgf32.exe 2132 Cpnaca32.exe 2132 Cpnaca32.exe 2756 Cdjmcpnl.exe 2756 Cdjmcpnl.exe 2936 Cmbalfem.exe 2936 Cmbalfem.exe 2272 Dpqnhadq.exe 2272 Dpqnhadq.exe 2704 Ddliip32.exe 2704 Ddliip32.exe 2104 Dkfbfjdf.exe 2104 Dkfbfjdf.exe 2836 Diibag32.exe 2836 Diibag32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Idkpganf.exe Ippdgc32.exe File created C:\Windows\SysWOW64\Iacpmi32.dll Oococb32.exe File opened for modification C:\Windows\SysWOW64\Diibag32.exe Dkfbfjdf.exe File created C:\Windows\SysWOW64\Nlnjab32.dll Fmcjhdbc.exe File created C:\Windows\SysWOW64\Idcacc32.exe Iphecepe.exe File created C:\Windows\SysWOW64\Pcdhbgoc.dll Clmdmm32.exe File opened for modification C:\Windows\SysWOW64\Ibcnojnp.exe Inhanl32.exe File created C:\Windows\SysWOW64\Lbhnia32.dll Bigkel32.exe File created C:\Windows\SysWOW64\Fbmfkkbm.exe Fcjeon32.exe File opened for modification C:\Windows\SysWOW64\Dphmloih.exe Dmjqpdje.exe File created C:\Windows\SysWOW64\Ngjhpb32.dll Dknajh32.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Bqlfaj32.exe Bmpkqklh.exe File opened for modification C:\Windows\SysWOW64\Hhejnc32.exe Hegnahjo.exe File created C:\Windows\SysWOW64\Ljieppcb.exe Lkfddc32.exe File opened for modification C:\Windows\SysWOW64\Peedka32.exe Poklngnf.exe File created C:\Windows\SysWOW64\Fejhndnn.dll Bofgii32.exe File created C:\Windows\SysWOW64\Chlfnp32.exe Bfkifhib.exe File created C:\Windows\SysWOW64\Jjqlic32.dll Dinklffl.exe File created C:\Windows\SysWOW64\Lpenkfbe.dll Egokonjc.exe File created C:\Windows\SysWOW64\Fkmqdpce.exe Findhdcb.exe File created C:\Windows\SysWOW64\Qlomqkmp.dll Inhanl32.exe File opened for modification C:\Windows\SysWOW64\Illbhp32.exe Ihpfgalh.exe File opened for modification C:\Windows\SysWOW64\Aficjnpm.exe Abmgjo32.exe File opened for modification C:\Windows\SysWOW64\Jniefm32.exe Jofejpmc.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Khoebi32.exe File created C:\Windows\SysWOW64\Pcncbo32.dll Mkaghg32.exe File opened for modification C:\Windows\SysWOW64\Meabakda.exe Mbbfep32.exe File opened for modification C:\Windows\SysWOW64\Oeckfndj.exe Obdojcef.exe File opened for modification C:\Windows\SysWOW64\Oabkom32.exe Oococb32.exe File opened for modification C:\Windows\SysWOW64\Fpmbfbgo.exe Folfoj32.exe File created C:\Windows\SysWOW64\Pkjjaebl.dll Fgldnkkf.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Lnnibe32.dll Ajnpecbj.exe File opened for modification C:\Windows\SysWOW64\Lhpglecl.exe Lqipkhbj.exe File created C:\Windows\SysWOW64\Hjjpmh32.dll Obdojcef.exe File created C:\Windows\SysWOW64\Ffjaickl.dll Ehkhaqpk.exe File created C:\Windows\SysWOW64\Fpoolael.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Ogjknh32.dll Hebnlb32.exe File created C:\Windows\SysWOW64\Mclebc32.exe Mmbmeifk.exe File created C:\Windows\SysWOW64\Domqjm32.exe Dlndnacm.exe File created C:\Windows\SysWOW64\Edqocbkp.exe Eabcggll.exe File created C:\Windows\SysWOW64\Gjpqpl32.exe Fkmqdpce.exe File created C:\Windows\SysWOW64\Cgohil32.dll Iaeegh32.exe File opened for modification C:\Windows\SysWOW64\Nhlgmd32.exe Nenkqi32.exe File opened for modification C:\Windows\SysWOW64\Ojmpooah.exe Ohncbdbd.exe File created C:\Windows\SysWOW64\Cmpdgf32.exe Ckahkk32.exe File created C:\Windows\SysWOW64\Nhndalhm.dll Qhmcmk32.exe File created C:\Windows\SysWOW64\Helgmg32.exe Hapklimq.exe File created C:\Windows\SysWOW64\Jplkmgol.exe Jaijak32.exe File opened for modification C:\Windows\SysWOW64\Odchbe32.exe Omioekbo.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Pnbojmmp.exe File created C:\Windows\SysWOW64\Jqojeand.dll Gjdjklek.exe File created C:\Windows\SysWOW64\Jmfafgbd.exe Jfliim32.exe File opened for modification C:\Windows\SysWOW64\Bfkifhib.exe Bbonei32.exe File opened for modification C:\Windows\SysWOW64\Ddnfop32.exe Dlgnmb32.exe File opened for modification C:\Windows\SysWOW64\Ffibkj32.exe Fbmfkkbm.exe File created C:\Windows\SysWOW64\Mdkqhhpm.dll Knnkpobc.exe File created C:\Windows\SysWOW64\Ockglf32.dll Pgnjde32.exe File created C:\Windows\SysWOW64\Peedka32.exe Poklngnf.exe File created C:\Windows\SysWOW64\Bgibnj32.exe Baojapfj.exe File created C:\Windows\SysWOW64\Cicalakk.exe Cfeepelg.exe File opened for modification C:\Windows\SysWOW64\Flhmfbim.exe Fjjpjgjj.exe File created C:\Windows\SysWOW64\Epnhci32.dll Lhelbh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7432 7360 WerFault.exe 768 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjahd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbfep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfcpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihdgkpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjmpcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgbhbgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbojpna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnpecbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmapj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbcpmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjmcpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkoncdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbbjpgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkffng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoqjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchijone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllhhaep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljpncgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogmcjef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjhdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfnopfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfaopoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpkflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbeofpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgphcqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdejhfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmodel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bccmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbonei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfghdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmbfbgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmifk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdfjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipehmebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobgihgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphmloih.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjplgd32.dll" Ihmpobck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqahmoc.dll" Plolgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgono32.dll" Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmcjhdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggkqmoma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlkhpje.dll" Lfhhjklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iiecgjba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgkhdddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejhndnn.dll" Bofgii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fqfemqod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdoomf32.dll" Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedpjdfh.dll" Dgoopkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdkak32.dll" Ielclkhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baojapfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdgjmdh.dll" Ifampo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpmbfbgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjgoje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaghki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddnfop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amfognic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdjjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnpflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjndlebb.dll" Jniefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajgbkbjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apedah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afbqkf32.dll" Micklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oigemnhm.dll" Ogknoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eolmip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjdfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhpaf32.dll" Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hedbmpnc.dll" Gceailog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbbbdcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcomce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppcbgkka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biliep32.dll" Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbmfkkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aakepajf.dll" Fcmben32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2436 2972 5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe 30 PID 2972 wrote to memory of 2436 2972 5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe 30 PID 2972 wrote to memory of 2436 2972 5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe 30 PID 2972 wrote to memory of 2436 2972 5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe 30 PID 2436 wrote to memory of 2416 2436 Bidlgdlk.exe 31 PID 2436 wrote to memory of 2416 2436 Bidlgdlk.exe 31 PID 2436 wrote to memory of 2416 2436 Bidlgdlk.exe 31 PID 2436 wrote to memory of 2416 2436 Bidlgdlk.exe 31 PID 2416 wrote to memory of 2740 2416 Bmphhc32.exe 32 PID 2416 wrote to memory of 2740 2416 Bmphhc32.exe 32 PID 2416 wrote to memory of 2740 2416 Bmphhc32.exe 32 PID 2416 wrote to memory of 2740 2416 Bmphhc32.exe 32 PID 2740 wrote to memory of 2884 2740 Bbmapj32.exe 33 PID 2740 wrote to memory of 2884 2740 Bbmapj32.exe 33 PID 2740 wrote to memory of 2884 2740 Bbmapj32.exe 33 PID 2740 wrote to memory of 2884 2740 Bbmapj32.exe 33 PID 2884 wrote to memory of 2748 2884 Bekmle32.exe 34 PID 2884 wrote to memory of 2748 2884 Bekmle32.exe 34 PID 2884 wrote to memory of 2748 2884 Bekmle32.exe 34 PID 2884 wrote to memory of 2748 2884 Bekmle32.exe 34 PID 2748 wrote to memory of 2796 2748 Bigimdjh.exe 35 PID 2748 wrote to memory of 2796 2748 Bigimdjh.exe 35 PID 2748 wrote to memory of 2796 2748 Bigimdjh.exe 35 PID 2748 wrote to memory of 2796 2748 Bigimdjh.exe 35 PID 2796 wrote to memory of 2676 2796 Bpqain32.exe 36 PID 2796 wrote to memory of 2676 2796 Bpqain32.exe 36 PID 2796 wrote to memory of 2676 2796 Bpqain32.exe 36 PID 2796 wrote to memory of 2676 2796 Bpqain32.exe 36 PID 2676 wrote to memory of 2516 2676 Bbonei32.exe 37 PID 2676 wrote to memory of 2516 2676 Bbonei32.exe 37 PID 2676 wrote to memory of 2516 2676 Bbonei32.exe 37 PID 2676 wrote to memory of 2516 2676 Bbonei32.exe 37 PID 2516 wrote to memory of 1812 2516 Bfkifhib.exe 38 PID 2516 wrote to memory of 1812 2516 Bfkifhib.exe 38 PID 2516 wrote to memory of 1812 2516 Bfkifhib.exe 38 PID 2516 wrote to memory of 1812 2516 Bfkifhib.exe 38 PID 1812 wrote to memory of 1732 1812 Chlfnp32.exe 39 PID 1812 wrote to memory of 1732 1812 Chlfnp32.exe 39 PID 1812 wrote to memory of 1732 1812 Chlfnp32.exe 39 PID 1812 wrote to memory of 1732 1812 Chlfnp32.exe 39 PID 1732 wrote to memory of 2812 1732 Clgbno32.exe 40 PID 1732 wrote to memory of 2812 1732 Clgbno32.exe 40 PID 1732 wrote to memory of 2812 1732 Clgbno32.exe 40 PID 1732 wrote to memory of 2812 1732 Clgbno32.exe 40 PID 2812 wrote to memory of 528 2812 Cofnjj32.exe 41 PID 2812 wrote to memory of 528 2812 Cofnjj32.exe 41 PID 2812 wrote to memory of 528 2812 Cofnjj32.exe 41 PID 2812 wrote to memory of 528 2812 Cofnjj32.exe 41 PID 528 wrote to memory of 480 528 Cadjgf32.exe 42 PID 528 wrote to memory of 480 528 Cadjgf32.exe 42 PID 528 wrote to memory of 480 528 Cadjgf32.exe 42 PID 528 wrote to memory of 480 528 Cadjgf32.exe 42 PID 480 wrote to memory of 2604 480 Chnbcpmn.exe 43 PID 480 wrote to memory of 2604 480 Chnbcpmn.exe 43 PID 480 wrote to memory of 2604 480 Chnbcpmn.exe 43 PID 480 wrote to memory of 2604 480 Chnbcpmn.exe 43 PID 2604 wrote to memory of 2024 2604 Cohkpj32.exe 44 PID 2604 wrote to memory of 2024 2604 Cohkpj32.exe 44 PID 2604 wrote to memory of 2024 2604 Cohkpj32.exe 44 PID 2604 wrote to memory of 2024 2604 Cohkpj32.exe 44 PID 2024 wrote to memory of 1132 2024 Cafgle32.exe 45 PID 2024 wrote to memory of 1132 2024 Cafgle32.exe 45 PID 2024 wrote to memory of 1132 2024 Cafgle32.exe 45 PID 2024 wrote to memory of 1132 2024 Cafgle32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe"C:\Users\Admin\AppData\Local\Temp\5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe35⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe36⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe40⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe41⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe42⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe43⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe45⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe46⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe47⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe48⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe49⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe50⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe51⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe53⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe54⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe55⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe57⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe58⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe59⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe63⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe64⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe65⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe66⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe67⤵PID:1604
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe68⤵PID:2032
-
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe69⤵PID:1984
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe71⤵PID:1688
-
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe72⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe73⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe74⤵PID:2056
-
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe75⤵PID:1492
-
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe76⤵PID:2100
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe78⤵PID:1260
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe81⤵PID:2276
-
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe82⤵PID:2028
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe84⤵PID:2236
-
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe85⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe86⤵PID:2952
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe87⤵PID:1768
-
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe88⤵PID:2492
-
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe89⤵PID:1584
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe90⤵PID:2956
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe91⤵PID:1616
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe92⤵PID:2764
-
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe93⤵PID:308
-
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe94⤵PID:2188
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe95⤵PID:2940
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe96⤵PID:1796
-
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe97⤵PID:1764
-
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe98⤵PID:800
-
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe99⤵PID:1868
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe100⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe101⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe102⤵PID:1312
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe103⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe104⤵PID:2016
-
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe105⤵PID:1792
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe106⤵PID:884
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe107⤵PID:2040
-
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe109⤵PID:1392
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe110⤵PID:2084
-
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe112⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe113⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe114⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe115⤵PID:284
-
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe117⤵PID:2500
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe118⤵PID:1512
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe119⤵PID:2344
-
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe120⤵PID:2060
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe121⤵PID:1104
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-