Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-09-2024 20:01
Behavioral task
behavioral1
Sample
8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe
-
Size
208KB
-
MD5
e866ae4f2f856259acaa2d6653d409a0
-
SHA1
e599353b16320d9097ebc4611d7359130419d466
-
SHA256
8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fd
-
SHA512
4138a0864832ea2252b8dad5b7d26c2f779003e947c9258153a05d298fd0b72041f75eab5ebb82ffa23ccf736b7dcb67b4831501226bed85ab135fbf7303d0d9
-
SSDEEP
3072:qcGZ+6TuC/6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:qc6TJy+Eu6QnFw5+0pU8b
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbkhabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djeljd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnlpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddcimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofaolcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plndcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdpohodn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjlgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjjkhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jngkdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmfgkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffboohnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fppmcmah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckjmpko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcncbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfchqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpehd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdepmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clclhmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcimhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obcffefa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmklak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liblfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gckfpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijidfpci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inplqlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjpmdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomdoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbkmdah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnokdaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqjqehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdbbnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qncfphff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebicee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knaeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhfjadim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boobki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnlndkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekghcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikokf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkjgckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfekec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hclhjpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppgcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceapl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjhbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liblfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmmcjjd.exe -
Executes dropped EXE 64 IoCs
pid Process 2808 Cgdqpq32.exe 2568 Dgfmep32.exe 2772 Djgfgkbo.exe 2548 Dfngll32.exe 2044 Dfpcblfp.exe 732 Dphhka32.exe 632 Enneln32.exe 2212 Eejjnhgc.exe 2960 Ejioln32.exe 2872 Ehmpeb32.exe 1248 Ephdjeol.exe 1464 Fiqibj32.exe 2232 Flabdecn.exe 1072 Fpokjd32.exe 3056 Fhjoof32.exe 1596 Fhmldfdm.exe 2404 Geqlnjcf.exe 812 Goiafp32.exe 1824 Gibbgmfe.exe 1744 Gckfpc32.exe 776 Gieommdc.exe 2080 Gdjcjf32.exe 2180 Gncgbkki.exe 852 Hijhhl32.exe 1592 Haemloni.exe 1316 Hljaigmo.exe 2784 Hajfgnjc.exe 2836 Hgfooe32.exe 2556 Hhfkihon.exe 2100 Ijidfpci.exe 2468 Idohdhbo.exe 3028 Ijlaloaf.exe 2948 Iianmlfn.exe 2392 Ijqjgo32.exe 2800 Ikagogco.exe 2940 Iejkhlip.exe 2852 Jfjhbo32.exe 1924 Jnemfa32.exe 2224 Jijacjnc.exe 3044 Jbcelp32.exe 968 Jnifaajh.exe 2328 Jfekec32.exe 612 Jajocl32.exe 2132 Kiecgo32.exe 1856 Kbnhpdke.exe 2396 Mehpga32.exe 1208 Maoalb32.exe 1936 Mkibjgli.exe 1928 Ngpcohbm.exe 2720 Njnokdaq.exe 2596 Nddcimag.exe 2696 Nknkeg32.exe 1228 Ndfpnl32.exe 1672 Njchfc32.exe 2448 Nqpmimbe.exe 2276 Nbqjqehd.exe 2972 Nhkbmo32.exe 2280 Obcffefa.exe 832 Ooggpiek.exe 2464 Ofaolcmh.exe 2024 Onldqejb.exe 1888 Ogdhik32.exe 1804 Objmgd32.exe 1732 Ockinl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2692 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe 2692 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe 2808 Cgdqpq32.exe 2808 Cgdqpq32.exe 2568 Dgfmep32.exe 2568 Dgfmep32.exe 2772 Djgfgkbo.exe 2772 Djgfgkbo.exe 2548 Dfngll32.exe 2548 Dfngll32.exe 2044 Dfpcblfp.exe 2044 Dfpcblfp.exe 732 Dphhka32.exe 732 Dphhka32.exe 632 Enneln32.exe 632 Enneln32.exe 2212 Eejjnhgc.exe 2212 Eejjnhgc.exe 2960 Ejioln32.exe 2960 Ejioln32.exe 2872 Ehmpeb32.exe 2872 Ehmpeb32.exe 1248 Ephdjeol.exe 1248 Ephdjeol.exe 1464 Fiqibj32.exe 1464 Fiqibj32.exe 2232 Flabdecn.exe 2232 Flabdecn.exe 1072 Fpokjd32.exe 1072 Fpokjd32.exe 3056 Fhjoof32.exe 3056 Fhjoof32.exe 1596 Fhmldfdm.exe 1596 Fhmldfdm.exe 2404 Geqlnjcf.exe 2404 Geqlnjcf.exe 812 Goiafp32.exe 812 Goiafp32.exe 1824 Gibbgmfe.exe 1824 Gibbgmfe.exe 1744 Gckfpc32.exe 1744 Gckfpc32.exe 776 Gieommdc.exe 776 Gieommdc.exe 2080 Gdjcjf32.exe 2080 Gdjcjf32.exe 2180 Gncgbkki.exe 2180 Gncgbkki.exe 852 Hijhhl32.exe 852 Hijhhl32.exe 1592 Haemloni.exe 1592 Haemloni.exe 1676 Hhaanh32.exe 1676 Hhaanh32.exe 2784 Hajfgnjc.exe 2784 Hajfgnjc.exe 2836 Hgfooe32.exe 2836 Hgfooe32.exe 2556 Hhfkihon.exe 2556 Hhfkihon.exe 2100 Ijidfpci.exe 2100 Ijidfpci.exe 2468 Idohdhbo.exe 2468 Idohdhbo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pgibdjln.exe Onamle32.exe File created C:\Windows\SysWOW64\Dpcnbn32.exe Dcpmijqc.exe File created C:\Windows\SysWOW64\Jneoojeb.exe Jldbgb32.exe File created C:\Windows\SysWOW64\Bhnmcp32.dll Dpcnbn32.exe File opened for modification C:\Windows\SysWOW64\Ofaolcmh.exe Ooggpiek.exe File created C:\Windows\SysWOW64\Nqjmmm32.dll Lchqcd32.exe File opened for modification C:\Windows\SysWOW64\Alofnj32.exe Afbnec32.exe File created C:\Windows\SysWOW64\Eonkgg32.dll Ahhchk32.exe File created C:\Windows\SysWOW64\Qdpohodn.exe Qncfphff.exe File created C:\Windows\SysWOW64\Fmddgg32.exe Fjfhkl32.exe File created C:\Windows\SysWOW64\Cnhgnpbp.dll Lamjph32.exe File created C:\Windows\SysWOW64\Qmpebb32.dll Kjhfjpdd.exe File created C:\Windows\SysWOW64\Cncolfcl.exe Boobki32.exe File opened for modification C:\Windows\SysWOW64\Dqfabdaf.exe Dkjhjm32.exe File created C:\Windows\SysWOW64\Lcncbc32.exe Ljeoimeg.exe File created C:\Windows\SysWOW64\Lakfjp32.dll Liblfl32.exe File created C:\Windows\SysWOW64\Aegqok32.dll Gfgdij32.exe File created C:\Windows\SysWOW64\Kfopdk32.exe Kikokf32.exe File opened for modification C:\Windows\SysWOW64\Npkfff32.exe Nknnnoph.exe File created C:\Windows\SysWOW64\Agflga32.dll Pfqlkfoc.exe File created C:\Windows\SysWOW64\Najgacfg.dll Jbedkhie.exe File created C:\Windows\SysWOW64\Kqmnadlk.exe Knoaeimg.exe File opened for modification C:\Windows\SysWOW64\Ngpcohbm.exe Mkibjgli.exe File created C:\Windows\SysWOW64\Ifhfbgmj.dll Cceapl32.exe File opened for modification C:\Windows\SysWOW64\Jkopndcb.exe Jcckibfg.exe File opened for modification C:\Windows\SysWOW64\Aalofa32.exe Alofnj32.exe File created C:\Windows\SysWOW64\Ncqodedk.dll Ekpkhkji.exe File created C:\Windows\SysWOW64\Dnonkf32.dll Fhmldfdm.exe File created C:\Windows\SysWOW64\Njnokdaq.exe Ngpcohbm.exe File created C:\Windows\SysWOW64\Hkagib32.dll Ockinl32.exe File opened for modification C:\Windows\SysWOW64\Hdbbnd32.exe Hmijajbd.exe File created C:\Windows\SysWOW64\Pjcpccaf.dll Qncfphff.exe File created C:\Windows\SysWOW64\Dqddmd32.exe Dglpdomh.exe File created C:\Windows\SysWOW64\Alofnj32.exe Afbnec32.exe File created C:\Windows\SysWOW64\Odffndaf.dll Engjkeab.exe File created C:\Windows\SysWOW64\Npdbjl32.dll Jopbnn32.exe File opened for modification C:\Windows\SysWOW64\Jbcelp32.exe Jijacjnc.exe File opened for modification C:\Windows\SysWOW64\Kbnhpdke.exe Kiecgo32.exe File created C:\Windows\SysWOW64\Dbnddjom.dll Eqcjaa32.exe File created C:\Windows\SysWOW64\Fblljhbo.exe Fladmn32.exe File created C:\Windows\SysWOW64\Bdedod32.dll Maoalb32.exe File created C:\Windows\SysWOW64\Mdepmh32.exe Lilomj32.exe File created C:\Windows\SysWOW64\Lmdekl32.dll Gnicoh32.exe File created C:\Windows\SysWOW64\Fkfcmj32.dll Ppgcol32.exe File created C:\Windows\SysWOW64\Befnbd32.exe Bkqiek32.exe File created C:\Windows\SysWOW64\Gmaonc32.dll Dhgccbhp.exe File created C:\Windows\SysWOW64\Mpfbjp32.dll Fijnabef.exe File created C:\Windows\SysWOW64\Nknnnoph.exe Nafiej32.exe File opened for modification C:\Windows\SysWOW64\Dbejjfek.exe Dpcnbn32.exe File created C:\Windows\SysWOW64\Hflndjin.exe Gdmbhnjj.exe File opened for modification C:\Windows\SysWOW64\Knoaeimg.exe Kcimhpma.exe File created C:\Windows\SysWOW64\Qgdecm32.dll Lmfgkh32.exe File created C:\Windows\SysWOW64\Fqffgapf.exe Engjkeab.exe File opened for modification C:\Windows\SysWOW64\Hclhjpjc.exe Hpnlndkp.exe File created C:\Windows\SysWOW64\Hechkfkc.exe Hlkcbp32.exe File created C:\Windows\SysWOW64\Gieommdc.exe Gckfpc32.exe File created C:\Windows\SysWOW64\Qeegim32.dll Iejkhlip.exe File created C:\Windows\SysWOW64\Dlijkoid.dll Mkibjgli.exe File created C:\Windows\SysWOW64\Hdpehd32.exe Hmfmkjdf.exe File opened for modification C:\Windows\SysWOW64\Dhdfmbjc.exe Cbjnqh32.exe File created C:\Windows\SysWOW64\Heakefnf.exe Hlhfmqge.exe File created C:\Windows\SysWOW64\Liaeleak.exe Lpiacp32.exe File created C:\Windows\SysWOW64\Bgdkfk32.dll Goiafp32.exe File created C:\Windows\SysWOW64\Alhina32.dll Gieommdc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2760 3988 WerFault.exe 337 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbbcail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liblfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkenikc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcdbcloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fladmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnenk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flabdecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpniokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlkcbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcncbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meffjjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfpnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqcjaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgdij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffboohnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkfqlpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmklak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdidmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njchfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljcbcngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncolfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqddmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppmcmah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfnhnfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojipjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcnbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijacjnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaflgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nokqidll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmmcjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmijqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqamla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamifcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpmimbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilgjhena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbakpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmpebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfopdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlepioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkqiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmbhnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Engjkeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngkdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnoegaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malmllfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghekhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqffgapf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaljjdj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddmchcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okfampdd.dll" Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfegp32.dll" Dbejjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noaapcbf.dll" Ffboohnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dehdbhgg.dll" Hljaigmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbmnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfaljjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkng32.dll" Ilifndlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnlpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbakpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll" Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hajfgnjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll" Ekghcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqokgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meffjjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iianmlfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckenobm.dll" Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inmpklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooggpiek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdpohodn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikggmnae.dll" Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlpei32.dll" Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdepmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahhchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhina32.dll" Gieommdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idohdhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfddkmch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghpkbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnejdq32.dll" Ikagogco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aflhek32.dll" Hehhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekpkhkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njchfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbabqihk.dll" Mlmaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Golgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipddpjfp.dll" Inkcem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eomdoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbipdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmaqgaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcgqbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mifkfhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hajfgnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmddgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heakefnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abjeejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgmjdaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odffndaf.dll" Engjkeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiakkcma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfhi32.dll" Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll" Clclhmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fblljhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqoljf32.dll" Ofaolcmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpnlndkp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2808 2692 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe 30 PID 2692 wrote to memory of 2808 2692 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe 30 PID 2692 wrote to memory of 2808 2692 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe 30 PID 2692 wrote to memory of 2808 2692 8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe 30 PID 2808 wrote to memory of 2568 2808 Cgdqpq32.exe 31 PID 2808 wrote to memory of 2568 2808 Cgdqpq32.exe 31 PID 2808 wrote to memory of 2568 2808 Cgdqpq32.exe 31 PID 2808 wrote to memory of 2568 2808 Cgdqpq32.exe 31 PID 2568 wrote to memory of 2772 2568 Dgfmep32.exe 32 PID 2568 wrote to memory of 2772 2568 Dgfmep32.exe 32 PID 2568 wrote to memory of 2772 2568 Dgfmep32.exe 32 PID 2568 wrote to memory of 2772 2568 Dgfmep32.exe 32 PID 2772 wrote to memory of 2548 2772 Djgfgkbo.exe 33 PID 2772 wrote to memory of 2548 2772 Djgfgkbo.exe 33 PID 2772 wrote to memory of 2548 2772 Djgfgkbo.exe 33 PID 2772 wrote to memory of 2548 2772 Djgfgkbo.exe 33 PID 2548 wrote to memory of 2044 2548 Dfngll32.exe 34 PID 2548 wrote to memory of 2044 2548 Dfngll32.exe 34 PID 2548 wrote to memory of 2044 2548 Dfngll32.exe 34 PID 2548 wrote to memory of 2044 2548 Dfngll32.exe 34 PID 2044 wrote to memory of 732 2044 Dfpcblfp.exe 35 PID 2044 wrote to memory of 732 2044 Dfpcblfp.exe 35 PID 2044 wrote to memory of 732 2044 Dfpcblfp.exe 35 PID 2044 wrote to memory of 732 2044 Dfpcblfp.exe 35 PID 732 wrote to memory of 632 732 Dphhka32.exe 36 PID 732 wrote to memory of 632 732 Dphhka32.exe 36 PID 732 wrote to memory of 632 732 Dphhka32.exe 36 PID 732 wrote to memory of 632 732 Dphhka32.exe 36 PID 632 wrote to memory of 2212 632 Enneln32.exe 37 PID 632 wrote to memory of 2212 632 Enneln32.exe 37 PID 632 wrote to memory of 2212 632 Enneln32.exe 37 PID 632 wrote to memory of 2212 632 Enneln32.exe 37 PID 2212 wrote to memory of 2960 2212 Eejjnhgc.exe 38 PID 2212 wrote to memory of 2960 2212 Eejjnhgc.exe 38 PID 2212 wrote to memory of 2960 2212 Eejjnhgc.exe 38 PID 2212 wrote to memory of 2960 2212 Eejjnhgc.exe 38 PID 2960 wrote to memory of 2872 2960 Ejioln32.exe 39 PID 2960 wrote to memory of 2872 2960 Ejioln32.exe 39 PID 2960 wrote to memory of 2872 2960 Ejioln32.exe 39 PID 2960 wrote to memory of 2872 2960 Ejioln32.exe 39 PID 2872 wrote to memory of 1248 2872 Ehmpeb32.exe 40 PID 2872 wrote to memory of 1248 2872 Ehmpeb32.exe 40 PID 2872 wrote to memory of 1248 2872 Ehmpeb32.exe 40 PID 2872 wrote to memory of 1248 2872 Ehmpeb32.exe 40 PID 1248 wrote to memory of 1464 1248 Ephdjeol.exe 41 PID 1248 wrote to memory of 1464 1248 Ephdjeol.exe 41 PID 1248 wrote to memory of 1464 1248 Ephdjeol.exe 41 PID 1248 wrote to memory of 1464 1248 Ephdjeol.exe 41 PID 1464 wrote to memory of 2232 1464 Fiqibj32.exe 42 PID 1464 wrote to memory of 2232 1464 Fiqibj32.exe 42 PID 1464 wrote to memory of 2232 1464 Fiqibj32.exe 42 PID 1464 wrote to memory of 2232 1464 Fiqibj32.exe 42 PID 2232 wrote to memory of 1072 2232 Flabdecn.exe 43 PID 2232 wrote to memory of 1072 2232 Flabdecn.exe 43 PID 2232 wrote to memory of 1072 2232 Flabdecn.exe 43 PID 2232 wrote to memory of 1072 2232 Flabdecn.exe 43 PID 1072 wrote to memory of 3056 1072 Fpokjd32.exe 44 PID 1072 wrote to memory of 3056 1072 Fpokjd32.exe 44 PID 1072 wrote to memory of 3056 1072 Fpokjd32.exe 44 PID 1072 wrote to memory of 3056 1072 Fpokjd32.exe 44 PID 3056 wrote to memory of 1596 3056 Fhjoof32.exe 45 PID 3056 wrote to memory of 1596 3056 Fhjoof32.exe 45 PID 3056 wrote to memory of 1596 3056 Fhjoof32.exe 45 PID 3056 wrote to memory of 1596 3056 Fhjoof32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe"C:\Users\Admin\AppData\Local\Temp\8bfa9882125e919850c58d55d67b9522de59fbd2685ae982823fa0885437a2fdN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Fpokjd32.exeC:\Windows\system32\Fpokjd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Hljaigmo.exeC:\Windows\system32\Hljaigmo.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe28⤵
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Ijlaloaf.exeC:\Windows\system32\Ijlaloaf.exe34⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe36⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe40⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Jijacjnc.exeC:\Windows\system32\Jijacjnc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe42⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe43⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe45⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe47⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe59⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ooggpiek.exeC:\Windows\system32\Ooggpiek.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe63⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe64⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe65⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe67⤵
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe68⤵PID:276
-
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1260 -
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe70⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe72⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Plndcmmj.exeC:\Windows\system32\Plndcmmj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Pfchqf32.exeC:\Windows\system32\Pfchqf32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe75⤵PID:1996
-
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe76⤵
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe77⤵PID:2944
-
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Aaflgb32.exeC:\Windows\system32\Aaflgb32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Abjeejep.exeC:\Windows\system32\Abjeejep.exe82⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe83⤵PID:2420
-
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe85⤵PID:592
-
C:\Windows\SysWOW64\Bogljj32.exeC:\Windows\system32\Bogljj32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe87⤵PID:1660
-
C:\Windows\SysWOW64\Bojipjcj.exeC:\Windows\system32\Bojipjcj.exe88⤵
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe89⤵PID:856
-
C:\Windows\SysWOW64\Bkqiek32.exeC:\Windows\system32\Bkqiek32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe91⤵PID:2896
-
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe93⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe95⤵
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:336 -
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:528 -
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe98⤵
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe99⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe100⤵PID:2436
-
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe101⤵PID:2488
-
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe102⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe103⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe104⤵PID:2724
-
C:\Windows\SysWOW64\Ddmchcnd.exeC:\Windows\system32\Ddmchcnd.exe105⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe106⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Dqfabdaf.exeC:\Windows\system32\Dqfabdaf.exe109⤵PID:2920
-
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe110⤵PID:1120
-
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe111⤵PID:2312
-
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe112⤵PID:1356
-
C:\Windows\SysWOW64\Ekghcq32.exeC:\Windows\system32\Ekghcq32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Epeajo32.exeC:\Windows\system32\Epeajo32.exe114⤵PID:2648
-
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe115⤵PID:1780
-
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe116⤵
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe117⤵PID:1384
-
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe118⤵PID:1516
-
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe119⤵PID:1816
-
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe120⤵PID:2864
-
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe121⤵
- Drops file in System32 directory
PID:2072
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-