Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/03/2025, 13:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe
-
Size
87KB
-
MD5
c2b7d63c5ac1add8c6f7d425412fd271
-
SHA1
ff1a4bd0085c92de8f3b43e38a1e7b91174fe846
-
SHA256
6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65
-
SHA512
c3e210ccf55928a1c06edd94496dd49012bb494843152a88c8d0b842a8f30b82c52da9676d209768fd43acd7c90ce9fb8a8779009fa6ba960fc02290a4f007c0
-
SSDEEP
1536:1XGAzClLbQ4uaXy3KoBpp666e7rifyKGi22moAXRQ4HRSRBDNrR0RVe7R6R8RPDQ:elvQlXA6c3e2mTeaAnDlmbGcGFDeT
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fljafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ileiplhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclnemgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inifnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipgcaob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifkacb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kklpekno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mooaljkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhehek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgojpjem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dccagcgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kebgia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iipgcaob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmebnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbaileio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkcdafqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naimccpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nodgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fepiimfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glgaok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcefjgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lndohedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkbdiqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gebbnpfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2712 Aadloj32.exe 2812 Bjlqhoba.exe 1708 Bafidiio.exe 2620 Bpiipf32.exe 1980 Bkommo32.exe 1432 Bfenbpec.exe 2180 Bidjnkdg.exe 2904 Bblogakg.exe 2864 Bifgdk32.exe 1724 Bocolb32.exe 3064 Baakhm32.exe 2120 Ccahbp32.exe 2212 Ceodnl32.exe 2264 Cohigamf.exe 2156 Ceaadk32.exe 1196 Cnmehnan.exe 2992 Cpkbdiqb.exe 352 Cjdfmo32.exe 1796 Cdikkg32.exe 2364 Cghggc32.exe 316 Cnaocmmi.exe 908 Dfmdho32.exe 2800 Dndlim32.exe 2564 Dlgldibq.exe 2820 Dglpbbbg.exe 2584 Dogefd32.exe 2572 Dccagcgk.exe 1220 Dbfabp32.exe 484 Dknekeef.exe 580 Dojald32.exe 868 Ddgjdk32.exe 2852 Dhbfdjdp.exe 1900 Dbkknojp.exe 1052 Ebmgcohn.exe 592 Edkcojga.exe 1748 Ejhlgaeh.exe 2984 Ebodiofk.exe 2220 Eqbddk32.exe 2400 Egllae32.exe 1704 Ekhhadmk.exe 1632 Enfenplo.exe 1116 Emieil32.exe 1908 Eqdajkkb.exe 2100 Egoife32.exe 1000 Efaibbij.exe 2316 Enhacojl.exe 1948 Emkaol32.exe 2592 Eqgnokip.exe 1256 Ecejkf32.exe 288 Efcfga32.exe 1064 Ejobhppq.exe 300 Eqijej32.exe 2336 Eplkpgnh.exe 2544 Eplkpgnh.exe 2932 Ebjglbml.exe 2184 Effcma32.exe 2372 Fmpkjkma.exe 1588 Fpngfgle.exe 2064 Fcjcfe32.exe 1636 Fbmcbbki.exe 1112 Fekpnn32.exe 2420 Figlolbf.exe 1556 Flehkhai.exe 2368 Fpqdkf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2764 6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe 2764 6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe 2712 Aadloj32.exe 2712 Aadloj32.exe 2812 Bjlqhoba.exe 2812 Bjlqhoba.exe 1708 Bafidiio.exe 1708 Bafidiio.exe 2620 Bpiipf32.exe 2620 Bpiipf32.exe 1980 Bkommo32.exe 1980 Bkommo32.exe 1432 Bfenbpec.exe 1432 Bfenbpec.exe 2180 Bidjnkdg.exe 2180 Bidjnkdg.exe 2904 Bblogakg.exe 2904 Bblogakg.exe 2864 Bifgdk32.exe 2864 Bifgdk32.exe 1724 Bocolb32.exe 1724 Bocolb32.exe 3064 Baakhm32.exe 3064 Baakhm32.exe 2120 Ccahbp32.exe 2120 Ccahbp32.exe 2212 Ceodnl32.exe 2212 Ceodnl32.exe 2264 Cohigamf.exe 2264 Cohigamf.exe 2156 Ceaadk32.exe 2156 Ceaadk32.exe 1196 Cnmehnan.exe 1196 Cnmehnan.exe 2992 Cpkbdiqb.exe 2992 Cpkbdiqb.exe 352 Cjdfmo32.exe 352 Cjdfmo32.exe 1796 Cdikkg32.exe 1796 Cdikkg32.exe 2364 Cghggc32.exe 2364 Cghggc32.exe 316 Cnaocmmi.exe 316 Cnaocmmi.exe 908 Dfmdho32.exe 908 Dfmdho32.exe 2800 Dndlim32.exe 2800 Dndlim32.exe 2564 Dlgldibq.exe 2564 Dlgldibq.exe 2820 Dglpbbbg.exe 2820 Dglpbbbg.exe 2584 Dogefd32.exe 2584 Dogefd32.exe 2572 Dccagcgk.exe 2572 Dccagcgk.exe 1220 Dbfabp32.exe 1220 Dbfabp32.exe 484 Dknekeef.exe 484 Dknekeef.exe 580 Dojald32.exe 580 Dojald32.exe 868 Ddgjdk32.exe 868 Ddgjdk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Geiiogja.dll Bjlqhoba.exe File created C:\Windows\SysWOW64\Eqijej32.exe Ejobhppq.exe File created C:\Windows\SysWOW64\Kneagg32.dll Fhqbkhch.exe File opened for modification C:\Windows\SysWOW64\Faigdn32.exe Fjongcbl.exe File created C:\Windows\SysWOW64\Jmianb32.dll Gjfdhbld.exe File created C:\Windows\SysWOW64\Cjgheann.dll Ilncom32.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bblogakg.exe File opened for modification C:\Windows\SysWOW64\Dojald32.exe Dknekeef.exe File opened for modification C:\Windows\SysWOW64\Kklpekno.exe Kincipnk.exe File created C:\Windows\SysWOW64\Lbfdaigg.exe Lphhenhc.exe File created C:\Windows\SysWOW64\Ejobhppq.exe Efcfga32.exe File opened for modification C:\Windows\SysWOW64\Gjdhbc32.exe Ghelfg32.exe File created C:\Windows\SysWOW64\Ganpomec.exe Gmbdnn32.exe File opened for modification C:\Windows\SysWOW64\Gfmemc32.exe Gbaileio.exe File created C:\Windows\SysWOW64\Lmgefl32.dll Homclekn.exe File created C:\Windows\SysWOW64\Hhgdkjol.exe Heihnoph.exe File opened for modification C:\Windows\SysWOW64\Keednado.exe Kbfhbeek.exe File created C:\Windows\SysWOW64\Mooaljkh.exe Mlaeonld.exe File created C:\Windows\SysWOW64\Khjjpi32.dll Bocolb32.exe File created C:\Windows\SysWOW64\Ampehe32.dll Efaibbij.exe File created C:\Windows\SysWOW64\Bdacap32.dll Eqgnokip.exe File created C:\Windows\SysWOW64\Fdilpjih.dll Ecejkf32.exe File created C:\Windows\SysWOW64\Gkdjlion.dll Gpejeihi.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Hdildlie.exe File opened for modification C:\Windows\SysWOW64\Kicmdo32.exe Kaldcb32.exe File created C:\Windows\SysWOW64\Ibebkc32.dll Kgemplap.exe File created C:\Windows\SysWOW64\Bgfgbaoo.dll Fiihdlpc.exe File created C:\Windows\SysWOW64\Jgojpjem.exe Jhljdm32.exe File opened for modification C:\Windows\SysWOW64\Jmbiipml.exe Jjdmmdnh.exe File created C:\Windows\SysWOW64\Eeieql32.dll Kiqpop32.exe File created C:\Windows\SysWOW64\Ancjqghh.dll Kkolkk32.exe File created C:\Windows\SysWOW64\Ceodnl32.exe Ccahbp32.exe File created C:\Windows\SysWOW64\Dglpbbbg.exe Dlgldibq.exe File created C:\Windows\SysWOW64\Papnde32.dll Kaldcb32.exe File created C:\Windows\SysWOW64\Lndohedg.exe Lfmffhde.exe File created C:\Windows\SysWOW64\Lfpclh32.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Daifmohp.dll Mbkmlh32.exe File created C:\Windows\SysWOW64\Hendhe32.dll Mabgcd32.exe File created C:\Windows\SysWOW64\Ndemjoae.exe Mpjqiq32.exe File created C:\Windows\SysWOW64\Cohigamf.exe Ceodnl32.exe File opened for modification C:\Windows\SysWOW64\Cghggc32.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Mfacfkje.dll Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Fnhnbb32.exe Fljafg32.exe File created C:\Windows\SysWOW64\Gbaileio.exe Glgaok32.exe File created C:\Windows\SysWOW64\Hmfjha32.exe Hiknhbcg.exe File opened for modification C:\Windows\SysWOW64\Ikkjbe32.exe Igonafba.exe File created C:\Windows\SysWOW64\Modkfi32.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Fbamma32.exe Fnfamcoj.exe File opened for modification C:\Windows\SysWOW64\Fepiimfg.exe Fadminnn.exe File opened for modification C:\Windows\SysWOW64\Fhqbkhch.exe Fcefji32.exe File opened for modification C:\Windows\SysWOW64\Kjdilgpc.exe Kgemplap.exe File created C:\Windows\SysWOW64\Homclekn.exe Hkaglf32.exe File created C:\Windows\SysWOW64\Ghbaee32.dll Jmbiipml.exe File created C:\Windows\SysWOW64\Eeejnlhc.dll Nckjkl32.exe File created C:\Windows\SysWOW64\Dogefd32.exe Dglpbbbg.exe File opened for modification C:\Windows\SysWOW64\Jnicmdli.exe Jofbag32.exe File created C:\Windows\SysWOW64\Ncdbcl32.dll 6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Edkcojga.exe File created C:\Windows\SysWOW64\Fenmdm32.exe Fbopgb32.exe File created C:\Windows\SysWOW64\Kacgbnfl.dll Lphhenhc.exe File opened for modification C:\Windows\SysWOW64\Mlfojn32.exe Migbnb32.exe File created C:\Windows\SysWOW64\Gellaqbd.dll Cohigamf.exe File created C:\Windows\SysWOW64\Jfiilbkl.dll Dhbfdjdp.exe File created C:\Windows\SysWOW64\Eqdajkkb.exe Emieil32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3876 3828 WerFault.exe 289 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnaocmmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjongcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpefdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmikibio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bocolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagjnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpqdkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhehek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idnaoohk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dccagcgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hanlnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kebgia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndemjoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfenbpec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganpomec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giieco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlcbenjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npagjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcfadgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocflgga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkmlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglpbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Linphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojald32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iompkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlaeonld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naimccpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bifgdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceaadk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjglbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjhgdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joaeeklp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liplnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkcojga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niebhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cghggc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbmcbbki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfamcoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gffoldhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchhkjhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdildlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhngjmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidjnkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlljjjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igonafba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipllekdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcagpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecejkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjfkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofbag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgemplap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhloponc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnace32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcokkak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libicbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mooaljkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmgcohn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egllae32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hedocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhgdkjol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll" Bblogakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maiooo32.dll" Fagjnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpngfgle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gffoldhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpnecca.dll" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfknbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" Efcfga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll" Kjifhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll" Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddnkn32.dll" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll" Kmefooki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll" Lbfdaigg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogbjdmj.dll" Ileiplhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll" Modkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Cjdfmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbdklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaebnq32.dll" Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiiogja.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgheann.dll" Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbadbn32.dll" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgafalg.dll" Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kincipnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll" Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdlklmn.dll" Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifkacb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiijnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll" Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" Ngkogj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll" Ebodiofk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2764 wrote to memory of 2712 2764 6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe 30 PID 2764 wrote to memory of 2712 2764 6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe 30 PID 2764 wrote to memory of 2712 2764 6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe 30 PID 2764 wrote to memory of 2712 2764 6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe 30 PID 2712 wrote to memory of 2812 2712 Aadloj32.exe 31 PID 2712 wrote to memory of 2812 2712 Aadloj32.exe 31 PID 2712 wrote to memory of 2812 2712 Aadloj32.exe 31 PID 2712 wrote to memory of 2812 2712 Aadloj32.exe 31 PID 2812 wrote to memory of 1708 2812 Bjlqhoba.exe 32 PID 2812 wrote to memory of 1708 2812 Bjlqhoba.exe 32 PID 2812 wrote to memory of 1708 2812 Bjlqhoba.exe 32 PID 2812 wrote to memory of 1708 2812 Bjlqhoba.exe 32 PID 1708 wrote to memory of 2620 1708 Bafidiio.exe 33 PID 1708 wrote to memory of 2620 1708 Bafidiio.exe 33 PID 1708 wrote to memory of 2620 1708 Bafidiio.exe 33 PID 1708 wrote to memory of 2620 1708 Bafidiio.exe 33 PID 2620 wrote to memory of 1980 2620 Bpiipf32.exe 34 PID 2620 wrote to memory of 1980 2620 Bpiipf32.exe 34 PID 2620 wrote to memory of 1980 2620 Bpiipf32.exe 34 PID 2620 wrote to memory of 1980 2620 Bpiipf32.exe 34 PID 1980 wrote to memory of 1432 1980 Bkommo32.exe 35 PID 1980 wrote to memory of 1432 1980 Bkommo32.exe 35 PID 1980 wrote to memory of 1432 1980 Bkommo32.exe 35 PID 1980 wrote to memory of 1432 1980 Bkommo32.exe 35 PID 1432 wrote to memory of 2180 1432 Bfenbpec.exe 36 PID 1432 wrote to memory of 2180 1432 Bfenbpec.exe 36 PID 1432 wrote to memory of 2180 1432 Bfenbpec.exe 36 PID 1432 wrote to memory of 2180 1432 Bfenbpec.exe 36 PID 2180 wrote to memory of 2904 2180 Bidjnkdg.exe 37 PID 2180 wrote to memory of 2904 2180 Bidjnkdg.exe 37 PID 2180 wrote to memory of 2904 2180 Bidjnkdg.exe 37 PID 2180 wrote to memory of 2904 2180 Bidjnkdg.exe 37 PID 2904 wrote to memory of 2864 2904 Bblogakg.exe 38 PID 2904 wrote to memory of 2864 2904 Bblogakg.exe 38 PID 2904 wrote to memory of 2864 2904 Bblogakg.exe 38 PID 2904 wrote to memory of 2864 2904 Bblogakg.exe 38 PID 2864 wrote to memory of 1724 2864 Bifgdk32.exe 39 PID 2864 wrote to memory of 1724 2864 Bifgdk32.exe 39 PID 2864 wrote to memory of 1724 2864 Bifgdk32.exe 39 PID 2864 wrote to memory of 1724 2864 Bifgdk32.exe 39 PID 1724 wrote to memory of 3064 1724 Bocolb32.exe 40 PID 1724 wrote to memory of 3064 1724 Bocolb32.exe 40 PID 1724 wrote to memory of 3064 1724 Bocolb32.exe 40 PID 1724 wrote to memory of 3064 1724 Bocolb32.exe 40 PID 3064 wrote to memory of 2120 3064 Baakhm32.exe 41 PID 3064 wrote to memory of 2120 3064 Baakhm32.exe 41 PID 3064 wrote to memory of 2120 3064 Baakhm32.exe 41 PID 3064 wrote to memory of 2120 3064 Baakhm32.exe 41 PID 2120 wrote to memory of 2212 2120 Ccahbp32.exe 42 PID 2120 wrote to memory of 2212 2120 Ccahbp32.exe 42 PID 2120 wrote to memory of 2212 2120 Ccahbp32.exe 42 PID 2120 wrote to memory of 2212 2120 Ccahbp32.exe 42 PID 2212 wrote to memory of 2264 2212 Ceodnl32.exe 43 PID 2212 wrote to memory of 2264 2212 Ceodnl32.exe 43 PID 2212 wrote to memory of 2264 2212 Ceodnl32.exe 43 PID 2212 wrote to memory of 2264 2212 Ceodnl32.exe 43 PID 2264 wrote to memory of 2156 2264 Cohigamf.exe 44 PID 2264 wrote to memory of 2156 2264 Cohigamf.exe 44 PID 2264 wrote to memory of 2156 2264 Cohigamf.exe 44 PID 2264 wrote to memory of 2156 2264 Cohigamf.exe 44 PID 2156 wrote to memory of 1196 2156 Ceaadk32.exe 45 PID 2156 wrote to memory of 1196 2156 Ceaadk32.exe 45 PID 2156 wrote to memory of 1196 2156 Ceaadk32.exe 45 PID 2156 wrote to memory of 1196 2156 Ceaadk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe"C:\Users\Admin\AppData\Local\Temp\6b09e35a5b5372580d43af5a6e6e2966aa03c02e16958707d473e4679118df65.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe34⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:592 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe37⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe41⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe42⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe47⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe54⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe55⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe57⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe58⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe60⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe62⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe63⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe64⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe66⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe67⤵PID:2792
-
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe68⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe69⤵PID:2612
-
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:596 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe71⤵PID:3036
-
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe72⤵
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe75⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe77⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe78⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe79⤵PID:2196
-
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe81⤵PID:1308
-
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe82⤵PID:112
-
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe84⤵PID:556
-
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe85⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe86⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe87⤵PID:2552
-
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe88⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe90⤵PID:1992
-
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe96⤵PID:1380
-
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe97⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe98⤵PID:2284
-
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe99⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe100⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe102⤵PID:536
-
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe103⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe105⤵PID:1856
-
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe106⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe107⤵PID:848
-
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe108⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe109⤵
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe110⤵PID:2896
-
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe111⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe114⤵PID:1932
-
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe116⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe117⤵
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe118⤵PID:2068
-
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe119⤵PID:1156
-
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe120⤵PID:2092
-
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe121⤵PID:2776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-