Analysis
max time kernel: 20s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 29/09/2024, 23:58
Static task: static1
Behavioral task behavioral1: sample 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe, resource win7-20240708-en
Behavioral task behavioral2: sample 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe, resource win10v2004-20240802-en
General
Target: 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe
Size: 565KB
MD5: a853975d2d2cb60f13e95f200836ff66
SHA1: f0304048b3f52a2e427ad90d229bee9c068d34f3
SHA256: 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b
SHA512: 29ead8db731b336036c348545fa1cca25359540a07980ed59441590633299c5e86880a1f8743a5194f819009878d892d4935085daf99acaf3718b4e6ece6a7dd
SSDEEP: 12288:opYuDPtuFjAh//+zrWAIAqWim/+zrWAI5KF8OX:oYGtuFjAh/mvFimm09OX
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs target one key, ShellServiceObjectDelayLoad (SSODL). Explorer instantiates every CLSID listed under this key when the shell starts, so the single value written below is enough to have Explorer load whatever DLL is registered for that CLSID (see "Modifies registry class"). The Wow6432Node path reflects a 32-bit process running on the x64 image; on a 32-bit host the same key appears without Wow6432Node.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 processes):
Geddla32.exe, Gfhniijm.exe, Gohlik32.exe, Plqjilia.exe, Pcndigpn.exe, Hhbmgp32.exe, Pcchoj32.exe, Malflk32.exe, Piejbpgk.exe, Jcddja32.exe, Qhoqolhm.exe, Loiqephm.exe, Qjjikafh.exe, Mhlonk32.exe, Pijmanoe.exe, Cldagoib.exe, Bebmgc32.exe, Nachlm32.exe, Pjmqldee.exe, Ofeneqcn.exe, Cbkgqgpo.exe, Aldhih32.exe, Omgcmp32.exe, Cklnog32.exe, Idcgmf32.exe, Hgfqen32.exe, Hegdkkje.exe, Inbbfk32.exe, Jfemkl32.exe, Hmabegde.exe, Alcbno32.exe, Ncaokgmp.exe, Ncgejbao.exe, Npdlbj32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (30 processes):
Pgdgngml.exe, Hodbopmq.exe, Qcbndg32.exe, Fiiafg32.exe, Iodnncol.exe, Pgbjigoo.exe, Jialbh32.exe, Nhkdch32.exe, Bgglpd32.exe, Mdplcfoi.exe, Ecghik32.exe, Ffjnpeen.exe, Ffpnek32.exe, Innhkknc.exe, Qimifn32.exe, Ajjejdhc.exe, Kiebljpm.exe, Ppbhhi32.exe, Cdilbl32.exe, Dojcci32.exe, Kedcmm32.exe, Clqknppe.exe, Ealpmeme.exe, Lppjid32.exe, Adeadmna.exe, Eenige32.exe, Lpbnijic.exe, Bppqhjnp.exe, Aillbbdn.exe, Alponiga.exe
Executes dropped EXE (64 IoCs)
pid | Process
324 | Jfecfb32.exe
2288 | Jakhckdb.exe
2444 | Jjfiap32.exe
2828 | Kpbajggh.exe
2892 | Kliboh32.exe
2952 | Kpgkef32.exe
2592 | Kedcmm32.exe
2644 | Kheloh32.exe
1252 | Kmaego32.exe
2364 | Lpbnijic.exe
2484 | Lglfed32.exe
2796 | Lgobkdom.exe
2924 | Ledplq32.exe
908 | Lplqoiai.exe
1572 | Mhgeckoc.exe
2420 | Mdnfhldh.exe
1940 | Mhlonk32.exe
1248 | Mnhgga32.exe
2488 | Mpgccm32.exe
2260 | Mjohlb32.exe
2348 | Mnkdlagc.exe
584 | Mdelik32.exe
2980 | Mkodfeem.exe
2312 | Nlpamn32.exe
2520 | Nfhefc32.exe
1632 | Noajoihl.exe
2092 | Nghbpfin.exe
2272 | Nqpfil32.exe
2820 | Ncobeg32.exe
2848 | Nmggnm32.exe
2052 | Ncaokgmp.exe
2640 | Nkldoijk.exe
2224 | Nnkpkdio.exe
2868 | Oddhho32.exe
1988 | Obiiacpe.exe
2956 | Ojdnfemp.exe
840 | Oeibcnmf.exe
2776 | Omdfgq32.exe
1544 | Oeloin32.exe
1640 | Ofmkpfqa.exe
2572 | Omgcmp32.exe
3012 | Opepik32.exe
1584 | Ofohfeoo.exe
924 | Ojkcfdgh.exe
2144 | Paelcn32.exe
2016 | Pcchoj32.exe
1420 | Pjmqldee.exe
2116 | Pmlmhodi.exe
2120 | Pceeei32.exe
1628 | Pegalaad.exe
1948 | Plqjilia.exe
2388 | Pnofeghe.exe
2724 | Pbkbff32.exe
2428 | Piejbpgk.exe
1976 | Pnabkgfb.exe
3064 | Pekkga32.exe
2012 | Plecdk32.exe
560 | Pndoqf32.exe
2964 | Pabkmb32.exe
2916 | Qhldiljp.exe
912 | Qjkpegic.exe
2372 | Qadhba32.exe
2244 | Qhoqolhm.exe
888 | Qohilfpj.exe
Loads dropped DLL (64 IoCs)
pid | Process (the report lists each pair twice; 32 distinct processes)
2412 | 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe
324 | Jfecfb32.exe
2288 | Jakhckdb.exe
2444 | Jjfiap32.exe
2828 | Kpbajggh.exe
2892 | Kliboh32.exe
2952 | Kpgkef32.exe
2592 | Kedcmm32.exe
2644 | Kheloh32.exe
1252 | Kmaego32.exe
2364 | Lpbnijic.exe
2484 | Lglfed32.exe
2796 | Lgobkdom.exe
2924 | Ledplq32.exe
908 | Lplqoiai.exe
1572 | Mhgeckoc.exe
2420 | Mdnfhldh.exe
1940 | Mhlonk32.exe
1248 | Mnhgga32.exe
2488 | Mpgccm32.exe
2260 | Mjohlb32.exe
2348 | Mnkdlagc.exe
584 | Mdelik32.exe
2980 | Mkodfeem.exe
2312 | Nlpamn32.exe
2520 | Nfhefc32.exe
1632 | Noajoihl.exe
2092 | Nghbpfin.exe
2272 | Nqpfil32.exe
2820 | Ncobeg32.exe
2848 | Nmggnm32.exe
2052 | Ncaokgmp.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Alponiga.exe | Ahdcmj32.exe
File created | C:\Windows\SysWOW64\Bfkhopck.dll | Pbkbff32.exe
File created | C:\Windows\SysWOW64\Finjag32.exe | Ffpnek32.exe
File created | C:\Windows\SysWOW64\Llhgce32.exe | Leoofkdo.exe
File created | C:\Windows\SysWOW64\Mhdace32.exe | Ldhfcgea.exe
File created | C:\Windows\SysWOW64\Nobpjbcn.exe | Nkgcic32.exe
File created | C:\Windows\SysWOW64\Pfjcocad.exe | Pckgchbp.exe
File created | C:\Windows\SysWOW64\Gfdialbn.dll | Lplqoiai.exe
File created | C:\Windows\SysWOW64\Jlinchae.dll | Pcndigpn.exe
File created | C:\Windows\SysWOW64\Lqoaoiom.dll | Fjlciihn.exe
File created | C:\Windows\SysWOW64\Igqebb32.dll | Geadee32.exe
File created | C:\Windows\SysWOW64\Bkdokjdd.exe | Bhecnndq.exe
File created | C:\Windows\SysWOW64\Fmgjmfod.exe | Fjinqjpq.exe
File created | C:\Windows\SysWOW64\Helnfj32.exe | Hobeipoc.exe
File opened for modification | C:\Windows\SysWOW64\Jcbgdafb.exe | Jqckhffo.exe
File opened for modification | C:\Windows\SysWOW64\Pcndigpn.exe | Ppbhhi32.exe
File created | C:\Windows\SysWOW64\Bbggdf32.exe | Bafjlnnn.exe
File created | C:\Windows\SysWOW64\Hakapfnq.exe | Hbhadi32.exe
File created | C:\Windows\SysWOW64\Lbidgjmi.dll | Mdnfhldh.exe
File created | C:\Windows\SysWOW64\Oihclk32.exe | Ojecaoga.exe
File created | C:\Windows\SysWOW64\Kbgqagng.dll | Ahgpbj32.exe
File created | C:\Windows\SysWOW64\Caffkapi.exe | Cogjofae.exe
File created | C:\Windows\SysWOW64\Pndoqf32.exe | Plecdk32.exe
File created | C:\Windows\SysWOW64\Lobkifnl.dll | Abadeh32.exe
File created | C:\Windows\SysWOW64\Dkkajlph.exe | Dcciiope.exe
File opened for modification | C:\Windows\SysWOW64\Kfgfpoaj.exe | Kajmhhcb.exe
File created | C:\Windows\SysWOW64\Nonfoc32.exe | Nhdnbipf.exe
File opened for modification | C:\Windows\SysWOW64\Oqmohi32.exe | Ohfggl32.exe
File created | C:\Windows\SysWOW64\Ofohfeoo.exe | Opepik32.exe
File opened for modification | C:\Windows\SysWOW64\Dlkggn32.exe | Dfaokckn.exe
File opened for modification | C:\Windows\SysWOW64\Kfeijocl.exe | Kcfmnd32.exe
File created | C:\Windows\SysWOW64\Pogede32.exe | Pgpmcg32.exe
File created | C:\Windows\SysWOW64\Nckmqnaa.dll | Ckjaih32.exe
File opened for modification | C:\Windows\SysWOW64\Gohlik32.exe | Gliomp32.exe
File opened for modification | C:\Windows\SysWOW64\Hikppghf.exe | Hkhodk32.exe
File created | C:\Windows\SysWOW64\Kpgkef32.exe | Kliboh32.exe
File created | C:\Windows\SysWOW64\Gmhamo32.dll | Pekkga32.exe
File created | C:\Windows\SysWOW64\Jcddja32.exe | Jioplhdj.exe
File opened for modification | C:\Windows\SysWOW64\Ldhfcgea.exe | Lolmjpfj.exe
File created | C:\Windows\SysWOW64\Jkdkdbga.dll | Nopcdbep.exe
File created | C:\Windows\SysWOW64\Biheapeq.exe | Baampb32.exe
File created | C:\Windows\SysWOW64\Obiiacpe.exe | Oddhho32.exe
File opened for modification | C:\Windows\SysWOW64\Jghfid32.exe | Jejjlh32.exe
File created | C:\Windows\SysWOW64\Pcfmhn32.dll | Hlpemo32.exe
File created | C:\Windows\SysWOW64\Djbkahcm.exe | Dgdoemdi.exe
File opened for modification | C:\Windows\SysWOW64\Gbilpl32.exe | Feekfh32.exe
File opened for modification | C:\Windows\SysWOW64\Idcgmf32.exe | Iaekqk32.exe
File opened for modification | C:\Windows\SysWOW64\Kjllpopk.exe | Kgmodcqg.exe
File created | C:\Windows\SysWOW64\Qimifn32.exe | Qjjikafh.exe
File created | C:\Windows\SysWOW64\Edmblo32.exe | Eqbflqad.exe
File created | C:\Windows\SysWOW64\Gcebjedc.dll | Cccmjkmj.exe
File opened for modification | C:\Windows\SysWOW64\Cbkgqgpo.exe | Ckaodmhb.exe
File created | C:\Windows\SysWOW64\Noljad32.dll | Fmbigp32.exe
File created | C:\Windows\SysWOW64\Cfkngccd.dll | Mjohlb32.exe
File opened for modification | C:\Windows\SysWOW64\Bppqhjnp.exe | Bhiigmnn.exe
File created | C:\Windows\SysWOW64\Fhljgn32.exe | Ffjnpeen.exe
File created | C:\Windows\SysWOW64\Flbmmm32.exe | Fjaqeebm.exe
File opened for modification | C:\Windows\SysWOW64\Hbhadi32.exe | Hhbmgp32.exe
File opened for modification | C:\Windows\SysWOW64\Dninfgol.exe | Dkkajlph.exe
File created | C:\Windows\SysWOW64\Doojcjpq.dll | Jejjlh32.exe
File created | C:\Windows\SysWOW64\Kgmodcqg.exe | Kacggiij.exe
File created | C:\Windows\SysWOW64\Igblakfi.dll | Qjjikafh.exe
File opened for modification | C:\Windows\SysWOW64\Aemmanjl.exe | Ajgidejf.exe
File created | C:\Windows\SysWOW64\Hbobhheq.dll | Bbggdf32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
5180 | 5188 | WerFault.exe | 496
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also part of ordinary locale initialisation, so on its own it is a weak indicator; what makes it notable here is that every reader is one of the dropped executables.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 processes):
Pegalaad.exe, Bhecnndq.exe, Cldagoib.exe, Oeloin32.exe, Mkggkphi.exe, Ojajfo32.exe, Cddcgmom.exe, Gmfoacmd.exe, Hgfqen32.exe, Hkkcdq32.exe, Lkndda32.exe, Dkpdhj32.exe, Cfpmqg32.exe, Hodbopmq.exe, Kcdpid32.exe, Ejjjef32.exe, Fbobog32.exe, Jfecfb32.exe, Leallkbl.exe, Dlkggn32.exe, Fcjliali.exe, Nhkdch32.exe, Mioaalkn.exe, Dqdfbmmf.exe, Pmlmhodi.exe, Afkcqg32.exe, Dlfnlofp.exe, Igdpoa32.exe, Aekplnlo.exe, Glgbgp32.exe, Mpgccm32.exe, Qagehaon.exe, Eenige32.exe, Fpcicapk.exe, Bfccdele.exe, Ikjlij32.exe, Dfilfiia.exe, Idedbf32.exe, Ofeneqcn.exe, Ddfllp32.exe, Edkegplp.exe, Cjnege32.exe, Cbkgqgpo.exe, Domgcocg.exe, Egqgdjel.exe, Nfhefc32.exe, Jghfid32.exe, Bafjlnnn.exe, Clqknppe.exe, Dgmidn32.exe, Leciaj32.exe, Jfemkl32.exe, Aamgfpfh.exe, Ojdnfemp.exe, Adeadmna.exe, Gdoacc32.exe, Opepik32.exe, Jqckhffo.exe, Kjllpopk.exe, Kedcmm32.exe, Helnfj32.exe, Fepkabjf.exe, Iodnncol.exe, Qjjikafh.exe
Modifies registry class (64 IoCs)
All 64 IoCs are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, the in-process COM server registration for the CLSID that the ShellServiceObjectDelayLoad value above references. The key's default value names the DLL Explorer will load for that CLSID; ThreadingModel is set to "Apartment". Because it is a single default value rewritten by each successive process, only the most recently written DLL name is live at any moment, so a hunt should key on the CLSID and the SSODL value name rather than on any one DLL name.

Key created ...\InProcServer32 (18 processes):
Biclfp32.exe, Dlkggn32.exe, Innhkknc.exe, Mhdace32.exe, Cklnog32.exe, Flbmmm32.exe, Bkoepj32.exe, Gkfmjndo.exe, Ckaodmhb.exe, Jqckhffo.exe, Baampb32.exe, Coogjloi.exe, Hnlpghmj.exe, Lpbgndfg.exe, Nlpamn32.exe, Abjnei32.exe, Aleoco32.exe, Ocgbiedj.exe

Set value (str) ...\InProcServer32\ThreadingModel = "Apartment" (22 processes):
Inbbfk32.exe, Bkabejfg.exe, Bppqhjnp.exe, Caffkapi.exe, Mkodfeem.exe, Feekfh32.exe, Pjeppb32.exe, Ofohfeoo.exe, Ongijbja.exe, Oqhemjef.exe, Hpehla32.exe, Ahgpbj32.exe, Dfmepd32.exe, Pmlmhodi.exe, Pnabkgfb.exe, Finjag32.exe, Hhgfbpdk.exe, Kheloh32.exe, Hlopbe32.exe, Lodgja32.exe, Dffhfc32.exe, Alponiga.exe

Set value (str) ...\InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>" (24 processes, each writing a different eight-character DLL name):
DLL | Process
Nihnhkla.dll | Bebmgc32.exe
Dmddbgkm.dll | Cllaca32.exe
Cionkp32.dll | Ppbhhi32.exe
Oagkod32.dll | Qimifn32.exe
Jhedmkif.dll | Dojcci32.exe
Kifjhqfo.dll | Qagehaon.exe
Imcalgbk.dll | Nalbkn32.exe
Cmohhofn.dll | Fnebdhci.exe
Qlfdfigm.dll | Nqfigjgi.exe
Chcpbmhp.dll | Gakeable.exe
Nmnbhj32.dll | Nkldoijk.exe
Igkmfmdk.dll | Dmnkgddc.exe
Kfijcmho.dll | Hnlpghmj.exe
Ddclno32.dll | Llhgce32.exe
Llehokkn.dll | Hcpnpn32.exe
Kglqff32.dll | Gmbffc32.exe
Inlnkj32.dll | Pjmqldee.exe
Ndpqii32.dll | Abmkjiqg.exe
Mlbfbdfk.dll | Lkpaja32.exe
Oqhkhbnf.dll | Fjaqeebm.exe
Mhhjhefb.dll | Pmlmhodi.exe
Ihdknole.dll | Ikbidp32.exe
Pghodm32.dll | Pgbjigoo.exe
Hkgpbjfa.dll | Dlfnlofp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 324 2412 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe 29 PID 2412 wrote to memory of 324 2412 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe 29 PID 2412 wrote to memory of 324 2412 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe 29 PID 2412 wrote to memory of 324 2412 8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe 29 PID 324 wrote to memory of 2288 324 Jfecfb32.exe 30 PID 324 wrote to memory of 2288 324 Jfecfb32.exe 30 PID 324 wrote to memory of 2288 324 Jfecfb32.exe 30 PID 324 wrote to memory of 2288 324 Jfecfb32.exe 30 PID 2288 wrote to memory of 2444 2288 Jakhckdb.exe 31 PID 2288 wrote to memory of 2444 2288 Jakhckdb.exe 31 PID 2288 wrote to memory of 2444 2288 Jakhckdb.exe 31 PID 2288 wrote to memory of 2444 2288 Jakhckdb.exe 31 PID 2444 wrote to memory of 2828 2444 Jjfiap32.exe 32 PID 2444 wrote to memory of 2828 2444 Jjfiap32.exe 32 PID 2444 wrote to memory of 2828 2444 Jjfiap32.exe 32 PID 2444 wrote to memory of 2828 2444 Jjfiap32.exe 32 PID 2828 wrote to memory of 2892 2828 Kpbajggh.exe 33 PID 2828 wrote to memory of 2892 2828 Kpbajggh.exe 33 PID 2828 wrote to memory of 2892 2828 Kpbajggh.exe 33 PID 2828 wrote to memory of 2892 2828 Kpbajggh.exe 33 PID 2892 wrote to memory of 2952 2892 Kliboh32.exe 34 PID 2892 wrote to memory of 2952 2892 Kliboh32.exe 34 PID 2892 wrote to memory of 2952 2892 Kliboh32.exe 34 PID 2892 wrote to memory of 2952 2892 Kliboh32.exe 34 PID 2952 wrote to memory of 2592 2952 Kpgkef32.exe 35 PID 2952 wrote to memory of 2592 2952 Kpgkef32.exe 35 PID 2952 wrote to memory of 2592 2952 Kpgkef32.exe 35 PID 2952 wrote to memory of 2592 2952 Kpgkef32.exe 35 PID 2592 wrote to memory of 2644 2592 Kedcmm32.exe 36 PID 2592 wrote to memory of 2644 2592 Kedcmm32.exe 36 PID 2592 wrote to memory of 2644 2592 Kedcmm32.exe 36 PID 2592 wrote to memory of 2644 2592 Kedcmm32.exe 36 PID 2644 wrote to 
memory of 1252 2644 Kheloh32.exe 37 PID 2644 wrote to memory of 1252 2644 Kheloh32.exe 37 PID 2644 wrote to memory of 1252 2644 Kheloh32.exe 37 PID 2644 wrote to memory of 1252 2644 Kheloh32.exe 37 PID 1252 wrote to memory of 2364 1252 Kmaego32.exe 38 PID 1252 wrote to memory of 2364 1252 Kmaego32.exe 38 PID 1252 wrote to memory of 2364 1252 Kmaego32.exe 38 PID 1252 wrote to memory of 2364 1252 Kmaego32.exe 38 PID 2364 wrote to memory of 2484 2364 Lpbnijic.exe 39 PID 2364 wrote to memory of 2484 2364 Lpbnijic.exe 39 PID 2364 wrote to memory of 2484 2364 Lpbnijic.exe 39 PID 2364 wrote to memory of 2484 2364 Lpbnijic.exe 39 PID 2484 wrote to memory of 2796 2484 Lglfed32.exe 40 PID 2484 wrote to memory of 2796 2484 Lglfed32.exe 40 PID 2484 wrote to memory of 2796 2484 Lglfed32.exe 40 PID 2484 wrote to memory of 2796 2484 Lglfed32.exe 40 PID 2796 wrote to memory of 2924 2796 Lgobkdom.exe 41 PID 2796 wrote to memory of 2924 2796 Lgobkdom.exe 41 PID 2796 wrote to memory of 2924 2796 Lgobkdom.exe 41 PID 2796 wrote to memory of 2924 2796 Lgobkdom.exe 41 PID 2924 wrote to memory of 908 2924 Ledplq32.exe 42 PID 2924 wrote to memory of 908 2924 Ledplq32.exe 42 PID 2924 wrote to memory of 908 2924 Ledplq32.exe 42 PID 2924 wrote to memory of 908 2924 Ledplq32.exe 42 PID 908 wrote to memory of 1572 908 Lplqoiai.exe 43 PID 908 wrote to memory of 1572 908 Lplqoiai.exe 43 PID 908 wrote to memory of 1572 908 Lplqoiai.exe 43 PID 908 wrote to memory of 1572 908 Lplqoiai.exe 43 PID 1572 wrote to memory of 2420 1572 Mhgeckoc.exe 44 PID 1572 wrote to memory of 2420 1572 Mhgeckoc.exe 44 PID 1572 wrote to memory of 2420 1572 Mhgeckoc.exe 44 PID 1572 wrote to memory of 2420 1572 Mhgeckoc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe"C:\Users\Admin\AppData\Local\Temp\8e32766237500465da08a37f2e8150935fbb31a07509da117d472a80f19aa26b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Jfecfb32.exeC:\Windows\system32\Jfecfb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Jakhckdb.exeC:\Windows\system32\Jakhckdb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Jjfiap32.exeC:\Windows\system32\Jjfiap32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Kpbajggh.exeC:\Windows\system32\Kpbajggh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Kliboh32.exeC:\Windows\system32\Kliboh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Kpgkef32.exeC:\Windows\system32\Kpgkef32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Kedcmm32.exeC:\Windows\system32\Kedcmm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Kheloh32.exeC:\Windows\system32\Kheloh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kmaego32.exeC:\Windows\system32\Kmaego32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Lpbnijic.exeC:\Windows\system32\Lpbnijic.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Lglfed32.exeC:\Windows\system32\Lglfed32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Lgobkdom.exeC:\Windows\system32\Lgobkdom.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ledplq32.exeC:\Windows\system32\Ledplq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Lplqoiai.exeC:\Windows\system32\Lplqoiai.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Mhgeckoc.exeC:\Windows\system32\Mhgeckoc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Mdnfhldh.exeC:\Windows\system32\Mdnfhldh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Mhlonk32.exeC:\Windows\system32\Mhlonk32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Mnhgga32.exeC:\Windows\system32\Mnhgga32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Mpgccm32.exeC:\Windows\system32\Mpgccm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Mjohlb32.exeC:\Windows\system32\Mjohlb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Mnkdlagc.exeC:\Windows\system32\Mnkdlagc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Mdelik32.exeC:\Windows\system32\Mdelik32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Mkodfeem.exeC:\Windows\system32\Mkodfeem.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Nlpamn32.exeC:\Windows\system32\Nlpamn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Nfhefc32.exeC:\Windows\system32\Nfhefc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Noajoihl.exeC:\Windows\system32\Noajoihl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Nghbpfin.exeC:\Windows\system32\Nghbpfin.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Nqpfil32.exeC:\Windows\system32\Nqpfil32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Ncobeg32.exeC:\Windows\system32\Ncobeg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Nmggnm32.exeC:\Windows\system32\Nmggnm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Ncaokgmp.exeC:\Windows\system32\Ncaokgmp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Nkldoijk.exeC:\Windows\system32\Nkldoijk.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Nnkpkdio.exeC:\Windows\system32\Nnkpkdio.exe34⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Oddhho32.exeC:\Windows\system32\Oddhho32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Obiiacpe.exeC:\Windows\system32\Obiiacpe.exe36⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ojdnfemp.exeC:\Windows\system32\Ojdnfemp.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Oeibcnmf.exeC:\Windows\system32\Oeibcnmf.exe38⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Omdfgq32.exeC:\Windows\system32\Omdfgq32.exe39⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Oeloin32.exeC:\Windows\system32\Oeloin32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Ofmkpfqa.exeC:\Windows\system32\Ofmkpfqa.exe41⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Omgcmp32.exeC:\Windows\system32\Omgcmp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Opepik32.exeC:\Windows\system32\Opepik32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Ofohfeoo.exeC:\Windows\system32\Ofohfeoo.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Ojkcfdgh.exeC:\Windows\system32\Ojkcfdgh.exe45⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Paelcn32.exeC:\Windows\system32\Paelcn32.exe46⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Pcchoj32.exeC:\Windows\system32\Pcchoj32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Pjmqldee.exeC:\Windows\system32\Pjmqldee.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Pmlmhodi.exeC:\Windows\system32\Pmlmhodi.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Pceeei32.exeC:\Windows\system32\Pceeei32.exe50⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Pegalaad.exeC:\Windows\system32\Pegalaad.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Plqjilia.exeC:\Windows\system32\Plqjilia.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Pnofeghe.exeC:\Windows\system32\Pnofeghe.exe53⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pbkbff32.exeC:\Windows\system32\Pbkbff32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Piejbpgk.exeC:\Windows\system32\Piejbpgk.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Pnabkgfb.exeC:\Windows\system32\Pnabkgfb.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Pekkga32.exeC:\Windows\system32\Pekkga32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Plecdk32.exeC:\Windows\system32\Plecdk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Pndoqf32.exeC:\Windows\system32\Pndoqf32.exe59⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Pabkmb32.exeC:\Windows\system32\Pabkmb32.exe60⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Qhldiljp.exeC:\Windows\system32\Qhldiljp.exe61⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Qjkpegic.exeC:\Windows\system32\Qjkpegic.exe62⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Qadhba32.exeC:\Windows\system32\Qadhba32.exe63⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Qhoqolhm.exeC:\Windows\system32\Qhoqolhm.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Qohilfpj.exeC:\Windows\system32\Qohilfpj.exe65⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Qagehaon.exeC:\Windows\system32\Qagehaon.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Adeadmna.exeC:\Windows\system32\Adeadmna.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Ajoiqg32.exeC:\Windows\system32\Ajoiqg32.exe68⤵PID:1984
-
C:\Windows\SysWOW64\Amnemb32.exeC:\Windows\system32\Amnemb32.exe69⤵PID:880
-
C:\Windows\SysWOW64\Abjnei32.exeC:\Windows\system32\Abjnei32.exe70⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Affjehkb.exeC:\Windows\system32\Affjehkb.exe71⤵PID:836
-
C:\Windows\SysWOW64\Alcbno32.exeC:\Windows\system32\Alcbno32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Abmkjiqg.exeC:\Windows\system32\Abmkjiqg.exe73⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Aigcgc32.exeC:\Windows\system32\Aigcgc32.exe74⤵PID:2824
-
C:\Windows\SysWOW64\Aleoco32.exeC:\Windows\system32\Aleoco32.exe75⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Afkcqg32.exeC:\Windows\system32\Afkcqg32.exe76⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Aiipmb32.exeC:\Windows\system32\Aiipmb32.exe77⤵PID:2248
-
C:\Windows\SysWOW64\Apchim32.exeC:\Windows\system32\Apchim32.exe78⤵PID:1644
-
C:\Windows\SysWOW64\Abadeh32.exeC:\Windows\system32\Abadeh32.exe79⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Aillbbdn.exeC:\Windows\system32\Aillbbdn.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Bohejibe.exeC:\Windows\system32\Bohejibe.exe81⤵PID:2304
-
C:\Windows\SysWOW64\Bebmgc32.exeC:\Windows\system32\Bebmgc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Bkoepj32.exeC:\Windows\system32\Bkoepj32.exe83⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Bainld32.exeC:\Windows\system32\Bainld32.exe84⤵PID:596
-
C:\Windows\SysWOW64\Bdgjhp32.exeC:\Windows\system32\Bdgjhp32.exe85⤵PID:608
-
C:\Windows\SysWOW64\Bkabejfg.exeC:\Windows\system32\Bkabejfg.exe86⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Bpnkmadn.exeC:\Windows\system32\Bpnkmadn.exe87⤵PID:2076
-
C:\Windows\SysWOW64\Bhecnndq.exeC:\Windows\system32\Bhecnndq.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Bkdokjdd.exeC:\Windows\system32\Bkdokjdd.exe89⤵PID:2732
-
C:\Windows\SysWOW64\Bnbkgech.exeC:\Windows\system32\Bnbkgech.exe90⤵PID:2876
-
C:\Windows\SysWOW64\Bpqgcq32.exeC:\Windows\system32\Bpqgcq32.exe91⤵PID:2728
-
C:\Windows\SysWOW64\Bcodol32.exeC:\Windows\system32\Bcodol32.exe92⤵PID:2256
-
C:\Windows\SysWOW64\Bkflpi32.exeC:\Windows\system32\Bkflpi32.exe93⤵PID:2308
-
C:\Windows\SysWOW64\Blghhahp.exeC:\Windows\system32\Blghhahp.exe94⤵PID:2044
-
C:\Windows\SysWOW64\Bdopiohb.exeC:\Windows\system32\Bdopiohb.exe95⤵PID:1740
-
C:\Windows\SysWOW64\Cfpmqg32.exeC:\Windows\system32\Cfpmqg32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Cpeanp32.exeC:\Windows\system32\Cpeanp32.exe97⤵PID:1384
-
C:\Windows\SysWOW64\Cccmjkmj.exeC:\Windows\system32\Cccmjkmj.exe98⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Cjnege32.exeC:\Windows\system32\Cjnege32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Cllaca32.exeC:\Windows\system32\Cllaca32.exe100⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Cojnol32.exeC:\Windows\system32\Cojnol32.exe101⤵PID:1620
-
C:\Windows\SysWOW64\Ccfjpkkg.exeC:\Windows\system32\Ccfjpkkg.exe102⤵PID:1352
-
C:\Windows\SysWOW64\Cfdflfjk.exeC:\Windows\system32\Cfdflfjk.exe103⤵PID:1724
-
C:\Windows\SysWOW64\Chcbhbio.exeC:\Windows\system32\Chcbhbio.exe104⤵PID:2888
-
C:\Windows\SysWOW64\Ckaodmhb.exeC:\Windows\system32\Ckaodmhb.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Cbkgqgpo.exeC:\Windows\system32\Cbkgqgpo.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Cheoma32.exeC:\Windows\system32\Cheoma32.exe107⤵PID:1944
-
C:\Windows\SysWOW64\Clqknppe.exeC:\Windows\system32\Clqknppe.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Coogjloi.exeC:\Windows\system32\Coogjloi.exe109⤵
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Cfipgf32.exeC:\Windows\system32\Cfipgf32.exe110⤵PID:1208
-
C:\Windows\SysWOW64\Ckfhom32.exeC:\Windows\system32\Ckfhom32.exe111⤵PID:308
-
C:\Windows\SysWOW64\Cnddkh32.exeC:\Windows\system32\Cnddkh32.exe112⤵PID:1916
-
C:\Windows\SysWOW64\Dqcqgc32.exeC:\Windows\system32\Dqcqgc32.exe113⤵PID:1060
-
C:\Windows\SysWOW64\Dgmidn32.exeC:\Windows\system32\Dgmidn32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Djkepi32.exeC:\Windows\system32\Djkepi32.exe115⤵PID:952
-
C:\Windows\SysWOW64\Dqemmcqb.exeC:\Windows\system32\Dqemmcqb.exe116⤵PID:2700
-
C:\Windows\SysWOW64\Dcciiope.exeC:\Windows\system32\Dcciiope.exe117⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Dkkajlph.exeC:\Windows\system32\Dkkajlph.exe118⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Dninfgol.exeC:\Windows\system32\Dninfgol.exe119⤵PID:2936
-
C:\Windows\SysWOW64\Dcffonnc.exeC:\Windows\system32\Dcffonnc.exe120⤵PID:1444
-
C:\Windows\SysWOW64\Dfdbkj32.exeC:\Windows\system32\Dfdbkj32.exe121⤵PID:2536
-
C:\Windows\SysWOW64\Dmnkgddc.exeC:\Windows\system32\Dmnkgddc.exe122⤵
- Modifies registry class
PID:2456