Analysis
-
max time kernel
140s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 23:31
Behavioral task
behavioral1
Sample
b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe
-
Size
276KB
-
MD5
f7fbbadf5073aaacdb5e85d301727978
-
SHA1
f9dd9b7933cc4372477e89574a2d4d0246c47b26
-
SHA256
b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a
-
SHA512
8ff3d91d6d8f7657e8385bf03ce44ad49302714c9555994f627122252ee505c57802411eefb706cc142be3ea10a818021bdc7db80b8460d6919116369fb8472a
-
SSDEEP
3072:LLnqiW9437ZRqn5F1ZieS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDrM8d7w3:L7qU871ZidZMGXF5ahdt3rM8d7TtLa
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeeadi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmcimq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfqomom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmhncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hakani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjpehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aapkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gloppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gapbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jchjqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmimpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeeadi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnagehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laccdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memonbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nadpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glmckikf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnngeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjgbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqninhmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgppdpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fajpdmgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlidplcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfjmkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cekihh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhgonj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingogcke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdmekne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncplfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Algida32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aliejq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cekihh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdlgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcpcjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbdobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofmknifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbighojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnbjill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgichoqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqcmdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfpkbbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjfolmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgablmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idagdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfnpgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbppk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlebog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpogjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehfcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjqbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hojeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jepjpajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pildih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgdmkhnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mibeofaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfnmhnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dblcnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onhihepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjnfobi.exe -
Executes dropped EXE 64 IoCs
pid Process 2336 Jigmeagl.exe 2732 Jkeialfp.exe 2972 Jboanfmm.exe 2772 Jepjpajn.exe 408 Kceganoe.exe 2664 Kmnljc32.exe 1124 Kffpcilf.exe 1068 Kmphpc32.exe 1320 Kigidd32.exe 1652 Kbonmjph.exe 2872 Kofnbk32.exe 1824 Lljolodf.exe 2360 Lpekln32.exe 2036 Lojhmjag.exe 2384 Lhclfphg.exe 2208 Lkahbkgk.exe 2480 Looahi32.exe 1528 Lanmde32.exe 1268 Lmdnjf32.exe 3000 Mdnffpif.exe 2324 Mmgkoe32.exe 2140 Mpegka32.exe 2400 Mebpchmb.exe 940 Minldf32.exe 1564 Mojdlm32.exe 2824 Mgalnk32.exe 2860 Mlndfa32.exe 2836 Momqbm32.exe 2788 Mibeofaf.exe 2700 Moomgmpm.exe 2428 Mdlfpcnd.exe 2096 Nkfnln32.exe 2536 Ndnbeclb.exe 2876 Ngmoao32.exe 1740 Nabcog32.exe 2764 Ngolgn32.exe 1136 Nadpdg32.exe 2420 Npgppdpc.exe 1852 Nkmdmm32.exe 2172 Nqjmec32.exe 680 Ngcebnen.exe 2160 Njbanida.exe 1760 Nqlikc32.exe 1884 Ocjfgo32.exe 1984 Ombjpd32.exe 1752 Ooaflp32.exe 2224 Ojgkih32.exe 2944 Omeged32.exe 2192 Ooccap32.exe 2316 Ofmknifp.exe 2644 Okjdfq32.exe 2024 Oofpgolq.exe 2308 Oindpd32.exe 1388 Okmqlp32.exe 1632 Onkmhl32.exe 2648 Oqiidg32.exe 740 Oeeeeehe.exe 1208 Pjbnmm32.exe 988 Pqlfjfni.exe 2164 Pegaje32.exe 2284 Pnpfckmc.exe 2672 Panboflg.exe 772 Pjfghl32.exe 2092 Ppcoqbao.exe -
Loads dropped DLL 64 IoCs
pid Process 908 b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe 908 b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe 2336 Jigmeagl.exe 2336 Jigmeagl.exe 2732 Jkeialfp.exe 2732 Jkeialfp.exe 2972 Jboanfmm.exe 2972 Jboanfmm.exe 2772 Jepjpajn.exe 2772 Jepjpajn.exe 408 Kceganoe.exe 408 Kceganoe.exe 2664 Kmnljc32.exe 2664 Kmnljc32.exe 1124 Kffpcilf.exe 1124 Kffpcilf.exe 1068 Kmphpc32.exe 1068 Kmphpc32.exe 1320 Kigidd32.exe 1320 Kigidd32.exe 1652 Kbonmjph.exe 1652 Kbonmjph.exe 2872 Kofnbk32.exe 2872 Kofnbk32.exe 1824 Lljolodf.exe 1824 Lljolodf.exe 2360 Lpekln32.exe 2360 Lpekln32.exe 2036 Lojhmjag.exe 2036 Lojhmjag.exe 2384 Lhclfphg.exe 2384 Lhclfphg.exe 2208 Lkahbkgk.exe 2208 Lkahbkgk.exe 2480 Looahi32.exe 2480 Looahi32.exe 1528 Lanmde32.exe 1528 Lanmde32.exe 1268 Lmdnjf32.exe 1268 Lmdnjf32.exe 3000 Mdnffpif.exe 3000 Mdnffpif.exe 2324 Mmgkoe32.exe 2324 Mmgkoe32.exe 2140 Mpegka32.exe 2140 Mpegka32.exe 2400 Mebpchmb.exe 2400 Mebpchmb.exe 940 Minldf32.exe 940 Minldf32.exe 1564 Mojdlm32.exe 1564 Mojdlm32.exe 2824 Mgalnk32.exe 2824 Mgalnk32.exe 2860 Mlndfa32.exe 2860 Mlndfa32.exe 2836 Momqbm32.exe 2836 Momqbm32.exe 2788 Mibeofaf.exe 2788 Mibeofaf.exe 2700 Moomgmpm.exe 2700 Moomgmpm.exe 2428 Mdlfpcnd.exe 2428 Mdlfpcnd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lneghd32.exe Kfnpgg32.exe File created C:\Windows\SysWOW64\Ghgfppka.dll Pnhegi32.exe File created C:\Windows\SysWOW64\Inbobn32.exe Ikcbfb32.exe File opened for modification C:\Windows\SysWOW64\Hdonpjbi.exe Hpcbol32.exe File created C:\Windows\SysWOW64\Kemcookp.exe Kmeknakn.exe File opened for modification C:\Windows\SysWOW64\Edbonh32.exe Ebccal32.exe File created C:\Windows\SysWOW64\Ckgapo32.exe Cdnicemo.exe File opened for modification C:\Windows\SysWOW64\Gaiehjfb.exe Gjomlp32.exe File opened for modification C:\Windows\SysWOW64\Eiehilaa.exe Ejbhno32.exe File opened for modification C:\Windows\SysWOW64\Onhihepp.exe Ojlmgg32.exe File opened for modification C:\Windows\SysWOW64\Ofcnmh32.exe Oceaql32.exe File opened for modification C:\Windows\SysWOW64\Pmpcoabe.exe Pidgnc32.exe File created C:\Windows\SysWOW64\Aflmbj32.exe Algida32.exe File created C:\Windows\SysWOW64\Ccjpfmic.exe Clphjc32.exe File created C:\Windows\SysWOW64\Plkjobah.dll Biiljjnk.exe File opened for modification C:\Windows\SysWOW64\Dheljhof.exe Ddjpjj32.exe File created C:\Windows\SysWOW64\Nijdcdgn.exe Nglhghgj.exe File created C:\Windows\SysWOW64\Kadogppo.dll Edbonh32.exe File opened for modification C:\Windows\SysWOW64\Hafdbmjp.exe Hohhfbkl.exe File created C:\Windows\SysWOW64\Jeapek32.dll Afdjmo32.exe File opened for modification C:\Windows\SysWOW64\Feqbilcq.exe Fngjmb32.exe File created C:\Windows\SysWOW64\Gmejdm32.exe Gijncn32.exe File opened for modification C:\Windows\SysWOW64\Oqibjq32.exe Ohajic32.exe File created C:\Windows\SysWOW64\Jfffmo32.exe Jchjqc32.exe File created C:\Windows\SysWOW64\Cmgpnn32.dll Kofnbk32.exe File created C:\Windows\SysWOW64\Gmcmomjc.exe Gigano32.exe File created C:\Windows\SysWOW64\Hddgkj32.exe Hnjonpgg.exe File created C:\Windows\SysWOW64\Hobecd32.dll Djnbdlla.exe File opened for modification C:\Windows\SysWOW64\Ejnnbpol.exe Egobfdpi.exe File opened for modification C:\Windows\SysWOW64\Jmaedolh.exe Jjcigcmd.exe File created C:\Windows\SysWOW64\Oeeeeehe.exe Oqiidg32.exe File created C:\Windows\SysWOW64\Blelpeoa.exe Bigpdjpm.exe File created C:\Windows\SysWOW64\Jcbkhjjg.dll Cocnanmd.exe File created C:\Windows\SysWOW64\Bppljg32.dll Hafdbmjp.exe File created C:\Windows\SysWOW64\Baeanl32.exe Blhifemo.exe File opened for modification C:\Windows\SysWOW64\Hkdmaenk.exe Hhfqejoh.exe File created C:\Windows\SysWOW64\Gjingc32.dll Llpajmkq.exe File opened for modification C:\Windows\SysWOW64\Mbqpgf32.exe Mkihfi32.exe File created C:\Windows\SysWOW64\Cmfdmc32.dll Pneiaidn.exe File opened for modification C:\Windows\SysWOW64\Fmnmih32.exe Fefdhj32.exe File created C:\Windows\SysWOW64\Egcjkjmo.dll Hnllcoed.exe File opened for modification C:\Windows\SysWOW64\Liaenblm.exe Ljnebe32.exe File created C:\Windows\SysWOW64\Gdedoegh.exe Gaghcjhd.exe File created C:\Windows\SysWOW64\Lkpekajj.dll Oofpgolq.exe File opened for modification C:\Windows\SysWOW64\Fngjmb32.exe Fpdjaeei.exe File opened for modification C:\Windows\SysWOW64\Ckeekp32.exe Cidhcg32.exe File created C:\Windows\SysWOW64\Hcedjdom.dll Gjmpfp32.exe File created C:\Windows\SysWOW64\Docjpa32.exe Dhiacg32.exe File created C:\Windows\SysWOW64\Djddbkck.exe Dgehfodh.exe File opened for modification C:\Windows\SysWOW64\Hinlck32.exe Hafdbmjp.exe File created C:\Windows\SysWOW64\Kcpcjl32.exe Kemcookp.exe File created C:\Windows\SysWOW64\Ikafpbon.exe Ihcidgpj.exe File opened for modification C:\Windows\SysWOW64\Iegjnkod.exe Impblnna.exe File opened for modification C:\Windows\SysWOW64\Cgfcabeh.exe Cplkehnk.exe File created C:\Windows\SysWOW64\Lfehmgfd.dll Hjqpcq32.exe File created C:\Windows\SysWOW64\Aipbidbj.exe Aahkhgag.exe File opened for modification C:\Windows\SysWOW64\Aipbidbj.exe Aahkhgag.exe File opened for modification C:\Windows\SysWOW64\Echpaecj.exe Eqjceidf.exe File created C:\Windows\SysWOW64\Gdobqgpn.exe Gmejdm32.exe File created C:\Windows\SysWOW64\Dpnioi32.dll Ihfmdm32.exe File created C:\Windows\SysWOW64\Angohn32.dll Jmaedolh.exe File created C:\Windows\SysWOW64\Najbbepc.exe Nnofbg32.exe File created C:\Windows\SysWOW64\Lojhmjag.exe Lpekln32.exe File created C:\Windows\SysWOW64\Nagjpd32.dll Oceaql32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6180 6156 WerFault.exe 589 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okmqlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkakad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidhcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcgppana.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjckcbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcaiqfib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikibkhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecpipck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooncljom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmglfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iejnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoefea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egchocif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqpgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbilimn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adenqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epkgkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbglgcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiaiooja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimbbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cclmlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlckoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklkkoqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmkhmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adadedjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopeagip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbcah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najbbepc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feqbilcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oceaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifpcfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlkakqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momqbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejbhno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpjjaiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enomam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooaflp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheljhof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdjaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagcnmie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojmbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooccap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofaad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibehna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memonbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acldpojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Endmgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgknffcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcmipjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhdmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhaboi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icidlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afojgiei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emcqpjhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmbmkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hikpnkme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikafpbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iackhb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkookd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqliakm.dll" Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdedoegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhchnllb.dll" Ppcoqbao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgablmfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebccal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idafbjna.dll" Lojhmjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocjfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cehlbihg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fffabman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejbhno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdobqgpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkdmaenk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjgoaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojjqbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfffmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkeialfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeapek32.dll" Afdjmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbebcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nppceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cidhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poenac32.dll" Dcaiqfib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egglnnil.dll" Gjhfkqdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nabcog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeikohgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djfagjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbonmjph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpcbol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peandcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keemfmgm.dll" Ikhlaaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcghffen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjclfmfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mibeofaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedcda32.dll" Gdobqgpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgkike32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimfik32.dll" Ejnnbpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjeblf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nceeaikk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jboanfmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pllmkcdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qibjjgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aipickfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbighojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkqnghfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmpe32.dll" Ilihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omeged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjglcmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknabn32.dll" Fdhlphff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kecpipck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbjmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijklmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nibgpjfq.dll" Bpokkdim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdejpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gboolneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ingogcke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmkkhfmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklhaimi.dll" Biecoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dndahokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfijmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cidhcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhnoocab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcoimjn.dll" Ghlgdecf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 908 wrote to memory of 2336 908 b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe 29 PID 908 wrote to memory of 2336 908 b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe 29 PID 908 wrote to memory of 2336 908 b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe 29 PID 908 wrote to memory of 2336 908 b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe 29 PID 2336 wrote to memory of 2732 2336 Jigmeagl.exe 30 PID 2336 wrote to memory of 2732 2336 Jigmeagl.exe 30 PID 2336 wrote to memory of 2732 2336 Jigmeagl.exe 30 PID 2336 wrote to memory of 2732 2336 Jigmeagl.exe 30 PID 2732 wrote to memory of 2972 2732 Jkeialfp.exe 31 PID 2732 wrote to memory of 2972 2732 Jkeialfp.exe 31 PID 2732 wrote to memory of 2972 2732 Jkeialfp.exe 31 PID 2732 wrote to memory of 2972 2732 Jkeialfp.exe 31 PID 2972 wrote to memory of 2772 2972 Jboanfmm.exe 32 PID 2972 wrote to memory of 2772 2972 Jboanfmm.exe 32 PID 2972 wrote to memory of 2772 2972 Jboanfmm.exe 32 PID 2972 wrote to memory of 2772 2972 Jboanfmm.exe 32 PID 2772 wrote to memory of 408 2772 Jepjpajn.exe 33 PID 2772 wrote to memory of 408 2772 Jepjpajn.exe 33 PID 2772 wrote to memory of 408 2772 Jepjpajn.exe 33 PID 2772 wrote to memory of 408 2772 Jepjpajn.exe 33 PID 408 wrote to memory of 2664 408 Kceganoe.exe 34 PID 408 wrote to memory of 2664 408 Kceganoe.exe 34 PID 408 wrote to memory of 2664 408 Kceganoe.exe 34 PID 408 wrote to memory of 2664 408 Kceganoe.exe 34 PID 2664 wrote to memory of 1124 2664 Kmnljc32.exe 35 PID 2664 wrote to memory of 1124 2664 Kmnljc32.exe 35 PID 2664 wrote to memory of 1124 2664 Kmnljc32.exe 35 PID 2664 wrote to memory of 1124 2664 Kmnljc32.exe 35 PID 1124 wrote to memory of 1068 1124 Kffpcilf.exe 36 PID 1124 wrote to memory of 1068 1124 Kffpcilf.exe 36 PID 1124 wrote to memory of 1068 1124 Kffpcilf.exe 36 PID 1124 wrote to memory of 1068 1124 Kffpcilf.exe 36 PID 1068 wrote to memory of 1320 1068 Kmphpc32.exe 37 PID 1068 wrote to memory of 1320 1068 Kmphpc32.exe 37 PID 1068 wrote to memory of 1320 1068 Kmphpc32.exe 37 PID 1068 wrote to memory of 1320 1068 Kmphpc32.exe 37 PID 1320 wrote to memory of 1652 1320 Kigidd32.exe 38 PID 1320 wrote to memory of 1652 1320 Kigidd32.exe 38 PID 1320 wrote to memory of 1652 1320 Kigidd32.exe 38 PID 1320 wrote to memory of 1652 1320 Kigidd32.exe 38 PID 1652 wrote to memory of 2872 1652 Kbonmjph.exe 39 PID 1652 wrote to memory of 2872 1652 Kbonmjph.exe 39 PID 1652 wrote to memory of 2872 1652 Kbonmjph.exe 39 PID 1652 wrote to memory of 2872 1652 Kbonmjph.exe 39 PID 2872 wrote to memory of 1824 2872 Kofnbk32.exe 40 PID 2872 wrote to memory of 1824 2872 Kofnbk32.exe 40 PID 2872 wrote to memory of 1824 2872 Kofnbk32.exe 40 PID 2872 wrote to memory of 1824 2872 Kofnbk32.exe 40 PID 1824 wrote to memory of 2360 1824 Lljolodf.exe 41 PID 1824 wrote to memory of 2360 1824 Lljolodf.exe 41 PID 1824 wrote to memory of 2360 1824 Lljolodf.exe 41 PID 1824 wrote to memory of 2360 1824 Lljolodf.exe 41 PID 2360 wrote to memory of 2036 2360 Lpekln32.exe 42 PID 2360 wrote to memory of 2036 2360 Lpekln32.exe 42 PID 2360 wrote to memory of 2036 2360 Lpekln32.exe 42 PID 2360 wrote to memory of 2036 2360 Lpekln32.exe 42 PID 2036 wrote to memory of 2384 2036 Lojhmjag.exe 43 PID 2036 wrote to memory of 2384 2036 Lojhmjag.exe 43 PID 2036 wrote to memory of 2384 2036 Lojhmjag.exe 43 PID 2036 wrote to memory of 2384 2036 Lojhmjag.exe 43 PID 2384 wrote to memory of 2208 2384 Lhclfphg.exe 44 PID 2384 wrote to memory of 2208 2384 Lhclfphg.exe 44 PID 2384 wrote to memory of 2208 2384 Lhclfphg.exe 44 PID 2384 wrote to memory of 2208 2384 Lhclfphg.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe"C:\Users\Admin\AppData\Local\Temp\b230204be417aee240a16c118dea2c65e0f8445c17f1fa751e04c6b465d4612a.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Jigmeagl.exeC:\Windows\system32\Jigmeagl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Jkeialfp.exeC:\Windows\system32\Jkeialfp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Jepjpajn.exeC:\Windows\system32\Jepjpajn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kceganoe.exeC:\Windows\system32\Kceganoe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Kmnljc32.exeC:\Windows\system32\Kmnljc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Kffpcilf.exeC:\Windows\system32\Kffpcilf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Kmphpc32.exeC:\Windows\system32\Kmphpc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Kigidd32.exeC:\Windows\system32\Kigidd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Kbonmjph.exeC:\Windows\system32\Kbonmjph.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Kofnbk32.exeC:\Windows\system32\Kofnbk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Lljolodf.exeC:\Windows\system32\Lljolodf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Lpekln32.exeC:\Windows\system32\Lpekln32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Lhclfphg.exeC:\Windows\system32\Lhclfphg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Looahi32.exeC:\Windows\system32\Looahi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Lanmde32.exeC:\Windows\system32\Lanmde32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Lmdnjf32.exeC:\Windows\system32\Lmdnjf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Mdnffpif.exeC:\Windows\system32\Mdnffpif.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Mmgkoe32.exeC:\Windows\system32\Mmgkoe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Mpegka32.exeC:\Windows\system32\Mpegka32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Mebpchmb.exeC:\Windows\system32\Mebpchmb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Minldf32.exeC:\Windows\system32\Minldf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Mojdlm32.exeC:\Windows\system32\Mojdlm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Mlndfa32.exeC:\Windows\system32\Mlndfa32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Mibeofaf.exeC:\Windows\system32\Mibeofaf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Moomgmpm.exeC:\Windows\system32\Moomgmpm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Mdlfpcnd.exeC:\Windows\system32\Mdlfpcnd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Nkfnln32.exeC:\Windows\system32\Nkfnln32.exe33⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe34⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ngmoao32.exeC:\Windows\system32\Ngmoao32.exe35⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Nabcog32.exeC:\Windows\system32\Nabcog32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Ngolgn32.exeC:\Windows\system32\Ngolgn32.exe37⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Nadpdg32.exeC:\Windows\system32\Nadpdg32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Npgppdpc.exeC:\Windows\system32\Npgppdpc.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Nkmdmm32.exeC:\Windows\system32\Nkmdmm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe41⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ngcebnen.exeC:\Windows\system32\Ngcebnen.exe42⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe43⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe44⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ocjfgo32.exeC:\Windows\system32\Ocjfgo32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Ombjpd32.exeC:\Windows\system32\Ombjpd32.exe46⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe48⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Omeged32.exeC:\Windows\system32\Omeged32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Ooccap32.exeC:\Windows\system32\Ooccap32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe52⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Oofpgolq.exeC:\Windows\system32\Oofpgolq.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe54⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Onkmhl32.exeC:\Windows\system32\Onkmhl32.exe56⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Oqiidg32.exeC:\Windows\system32\Oqiidg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Oeeeeehe.exeC:\Windows\system32\Oeeeeehe.exe58⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe59⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Pqlfjfni.exeC:\Windows\system32\Pqlfjfni.exe60⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe61⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Pnpfckmc.exeC:\Windows\system32\Pnpfckmc.exe62⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Panboflg.exeC:\Windows\system32\Panboflg.exe63⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe64⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ppcoqbao.exeC:\Windows\system32\Ppcoqbao.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Pgjgapaa.exeC:\Windows\system32\Pgjgapaa.exe66⤵PID:1104
-
C:\Windows\SysWOW64\Pildih32.exeC:\Windows\system32\Pildih32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe68⤵PID:2408
-
C:\Windows\SysWOW64\Pbdhbnnp.exeC:\Windows\system32\Pbdhbnnp.exe69⤵PID:2612
-
C:\Windows\SysWOW64\Pmimpf32.exeC:\Windows\system32\Pmimpf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Pllmkcdp.exeC:\Windows\system32\Pllmkcdp.exe71⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Qfbahldf.exeC:\Windows\system32\Qfbahldf.exe72⤵PID:2144
-
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe74⤵PID:1112
-
C:\Windows\SysWOW64\Qbiamm32.exeC:\Windows\system32\Qbiamm32.exe75⤵PID:2916
-
C:\Windows\SysWOW64\Qibjjgag.exeC:\Windows\system32\Qibjjgag.exe76⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Qlaffbqk.exeC:\Windows\system32\Qlaffbqk.exe77⤵PID:2568
-
C:\Windows\SysWOW64\Qnpbbn32.exeC:\Windows\system32\Qnpbbn32.exe78⤵PID:1216
-
C:\Windows\SysWOW64\Aeikohgk.exeC:\Windows\system32\Aeikohgk.exe79⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Aiegpg32.exeC:\Windows\system32\Aiegpg32.exe80⤵PID:2272
-
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe81⤵PID:1836
-
C:\Windows\SysWOW64\Abmkhmfe.exeC:\Windows\system32\Abmkhmfe.exe82⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Ahjcqcdm.exeC:\Windows\system32\Ahjcqcdm.exe84⤵PID:2728
-
C:\Windows\SysWOW64\Ajipmocp.exeC:\Windows\system32\Ajipmocp.exe85⤵PID:2748
-
C:\Windows\SysWOW64\Aabhiikm.exeC:\Windows\system32\Aabhiikm.exe86⤵PID:2600
-
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe87⤵
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Afoqbpid.exeC:\Windows\system32\Afoqbpid.exe88⤵PID:3048
-
C:\Windows\SysWOW64\Amiioj32.exeC:\Windows\system32\Amiioj32.exe89⤵PID:3032
-
C:\Windows\SysWOW64\Aaeeoihj.exeC:\Windows\system32\Aaeeoihj.exe90⤵PID:1592
-
C:\Windows\SysWOW64\Ahomlb32.exeC:\Windows\system32\Ahomlb32.exe91⤵PID:2628
-
C:\Windows\SysWOW64\Aipickfe.exeC:\Windows\system32\Aipickfe.exe92⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe93⤵PID:2064
-
C:\Windows\SysWOW64\Adenqd32.exeC:\Windows\system32\Adenqd32.exe94⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Bmnbjill.exeC:\Windows\system32\Bmnbjill.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Bbkkbpjc.exeC:\Windows\system32\Bbkkbpjc.exe97⤵PID:2692
-
C:\Windows\SysWOW64\Biecoj32.exeC:\Windows\system32\Biecoj32.exe98⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe99⤵PID:1748
-
C:\Windows\SysWOW64\Bpokkdim.exeC:\Windows\system32\Bpokkdim.exe100⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Bgichoqj.exeC:\Windows\system32\Bgichoqj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Bigpdjpm.exeC:\Windows\system32\Bigpdjpm.exe102⤵
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Blelpeoa.exeC:\Windows\system32\Blelpeoa.exe103⤵PID:880
-
C:\Windows\SysWOW64\Bbpdmp32.exeC:\Windows\system32\Bbpdmp32.exe104⤵PID:3028
-
C:\Windows\SysWOW64\Biiljjnk.exeC:\Windows\system32\Biiljjnk.exe105⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Bhlmef32.exeC:\Windows\system32\Bhlmef32.exe106⤵PID:2768
-
C:\Windows\SysWOW64\Blhifemo.exeC:\Windows\system32\Blhifemo.exe107⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Baeanl32.exeC:\Windows\system32\Baeanl32.exe108⤵PID:2004
-
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe109⤵PID:3020
-
C:\Windows\SysWOW64\Bljeke32.exeC:\Windows\system32\Bljeke32.exe110⤵PID:664
-
C:\Windows\SysWOW64\Bkmegaaf.exeC:\Windows\system32\Bkmegaaf.exe111⤵PID:2288
-
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe112⤵PID:2784
-
C:\Windows\SysWOW64\Bebjdjal.exeC:\Windows\system32\Bebjdjal.exe113⤵PID:2908
-
C:\Windows\SysWOW64\Cdejpg32.exeC:\Windows\system32\Cdejpg32.exe114⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Coknmp32.exeC:\Windows\system32\Coknmp32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\Cplkehnk.exeC:\Windows\system32\Cplkehnk.exe116⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Cgfcabeh.exeC:\Windows\system32\Cgfcabeh.exe117⤵PID:1844
-
C:\Windows\SysWOW64\Cnpknl32.exeC:\Windows\system32\Cnpknl32.exe118⤵PID:1816
-
C:\Windows\SysWOW64\Cpogjh32.exeC:\Windows\system32\Cpogjh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:852 -
C:\Windows\SysWOW64\Ckdlgq32.exeC:\Windows\system32\Ckdlgq32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Cjglcmbi.exeC:\Windows\system32\Cjglcmbi.exe121⤵
- Modifies registry class
PID:2756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-