Analysis
-
max time kernel
94s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07/03/2025, 04:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe
-
Size
1000KB
-
MD5
0d9b169198dc6765b7db40b1e2d30c69
-
SHA1
48e89a9a06c1caa7799ee69547e6702c9cacb6c2
-
SHA256
421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120
-
SHA512
30916b5f86e12dc98698eeb7eaae7006af75fc19d99123c52dae93b32a5561ab0e82f9996b1286886a80af228ef37c85f4bf1741ff712e78dedca2f55aa85f62
-
SSDEEP
6144:o9114oqxDHBFLqWjjgwTgZLnSnLrTSxJ2JrYXklSu9lIhBBJKQh31GTYUCIIYyy8:oz18tHBFLPj3TmLnWrOxNuxC97hFq9o7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfkfkopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aalofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fichqckn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmipmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjbjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcjmkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnofp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chmibmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhopjqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekcffem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelmbifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baqhapdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgkiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmaqgaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gahpkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iopeoknn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmmigjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnlnpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodahk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddobpbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inebpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcppgbjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npppaejj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnimpcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cabaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjboeenh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbejjfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gngfjicn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idbgbahq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokhcodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iokhcodo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laidgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amjiln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehaolpke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egkehllh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlgdhcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbfkeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimepkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnimpcke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjgcecja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahcjmkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmaqgaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbnnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egpena32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkaeob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfjnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabaec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbfcjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkblohek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjeedhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljhhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ollqllod.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2320 Egpena32.exe 2700 Fbfjkj32.exe 2728 Fmddgg32.exe 2624 Fpbqcb32.exe 2832 Ffmipmjn.exe 2068 Fmfalg32.exe 1120 Fpemhb32.exe 2460 Fdqiiaih.exe 1956 Hibgkjee.exe 2060 Ikjjda32.exe 2492 Iadbqlmh.exe 2580 Jcleiclo.exe 3028 Jnbifl32.exe 2456 Jbfkeo32.exe 2392 Jjmcfl32.exe 1724 Kelmbifm.exe 2852 Kndbko32.exe 2812 Kaggbihl.exe 1660 Kpjhnfof.exe 820 Lhapocoi.exe 2200 Laidgi32.exe 1440 Lmpeljkm.exe 2508 Ldjmidcj.exe 1996 Lfkfkopk.exe 880 Liibgkoo.exe 2172 Lljkif32.exe 2816 Mohhea32.exe 1596 Mmndfnpl.exe 2864 Mhcicf32.exe 2376 Mkaeob32.exe 404 Mdjihgef.exe 3016 Mcofid32.exe 2608 Mkfojakp.exe 2092 Nljhhi32.exe 2324 Ncdpdcfh.exe 1960 Naimepkp.exe 2256 Nhcebj32.exe 1420 Nlanhh32.exe 1492 Nanfqo32.exe 2364 Nhhominh.exe 2196 Noagjc32.exe 2088 Ojkhjabc.exe 840 Oabplobe.exe 2348 Okkddd32.exe 1748 Ollqllod.exe 2372 Odcimipf.exe 1368 Ojpaeq32.exe 2300 Omnmal32.exe 3000 Ochenfdn.exe 2504 Ooofcg32.exe 2820 Obnbpb32.exe 1720 Poacighp.exe 2872 Pbpoebgc.exe 2532 Podpoffm.exe 2620 Pfnhkq32.exe 2072 Peqhgmdd.exe 2424 Pnimpcke.exe 2484 Pkmmigjo.exe 684 Pbgefa32.exe 3040 Pajeanhf.exe 2156 Pjbjjc32.exe 632 Qgfkchmp.exe 1504 Qjdgpcmd.exe 1004 Qpaohjkk.exe -
Loads dropped DLL 64 IoCs
pid Process 1496 421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe 1496 421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe 2320 Egpena32.exe 2320 Egpena32.exe 2700 Fbfjkj32.exe 2700 Fbfjkj32.exe 2728 Fmddgg32.exe 2728 Fmddgg32.exe 2624 Fpbqcb32.exe 2624 Fpbqcb32.exe 2832 Ffmipmjn.exe 2832 Ffmipmjn.exe 2068 Fmfalg32.exe 2068 Fmfalg32.exe 1120 Fpemhb32.exe 1120 Fpemhb32.exe 2460 Fdqiiaih.exe 2460 Fdqiiaih.exe 1956 Hibgkjee.exe 1956 Hibgkjee.exe 2060 Ikjjda32.exe 2060 Ikjjda32.exe 2492 Iadbqlmh.exe 2492 Iadbqlmh.exe 2580 Jcleiclo.exe 2580 Jcleiclo.exe 3028 Jnbifl32.exe 3028 Jnbifl32.exe 2456 Jbfkeo32.exe 2456 Jbfkeo32.exe 2392 Jjmcfl32.exe 2392 Jjmcfl32.exe 1724 Kelmbifm.exe 1724 Kelmbifm.exe 2852 Kndbko32.exe 2852 Kndbko32.exe 2812 Kaggbihl.exe 2812 Kaggbihl.exe 1660 Kpjhnfof.exe 1660 Kpjhnfof.exe 820 Lhapocoi.exe 820 Lhapocoi.exe 2200 Laidgi32.exe 2200 Laidgi32.exe 1440 Lmpeljkm.exe 1440 Lmpeljkm.exe 2508 Ldjmidcj.exe 2508 Ldjmidcj.exe 1996 Lfkfkopk.exe 1996 Lfkfkopk.exe 880 Liibgkoo.exe 880 Liibgkoo.exe 2172 Lljkif32.exe 2172 Lljkif32.exe 2816 Mohhea32.exe 2816 Mohhea32.exe 1596 Mmndfnpl.exe 1596 Mmndfnpl.exe 2864 Mhcicf32.exe 2864 Mhcicf32.exe 2376 Mkaeob32.exe 2376 Mkaeob32.exe 404 Mdjihgef.exe 404 Mdjihgef.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fbfjkj32.exe Egpena32.exe File opened for modification C:\Windows\SysWOW64\Qjgcecja.exe Qpaohjkk.exe File created C:\Windows\SysWOW64\Jkfapl32.dll Dkblohek.exe File created C:\Windows\SysWOW64\Gihnkejd.exe Gfiaojkq.exe File opened for modification C:\Windows\SysWOW64\Jkllnn32.exe Jgppmpjp.exe File created C:\Windows\SysWOW64\Kimlqfeq.exe Kfopdk32.exe File created C:\Windows\SysWOW64\Nhpabdqd.exe Nogmin32.exe File created C:\Windows\SysWOW64\Ojoppamn.dll Ikjjda32.exe File opened for modification C:\Windows\SysWOW64\Mmndfnpl.exe Mohhea32.exe File created C:\Windows\SysWOW64\Pnimpcke.exe Peqhgmdd.exe File created C:\Windows\SysWOW64\Egihcl32.exe Ehfhgogp.exe File opened for modification C:\Windows\SysWOW64\Hechkfkc.exe Hahljg32.exe File created C:\Windows\SysWOW64\Becaniab.dll Hlmphp32.exe File created C:\Windows\SysWOW64\Lgiobadq.exe Lekcffem.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Ffmipmjn.exe File opened for modification C:\Windows\SysWOW64\Ooofcg32.exe Ochenfdn.exe File created C:\Windows\SysWOW64\Qjdgpcmd.exe Qgfkchmp.exe File opened for modification C:\Windows\SysWOW64\Alofnj32.exe Ahcjmkbo.exe File opened for modification C:\Windows\SysWOW64\Bmlbaqfh.exe Bdcnhk32.exe File created C:\Windows\SysWOW64\Djjeedhp.exe Dgkiih32.exe File opened for modification C:\Windows\SysWOW64\Mohhea32.exe Lljkif32.exe File created C:\Windows\SysWOW64\Bdkcbpni.dll Qpaohjkk.exe File created C:\Windows\SysWOW64\Jqlidcln.dll Chjmmnnb.exe File created C:\Windows\SysWOW64\Libmacbm.dll Inebpgbf.exe File created C:\Windows\SysWOW64\Mfceom32.exe Mmkafhnb.exe File created C:\Windows\SysWOW64\Mifkfhpa.exe Mpngmb32.exe File created C:\Windows\SysWOW64\Jbfkeo32.exe Jnbifl32.exe File created C:\Windows\SysWOW64\Mkfojakp.exe Mcofid32.exe File created C:\Windows\SysWOW64\Noagjc32.exe Nhhominh.exe File created C:\Windows\SysWOW64\Hbglqg32.dll Pnimpcke.exe File created C:\Windows\SysWOW64\Alofnj32.exe Ahcjmkbo.exe File created C:\Windows\SysWOW64\Jmddhe32.dll Dnqhkcdo.exe File opened for modification C:\Windows\SysWOW64\Hahljg32.exe Hilgfe32.exe File opened for modification C:\Windows\SysWOW64\Kaggbihl.exe Kndbko32.exe File created C:\Windows\SysWOW64\Bbjkmi32.dll Cpjklo32.exe File opened for modification C:\Windows\SysWOW64\Dgfpni32.exe Cjboeenh.exe File opened for modification C:\Windows\SysWOW64\Dflmpebj.exe Dnqhkcdo.exe File created C:\Windows\SysWOW64\Cpkdfb32.dll Jbakpi32.exe File created C:\Windows\SysWOW64\Pgcacc32.dll Mbjfcnkg.exe File created C:\Windows\SysWOW64\Mpngmb32.exe Mfebdm32.exe File created C:\Windows\SysWOW64\Kndbko32.exe Kelmbifm.exe File created C:\Windows\SysWOW64\Ijcbdhqk.dll Kfopdk32.exe File created C:\Windows\SysWOW64\Nhclfogi.dll Nmhqokcq.exe File created C:\Windows\SysWOW64\Dmddik32.dll Mkaeob32.exe File created C:\Windows\SysWOW64\Lpjqnpjb.dll Ooofcg32.exe File created C:\Windows\SysWOW64\Gmgnmlma.dll Ghddnnfi.exe File created C:\Windows\SysWOW64\Gaegla32.dll Npnclf32.exe File created C:\Windows\SysWOW64\Jeapidjc.dll Lmpeljkm.exe File created C:\Windows\SysWOW64\Pkmmigjo.exe Pnimpcke.exe File created C:\Windows\SysWOW64\Ajipkb32.exe Abbhje32.exe File created C:\Windows\SysWOW64\Dmknff32.dll Alofnj32.exe File created C:\Windows\SysWOW64\Emdpcf32.dll Hiockd32.exe File created C:\Windows\SysWOW64\Jhfjadim.exe Jjcieg32.exe File created C:\Windows\SysWOW64\Ohomgb32.dll Jkioho32.exe File opened for modification C:\Windows\SysWOW64\Mkfojakp.exe Mcofid32.exe File opened for modification C:\Windows\SysWOW64\Qpaohjkk.exe Qjdgpcmd.exe File created C:\Windows\SysWOW64\Fiakkcma.exe Ffboohnm.exe File created C:\Windows\SysWOW64\Jkllnn32.exe Jgppmpjp.exe File opened for modification C:\Windows\SysWOW64\Kkilgb32.exe Kjhopjqi.exe File created C:\Windows\SysWOW64\Ahmjfimi.dll Ohkdfhge.exe File opened for modification C:\Windows\SysWOW64\Aalofa32.exe Anmbje32.exe File opened for modification C:\Windows\SysWOW64\Lljkif32.exe Liibgkoo.exe File created C:\Windows\SysWOW64\Qjgcecja.exe Qpaohjkk.exe File created C:\Windows\SysWOW64\Bpfebmia.exe Bmgifa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3816 3776 WerFault.exe 252 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmndfnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlnpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknnnoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmacej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpemhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaggbihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enngdgim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfhgogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiedfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmoekf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhdph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollqllod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnhkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnejdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngfjicn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfebdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjmmnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dofnnkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjjkhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbopon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfebmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmibmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fladmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaqgaae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpaohjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfgkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkdfhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opblgehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimpcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Admgglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcnhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgppmpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knoaeimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdfgbhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aalofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehaolpke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feobac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaljjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbnnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhqokcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpabdqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmmigjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiobadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgdhcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjbba32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anpmohcl.dll" Pkmmigjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipippm32.dll" Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aalofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fladmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcnpfgn.dll" Gaebfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhcebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okkddd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkmmigjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhofe32.dll" Dgfpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgikjgo.dll" Dodahk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okfimp32.dll" Qjdgpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mencqhni.dll" Enenef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iokhcodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipkema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipkema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gihnkejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakjdp32.dll" Fiedfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfhlhbn.dll" Fmaqgaae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gddobpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igkjcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inebpgbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmfgkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egpena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkclkc32.dll" Enpdjfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egkehllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkbnmhi.dll" Gnlpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hijjpeha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icgdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgidb32.dll" Lmhdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkaeob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pilkle32.dll" Omnmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emjjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnejdiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijpfnpij.dll" Ngencpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikjjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpbigma.dll" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll" Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll" Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffmipmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokalbod.dll" Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkckf32.dll" Naimepkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjkmi32.dll" Cpjklo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiakkcma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icbkhnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnlnf32.dll" Lgdfgbhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncdpdcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphkcaig.dll" Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmoekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnddck32.dll" Kimlqfeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Limhpihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcofid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alofnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chmibmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojoppamn.dll" Ikjjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eomdoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffojn32.dll" Lekcffem.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1496 wrote to memory of 2320 1496 421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe 30 PID 1496 wrote to memory of 2320 1496 421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe 30 PID 1496 wrote to memory of 2320 1496 421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe 30 PID 1496 wrote to memory of 2320 1496 421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe 30 PID 2320 wrote to memory of 2700 2320 Egpena32.exe 31 PID 2320 wrote to memory of 2700 2320 Egpena32.exe 31 PID 2320 wrote to memory of 2700 2320 Egpena32.exe 31 PID 2320 wrote to memory of 2700 2320 Egpena32.exe 31 PID 2700 wrote to memory of 2728 2700 Fbfjkj32.exe 32 PID 2700 wrote to memory of 2728 2700 Fbfjkj32.exe 32 PID 2700 wrote to memory of 2728 2700 Fbfjkj32.exe 32 PID 2700 wrote to memory of 2728 2700 Fbfjkj32.exe 32 PID 2728 wrote to memory of 2624 2728 Fmddgg32.exe 33 PID 2728 wrote to memory of 2624 2728 Fmddgg32.exe 33 PID 2728 wrote to memory of 2624 2728 Fmddgg32.exe 33 PID 2728 wrote to memory of 2624 2728 Fmddgg32.exe 33 PID 2624 wrote to memory of 2832 2624 Fpbqcb32.exe 34 PID 2624 wrote to memory of 2832 2624 Fpbqcb32.exe 34 PID 2624 wrote to memory of 2832 2624 Fpbqcb32.exe 34 PID 2624 wrote to memory of 2832 2624 Fpbqcb32.exe 34 PID 2832 wrote to memory of 2068 2832 Ffmipmjn.exe 35 PID 2832 wrote to memory of 2068 2832 Ffmipmjn.exe 35 PID 2832 wrote to memory of 2068 2832 Ffmipmjn.exe 35 PID 2832 wrote to memory of 2068 2832 Ffmipmjn.exe 35 PID 2068 wrote to memory of 1120 2068 Fmfalg32.exe 36 PID 2068 wrote to memory of 1120 2068 Fmfalg32.exe 36 PID 2068 wrote to memory of 1120 2068 Fmfalg32.exe 36 PID 2068 wrote to memory of 1120 2068 Fmfalg32.exe 36 PID 1120 wrote to memory of 2460 1120 Fpemhb32.exe 37 PID 1120 wrote to memory of 2460 1120 Fpemhb32.exe 37 PID 1120 wrote to memory of 2460 1120 Fpemhb32.exe 37 PID 1120 wrote to memory of 2460 1120 Fpemhb32.exe 37 PID 2460 wrote to memory of 1956 2460 Fdqiiaih.exe 38 PID 2460 wrote to memory of 1956 2460 Fdqiiaih.exe 38 PID 2460 wrote to memory of 1956 2460 Fdqiiaih.exe 38 PID 2460 wrote to memory of 1956 2460 Fdqiiaih.exe 38 PID 1956 wrote to memory of 2060 1956 Hibgkjee.exe 39 PID 1956 wrote to memory of 2060 1956 Hibgkjee.exe 39 PID 1956 wrote to memory of 2060 1956 Hibgkjee.exe 39 PID 1956 wrote to memory of 2060 1956 Hibgkjee.exe 39 PID 2060 wrote to memory of 2492 2060 Ikjjda32.exe 40 PID 2060 wrote to memory of 2492 2060 Ikjjda32.exe 40 PID 2060 wrote to memory of 2492 2060 Ikjjda32.exe 40 PID 2060 wrote to memory of 2492 2060 Ikjjda32.exe 40 PID 2492 wrote to memory of 2580 2492 Iadbqlmh.exe 41 PID 2492 wrote to memory of 2580 2492 Iadbqlmh.exe 41 PID 2492 wrote to memory of 2580 2492 Iadbqlmh.exe 41 PID 2492 wrote to memory of 2580 2492 Iadbqlmh.exe 41 PID 2580 wrote to memory of 3028 2580 Jcleiclo.exe 42 PID 2580 wrote to memory of 3028 2580 Jcleiclo.exe 42 PID 2580 wrote to memory of 3028 2580 Jcleiclo.exe 42 PID 2580 wrote to memory of 3028 2580 Jcleiclo.exe 42 PID 3028 wrote to memory of 2456 3028 Jnbifl32.exe 43 PID 3028 wrote to memory of 2456 3028 Jnbifl32.exe 43 PID 3028 wrote to memory of 2456 3028 Jnbifl32.exe 43 PID 3028 wrote to memory of 2456 3028 Jnbifl32.exe 43 PID 2456 wrote to memory of 2392 2456 Jbfkeo32.exe 44 PID 2456 wrote to memory of 2392 2456 Jbfkeo32.exe 44 PID 2456 wrote to memory of 2392 2456 Jbfkeo32.exe 44 PID 2456 wrote to memory of 2392 2456 Jbfkeo32.exe 44 PID 2392 wrote to memory of 1724 2392 Jjmcfl32.exe 45 PID 2392 wrote to memory of 1724 2392 Jjmcfl32.exe 45 PID 2392 wrote to memory of 1724 2392 Jjmcfl32.exe 45 PID 2392 wrote to memory of 1724 2392 Jjmcfl32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe"C:\Users\Admin\AppData\Local\Temp\421c67ebb42ffa8acbf4f5af7edafbecadce24bc2f3ef6eb4d4a577b6679e120.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Fpbqcb32.exeC:\Windows\system32\Fpbqcb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Fpemhb32.exeC:\Windows\system32\Fpemhb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Jjmcfl32.exeC:\Windows\system32\Jjmcfl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Kndbko32.exeC:\Windows\system32\Kndbko32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Kpjhnfof.exeC:\Windows\system32\Kpjhnfof.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Mohhea32.exeC:\Windows\system32\Mohhea32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Mmndfnpl.exeC:\Windows\system32\Mmndfnpl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Mdjihgef.exeC:\Windows\system32\Mdjihgef.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe34⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Nljhhi32.exeC:\Windows\system32\Nljhhi32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe39⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe40⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Ojkhjabc.exeC:\Windows\system32\Ojkhjabc.exe43⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe44⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Okkddd32.exeC:\Windows\system32\Okkddd32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Ollqllod.exeC:\Windows\system32\Ollqllod.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Odcimipf.exeC:\Windows\system32\Odcimipf.exe47⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ojpaeq32.exeC:\Windows\system32\Ojpaeq32.exe48⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ochenfdn.exeC:\Windows\system32\Ochenfdn.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Ooofcg32.exeC:\Windows\system32\Ooofcg32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Obnbpb32.exeC:\Windows\system32\Obnbpb32.exe52⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Poacighp.exeC:\Windows\system32\Poacighp.exe53⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe54⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Podpoffm.exeC:\Windows\system32\Podpoffm.exe55⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Peqhgmdd.exeC:\Windows\system32\Peqhgmdd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Pbgefa32.exeC:\Windows\system32\Pbgefa32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Pjbjjc32.exeC:\Windows\system32\Pjbjjc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Qgfkchmp.exeC:\Windows\system32\Qgfkchmp.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Qjdgpcmd.exeC:\Windows\system32\Qjdgpcmd.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Qjgcecja.exeC:\Windows\system32\Qjgcecja.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe67⤵PID:2920
-
C:\Windows\SysWOW64\Abbhje32.exeC:\Windows\system32\Abbhje32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Acadchoo.exeC:\Windows\system32\Acadchoo.exe70⤵PID:2704
-
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Aphehidc.exeC:\Windows\system32\Aphehidc.exe72⤵PID:2764
-
C:\Windows\SysWOW64\Ahcjmkbo.exeC:\Windows\system32\Ahcjmkbo.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Alofnj32.exeC:\Windows\system32\Alofnj32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Aalofa32.exeC:\Windows\system32\Aalofa32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Aankkqfl.exeC:\Windows\system32\Aankkqfl.exe77⤵PID:2576
-
C:\Windows\SysWOW64\Admgglep.exeC:\Windows\system32\Admgglep.exe78⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Baqhapdj.exeC:\Windows\system32\Baqhapdj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe80⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Bmgifa32.exeC:\Windows\system32\Bmgifa32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe82⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Baealp32.exeC:\Windows\system32\Baealp32.exe83⤵PID:2912
-
C:\Windows\SysWOW64\Bdcnhk32.exeC:\Windows\system32\Bdcnhk32.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Bmlbaqfh.exeC:\Windows\system32\Bmlbaqfh.exe85⤵PID:1316
-
C:\Windows\SysWOW64\Bdfjnkne.exeC:\Windows\system32\Bdfjnkne.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Bmnofp32.exeC:\Windows\system32\Bmnofp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe88⤵PID:1036
-
C:\Windows\SysWOW64\Chhpgn32.exeC:\Windows\system32\Chhpgn32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Celpqbon.exeC:\Windows\system32\Celpqbon.exe91⤵PID:1032
-
C:\Windows\SysWOW64\Chjmmnnb.exeC:\Windows\system32\Chjmmnnb.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Cabaec32.exeC:\Windows\system32\Cabaec32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Cenmfbml.exeC:\Windows\system32\Cenmfbml.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe96⤵PID:1212
-
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Cpjklo32.exeC:\Windows\system32\Cpjklo32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Dgfpni32.exeC:\Windows\system32\Dgfpni32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Dkblohek.exeC:\Windows\system32\Dkblohek.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe103⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Dflmpebj.exeC:\Windows\system32\Dflmpebj.exe104⤵PID:1984
-
C:\Windows\SysWOW64\Dodahk32.exeC:\Windows\system32\Dodahk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Dgkiih32.exeC:\Windows\system32\Dgkiih32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Djjeedhp.exeC:\Windows\system32\Djjeedhp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1924 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe108⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe110⤵PID:1080
-
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe112⤵
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe113⤵PID:1708
-
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe114⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Enpdjfgj.exeC:\Windows\system32\Enpdjfgj.exe115⤵
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe117⤵PID:2168
-
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe118⤵PID:2432
-
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe120⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Ejlnjg32.exeC:\Windows\system32\Ejlnjg32.exe121⤵PID:3012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-