Analysis
max time kernel: 51s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 15:07
Static task: static1
Behavioral task: behavioral1
  Sample: b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324eN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324eN.exe
  Resource: win10v2004-20240802-en
General
Target: b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324eN.exe
Size: 98KB
MD5: a9f44665a7714ddbf133f0ce1ec63e10
SHA1: d7ac3ac9b17042d6a152ec0c5a9314ea482a58a7
SHA256: b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324e
SHA512: e06e2fc0dfb0eb9a1935de8d263590853dc22d89fe8629effabb1f6688e8a8d6ab33f4b087b7e67b1a20af69fda11076e62dd35c77f26240857d1a8aca87f53c
SSDEEP: 3072:pnXiNIaeyJflT2ZcQzEzeFKPD375lHzpa1P:NXiN9lTvKEzeYr75lHzpaF
Malware Config
Extracted: berbew
URL templates (shown exactly as extracted from the sample; the printf-style format specifiers in the last one are filled in at runtime):
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad (SSODL) when the shell starts, so the value written below makes the in-process server DLL registered for {79FAA099-1BAE-816E-D711-115290CEE717} load inside Explorer at each logon. The same value name and CLSID are written by 40 different dropped executables; the DLL path behind that CLSID is rewritten repeatedly by later processes in the chain (see the registry class writes below).

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by 24 processes:
Ggicdo32.exe, Lqdfmihh.exe, Nmlcbafa.exe, Cpojcpcm.exe, Eopbooqb.exe, Ocbekmpi.exe, Cijmjn32.exe, Liddljan.exe, Fgbpmh32.exe, Fqhegf32.exe, Gefjlg32.exe, Jelbqg32.exe, Ihgcof32.exe, Halkahoo.exe, Dhnahl32.exe, Kckeno32.exe, Cnlcoage.exe, Nmlekj32.exe, Lmbcmo32.exe, Madbll32.exe, Qhoeqide.exe, Cmcjldbf.exe, Hfpijngn.exe, Olcoaf32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}", by 40 processes:
Idjjih32.exe, Cfnmhnhm.exe, Llpajmkq.exe, Opghmjfg.exe, Opmnle32.exe, Ghkbepop.exe, Ljlhme32.exe, Nldgdpjf.exe, Ahfkah32.exe, Dglmmf32.exe, Babpgo32.exe, Ekqqea32.exe, Genkhidc.exe, Acfpilmp.exe, Ckeekp32.exe, Nlibhhme.exe, Kehidp32.exe, Laacmc32.exe, Poplqm32.exe, Noffadai.exe, Oodhca32.exe, Bmndbb32.exe, Iccqedfa.exe, Pkebig32.exe, Gmipmlan.exe, Jkhhpeka.exe, Boggkicf.exe, Bclbhkdj.exe, Jgmnhojl.exe, Qfegakmc.exe, Dlgjie32.exe, Lqnbffkn.exe, Jodfilko.exe, Fpnekc32.exe, Lkjadh32.exe, Mpnhhh32.exe, Nbnajcig.exe, Pockoeeg.exe, Kpgpfdoj.exe, Hglobj32.exe
Executes dropped EXE (64 IoCs)
pid Process:
1160 Bigpdjpm.exe, 2672 Bpahad32.exe, 2828 Bhoikfbb.exe, 2972 Bagncl32.exe, 2744 Cpogjh32.exe, 2648 Cfnmhnhm.exe, 1732 Cfpinnfj.exe, 3060 Dcdjgbed.exe, 2140 Dlokegib.exe, 616 Ddjpjj32.exe, 2668 Djiegp32.exe, 2908 Ejkampao.exe, 908 Ecfcle32.exe, 1716 Echpaecj.exe, 1820 Elfakg32.exe, 2136 Fenedlec.exe, 1664 Fnifbaja.exe, 696 Fcfojhhh.exe, 1052 Fhdhqg32.exe, 2348 Ffiebc32.exe, 832 Gmcmomjc.exe, 1800 Glhjpjok.exe, 1108 Gmhfjm32.exe, 1724 Glmckikf.exe, 1496 Gbglgcbc.exe, 2500 Hlamfh32.exe, 2708 Hhkjpi32.exe, 1696 Hcdkagga.exe, 2684 Hcghffen.exe, 2704 Iomhkgkb.exe, 2636 Jbgdcapi.exe, 3052 Jmaedolh.exe, 2384 Jflfbdqe.exe, 2064 Jqakompl.exe, 2644 Jofhqiec.exe, 2432 Kmjhjndm.exe, 2756 Kkpekjie.exe, 2932 Kehidp32.exe, 684 Kgibeklf.exe, 2520 Kfnpgg32.exe, 2144 Ljlhme32.exe, 2400 Lpiqel32.exe, 1120 Lfbibfmi.exe, 3016 Llpajmkq.exe, 1908 Lbijgg32.exe, 1268 Llbnpm32.exe, 2404 Lejbhbpn.exe, 2012 Lldkem32.exe, 2332 Laacmc32.exe, 836 Mkihfi32.exe, 3064 Meolcb32.exe, 1596 Mkldli32.exe, 1824 Meaiia32.exe, 2596 Mknaahhn.exe, 2632 Mkqnghfk.exe, 2104 Mclbkjcf.exe, 2524 Nldgdpjf.exe, 1236 Ngikaijm.exe, 1864 Nlfdjphd.exe, 1520 Nijdcdgn.exe, 3004 Neaehelb.exe, 2352 Nlkmeo32.exe, 108 Necandjo.exe, 1612 Nkpjfkhf.exe
Loads dropped DLL (64 IoCs)
pid Process (each pid appears twice in the report, one row per load event; the duplicates are collapsed here):
2960 b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324eN.exe, 1160 Bigpdjpm.exe, 2672 Bpahad32.exe, 2828 Bhoikfbb.exe, 2972 Bagncl32.exe, 2744 Cpogjh32.exe, 2648 Cfnmhnhm.exe, 1732 Cfpinnfj.exe, 3060 Dcdjgbed.exe, 2140 Dlokegib.exe, 616 Ddjpjj32.exe, 2668 Djiegp32.exe, 2908 Ejkampao.exe, 908 Ecfcle32.exe, 1716 Echpaecj.exe, 1820 Elfakg32.exe, 2136 Fenedlec.exe, 1664 Fnifbaja.exe, 696 Fcfojhhh.exe, 1052 Fhdhqg32.exe, 2348 Ffiebc32.exe, 832 Gmcmomjc.exe, 1800 Glhjpjok.exe, 1108 Gmhfjm32.exe, 1724 Glmckikf.exe, 1496 Gbglgcbc.exe, 2372 Hdmajkdl.exe, 2708 Hhkjpi32.exe, 1696 Hcdkagga.exe, 2684 Hcghffen.exe, 2704 Iomhkgkb.exe, 2636 Jbgdcapi.exe
Drops file in System32 directory (64 IoCs)
ioc is the path written under the 32-bit system directory; Process is the writer.

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Pkebig32.exe | Pcjmdd32.exe |
| File created | C:\Windows\SysWOW64\Pdpcgl32.exe | Pockoeeg.exe |
| File created | C:\Windows\SysWOW64\Adggon32.dll | Cefkkk32.exe |
| File created | C:\Windows\SysWOW64\Lmnlnnim.dll | Jbgdcapi.exe |
| File created | C:\Windows\SysWOW64\Aeijmg32.dll | Onhihepp.exe |
| File created | C:\Windows\SysWOW64\Anapcg32.dll | Ofcnmh32.exe |
| File opened for modification | C:\Windows\SysWOW64\Dfmbmkgm.exe | Docjpa32.exe |
| File opened for modification | C:\Windows\SysWOW64\Hmbbcjic.exe | Hmpemkkf.exe |
| File created | C:\Windows\SysWOW64\Eepjboco.dll | Hdmajkdl.exe |
| File opened for modification | C:\Windows\SysWOW64\Llagegfb.exe | Ljakkd32.exe |
| File created | C:\Windows\SysWOW64\Bihgikml.dll | Madbll32.exe |
| File created | C:\Windows\SysWOW64\Ngebbepl.dll | Dfnncb32.exe |
| File created | C:\Windows\SysWOW64\Jndgfqlh.exe | Jbmgapgc.exe |
| File opened for modification | C:\Windows\SysWOW64\Ehhghdgc.exe | Ebnokjpf.exe |
| File created | C:\Windows\SysWOW64\Flpbbk32.dll | Ecidbfbb.exe |
| File opened for modification | C:\Windows\SysWOW64\Gjeedcjh.exe | Gdimlllq.exe |
| File created | C:\Windows\SysWOW64\Iomhkgkb.exe | Hcghffen.exe |
| File created | C:\Windows\SysWOW64\Debmplbf.dll | Ghqqpd32.exe |
| File created | C:\Windows\SysWOW64\Ldnjml32.dll | Llagegfb.exe |
| File created | C:\Windows\SysWOW64\Odhhdk32.exe | Ngdgkf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Enjmlgoj.exe | Engpfgql.exe |
| File created | C:\Windows\SysWOW64\Hljnbo32.exe | Hfmfjh32.exe |
| File created | C:\Windows\SysWOW64\Nioplnhf.dll | Kpgpfdoj.exe |
| File created | C:\Windows\SysWOW64\Pdecniol.dll | Mmlilfkj.exe |
| File created | C:\Windows\SysWOW64\Jnpioe32.dll | Fcehpbdm.exe |
| File opened for modification | C:\Windows\SysWOW64\Ngdgkf32.exe | Nmlcbafa.exe |
| File opened for modification | C:\Windows\SysWOW64\Ceclmc32.exe | Bholco32.exe |
| File created | C:\Windows\SysWOW64\Pcjmdd32.exe | Piaiko32.exe |
| File created | C:\Windows\SysWOW64\Qdmcqp32.dll | Gfippego.exe |
| File opened for modification | C:\Windows\SysWOW64\Imomkp32.exe | Iehejc32.exe |
| File opened for modification | C:\Windows\SysWOW64\Bagncl32.exe | Bhoikfbb.exe |
| File created | C:\Windows\SysWOW64\Boknmnja.dll | Gndedhdj.exe |
| File created | C:\Windows\SysWOW64\Oqibjq32.exe | Ofcnmh32.exe |
| File created | C:\Windows\SysWOW64\Mnbpgb32.exe | Lmbcmo32.exe |
| File created | C:\Windows\SysWOW64\Bilhdgoo.dll | Boggkicf.exe |
| File created | C:\Windows\SysWOW64\Iehejc32.exe | Ipkmal32.exe |
| File created | C:\Windows\SysWOW64\Imomkp32.exe | Iehejc32.exe |
| File created | C:\Windows\SysWOW64\Hhnpih32.exe | Hmdohj32.exe |
| File created | C:\Windows\SysWOW64\Mkcdgd32.dll | Iedmhlqf.exe |
| File created | C:\Windows\SysWOW64\Bmogkkkd.exe | Bokfaflj.exe |
| File created | C:\Windows\SysWOW64\Cecnflpd.exe | Baeepm32.exe |
| File created | C:\Windows\SysWOW64\Ahhqda32.dll | Gjjoob32.exe |
| File created | C:\Windows\SysWOW64\Mmlilfkj.exe | Mbgdonkd.exe |
| File created | C:\Windows\SysWOW64\Gcgjiifh.dll | Dbgknc32.exe |
| File created | C:\Windows\SysWOW64\Cpogjh32.exe | Bagncl32.exe |
| File created | C:\Windows\SysWOW64\Kgjhdgmm.dll | Echpaecj.exe |
| File created | C:\Windows\SysWOW64\Lejbhbpn.exe | Llbnpm32.exe |
| File opened for modification | C:\Windows\SysWOW64\Anbaqfep.exe | Aieihpgi.exe |
| File opened for modification | C:\Windows\SysWOW64\Agkfil32.exe | Anbaqfep.exe |
| File opened for modification | C:\Windows\SysWOW64\Dclikp32.exe | Dpnmoe32.exe |
| File created | C:\Windows\SysWOW64\Pihfin32.dll | Hpincd32.exe |
| File created | C:\Windows\SysWOW64\Djjeji32.dll | Iacmakkb.exe |
| File opened for modification | C:\Windows\SysWOW64\Dbjonicb.exe | Dibjec32.exe |
| File created | C:\Windows\SysWOW64\Pfgfna32.dll | Nlfdjphd.exe |
| File opened for modification | C:\Windows\SysWOW64\Poplqm32.exe | Pfhghgie.exe |
| File created | C:\Windows\SysWOW64\Biiajp32.dll | Fpnekc32.exe |
| File created | C:\Windows\SysWOW64\Jgbfehfd.dll | Igmppcpm.exe |
| File opened for modification | C:\Windows\SysWOW64\Jndgfqlh.exe | Jbmgapgc.exe |
| File created | C:\Windows\SysWOW64\Adoili32.exe | Ahhhgh32.exe |
| File created | C:\Windows\SysWOW64\Kikkdlge.dll | Fgbpmh32.exe |
| File created | C:\Windows\SysWOW64\Gfaodclg.exe | Gmhkkn32.exe |
| File opened for modification | C:\Windows\SysWOW64\Ahhhgh32.exe | Aopcnbfj.exe |
| File created | C:\Windows\SysWOW64\Dcjdnp32.dll | Gfaodclg.exe |
| File opened for modification | C:\Windows\SysWOW64\Fenedlec.exe | Elfakg32.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 1140 | 2060 | WerFault.exe | 532 |
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 64 processes:
Nmlcbafa.exe, Afbpph32.exe, Aoedch32.exe, Gpdhiaoi.exe, Dmpckbci.exe, Mkihfi32.exe, Qfegakmc.exe, Cleaebna.exe, Dhiacg32.exe, Fpnekc32.exe, Kkkgnmqb.exe, Mkldli32.exe, Meaiia32.exe, Pbcahgjd.exe, Cbpbek32.exe, Jpkgggnh.exe, Omaepoml.exe, Qmmbhegc.exe, Ebkibk32.exe, Pqlhbo32.exe, Fnifbaja.exe, Nbnajcig.exe, Kbhckm32.exe, b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324eN.exe, Hmdohj32.exe, Ecibjn32.exe, Aomghchl.exe, Ehkjgi32.exe, Kfnpgg32.exe, Gmipmlan.exe, Jddfbf32.exe, Odiagj32.exe, Ehlqao32.exe, Klcjfdqi.exe, Nhmpmcaq.exe, Eaoadb32.exe, Lfbibfmi.exe, Edghighp.exe, Gigjch32.exe, Ljlhme32.exe, Olhmnb32.exe, Docjpa32.exe, Hchcmnlj.exe, Bpahad32.exe, Acafnm32.exe, Iehcajjc.exe, Kpgpfdoj.exe, Hkbagjfi.exe, Hcdkagga.exe, Igmppcpm.exe, Neihmpon.exe, Allbpqcp.exe, Bclbhkdj.exe, Fqgnmo32.exe, Fmabaf32.exe, Aqpgblqh.exe, Lejbhbpn.exe, Ckeekp32.exe, Conmkh32.exe, Fglkeaqk.exe, Lifqbjpk.exe, Ghkbepop.exe, Poplqm32.exe, Caomgjnk.exe
Modifies registry class (64 IoCs)
All 64 writes target the COM registration of the single CLSID named by the SSODL entry, \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32. The (Default) value of InProcServer32 is the DLL that COM loads in-process for that CLSID, so each rewrite of it below re-points the Explorer autorun at a different dropped DLL under C:\Windows\SysWow64.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, by 20 processes:
Bpgmhkfi.exe, Nmlekj32.exe, Glmckikf.exe, Jodmdboj.exe, Ocbnqfln.exe, Fhdhqg32.exe, Fgjpijjb.exe, Joomnm32.exe, Dpifln32.exe, Gmcmomjc.exe, Igmppcpm.exe, Iehcajjc.exe, Inkgdjqn.exe, Oglfodai.exe, Mfpdim32.exe, Dclikp32.exe, Bfgikgjq.exe, Conmkh32.exe, Gbglgcbc.exe, Mkldli32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment", by 23 processes:
Hnbhpl32.exe, Ehhghdgc.exe, Fgbpmh32.exe, Oaonfncb.exe, Fcaankpf.exe, Bpahad32.exe, Hdpqhc32.exe, Ocbnqfln.exe, Indkgm32.exe, Cmkmao32.exe, Gfdcdi32.exe, Ajladp32.exe, Fgdjipfc.exe, Cihqdoaa.exe, Pcmcmcjc.exe, Boggkicf.exe, Jllggbde.exe, Afhcgjkq.exe, Jgaikb32.exe, Kgaejeoc.exe, Nmlcbafa.exe, Fmabaf32.exe, Hlamfh32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\(Default) = DLL path, 21 writes (Process = DLL):
Kgienc32.exe = "C:\Windows\SysWow64\Cmgemh32.dll"
Dibjec32.exe = "C:\Windows\SysWow64\Ibghnjnm.dll"
Dpggnfap.exe = "C:\Windows\SysWow64\Enecegpg.dll"
Jgihopao.exe = "C:\Windows\SysWow64\Johdlh32.dll"
Boggkicf.exe = "C:\Windows\SysWow64\Bilhdgoo.dll"
Pqodho32.exe = "C:\Windows\SysWow64\Gkmckcja.dll"
Kgghidfm.exe = "C:\Windows\SysWow64\Kpdoagge.dll"
Odknmi32.exe = "C:\Windows\SysWow64\Gghmbckj.dll"
Mknaahhn.exe = "C:\Windows\SysWow64\Onjimepm.dll"
Lofono32.exe = "C:\Windows\SysWow64\Kbkiab32.dll"
Llagegfb.exe = "C:\Windows\SysWow64\Ldnjml32.dll"
Cajmbd32.exe = "C:\Windows\SysWow64\Aedaqkja.dll"
Mpbfddef.exe = "C:\Windows\SysWow64\Ejambd32.dll"
Ohmllf32.exe = "C:\Windows\SysWow64\Jnhijfln.dll"
Cemfnh32.exe = "C:\Windows\SysWow64\Egmieb32.dll"
Dhiacg32.exe = "C:\Windows\SysWow64\Bjeecj32.dll"
Bokfaflj.exe = "C:\Windows\SysWow64\Jjfkpa32.dll"
Inkgdjqn.exe = "C:\Windows\SysWow64\Hklkhk32.dll"
Hhqmogam.exe = "C:\Windows\SysWow64\Bmlpkn32.dll"
Hdpqhc32.exe = "C:\Windows\SysWow64\Amdmaocd.dll"
Ffiebc32.exe = "C:\Windows\SysWow64\Hgfpbe32.dll"
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry is the on-disk path, the command line it was started with, its PID, and the behavioural signatures recorded for it; the depth number is the nesting level in the process tree (each process is spawned by the one above it).

- [depth 1] C:\Users\Admin\AppData\Local\Temp\b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324eN.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\b69ae129d3e4486126c144248dbf0040c1c5a7683579539f4821a1fe6368324eN.exe") PID:2960 | Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\SysWOW64\Bigpdjpm.exe (cmdline: C:\Windows\system32\Bigpdjpm.exe) PID:1160 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\SysWOW64\Bpahad32.exe (cmdline: C:\Windows\system32\Bpahad32.exe) PID:2672 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\SysWOW64\Bhoikfbb.exe (cmdline: C:\Windows\system32\Bhoikfbb.exe) PID:2828 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\SysWOW64\Bagncl32.exe (cmdline: C:\Windows\system32\Bagncl32.exe) PID:2972 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\SysWOW64\Cpogjh32.exe (cmdline: C:\Windows\system32\Cpogjh32.exe) PID:2744 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\SysWOW64\Cfnmhnhm.exe (cmdline: C:\Windows\system32\Cfnmhnhm.exe) PID:2648 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 8] C:\Windows\SysWOW64\Cfpinnfj.exe (cmdline: C:\Windows\system32\Cfpinnfj.exe) PID:1732 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\SysWOW64\Dcdjgbed.exe (cmdline: C:\Windows\system32\Dcdjgbed.exe) PID:3060 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 10] C:\Windows\SysWOW64\Dlokegib.exe (cmdline: C:\Windows\system32\Dlokegib.exe) PID:2140 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 11] C:\Windows\SysWOW64\Ddjpjj32.exe (cmdline: C:\Windows\system32\Ddjpjj32.exe) PID:616 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 12] C:\Windows\SysWOW64\Djiegp32.exe (cmdline: C:\Windows\system32\Djiegp32.exe) PID:2668 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 13] C:\Windows\SysWOW64\Ejkampao.exe (cmdline: C:\Windows\system32\Ejkampao.exe) PID:2908 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 14] C:\Windows\SysWOW64\Ecfcle32.exe (cmdline: C:\Windows\system32\Ecfcle32.exe) PID:908 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 15] C:\Windows\SysWOW64\Echpaecj.exe (cmdline: C:\Windows\system32\Echpaecj.exe) PID:1716 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [depth 16] C:\Windows\SysWOW64\Elfakg32.exe (cmdline: C:\Windows\system32\Elfakg32.exe) PID:1820 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- [depth 17] C:\Windows\SysWOW64\Fenedlec.exe (cmdline: C:\Windows\system32\Fenedlec.exe) PID:2136 | Executes dropped EXE; Loads dropped DLL
- [depth 18] C:\Windows\SysWOW64\Fnifbaja.exe (cmdline: C:\Windows\system32\Fnifbaja.exe) PID:1664 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- [depth 19] C:\Windows\SysWOW64\Fcfojhhh.exe (cmdline: C:\Windows\system32\Fcfojhhh.exe) PID:696 | Executes dropped EXE; Loads dropped DLL
- [depth 20] C:\Windows\SysWOW64\Fhdhqg32.exe (cmdline: C:\Windows\system32\Fhdhqg32.exe) PID:1052 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
- [depth 21] C:\Windows\SysWOW64\Ffiebc32.exe (cmdline: C:\Windows\system32\Ffiebc32.exe) PID:2348 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
- [depth 22] C:\Windows\SysWOW64\Gmcmomjc.exe (cmdline: C:\Windows\system32\Gmcmomjc.exe) PID:832 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
- [depth 23] C:\Windows\SysWOW64\Glhjpjok.exe (cmdline: C:\Windows\system32\Glhjpjok.exe) PID:1800 | Executes dropped EXE; Loads dropped DLL
- [depth 24] C:\Windows\SysWOW64\Gmhfjm32.exe (cmdline: C:\Windows\system32\Gmhfjm32.exe) PID:1108 | Executes dropped EXE; Loads dropped DLL
- [depth 25] C:\Windows\SysWOW64\Glmckikf.exe (cmdline: C:\Windows\system32\Glmckikf.exe) PID:1724 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
- [depth 26] C:\Windows\SysWOW64\Gbglgcbc.exe (cmdline: C:\Windows\system32\Gbglgcbc.exe) PID:1496 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
- [depth 27] C:\Windows\SysWOW64\Hlamfh32.exe (cmdline: C:\Windows\system32\Hlamfh32.exe) PID:2500 | Executes dropped EXE; Modifies registry class
- [depth 28] C:\Windows\SysWOW64\Hdmajkdl.exe (cmdline: C:\Windows\system32\Hdmajkdl.exe) PID:2372 | Loads dropped DLL; Drops file in System32 directory
- [depth 29] C:\Windows\SysWOW64\Hhkjpi32.exe (cmdline: C:\Windows\system32\Hhkjpi32.exe) PID:2708 | Executes dropped EXE; Loads dropped DLL
- [depth 30] C:\Windows\SysWOW64\Hcdkagga.exe (cmdline: C:\Windows\system32\Hcdkagga.exe) PID:1696 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
- [depth 31] C:\Windows\SysWOW64\Hcghffen.exe (cmdline: C:\Windows\system32\Hcghffen.exe) PID:2684 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- [depth 32] C:\Windows\SysWOW64\Iomhkgkb.exe (cmdline: C:\Windows\system32\Iomhkgkb.exe) PID:2704 | Executes dropped EXE; Loads dropped DLL
- [depth 33] C:\Windows\SysWOW64\Jbgdcapi.exe (cmdline: C:\Windows\system32\Jbgdcapi.exe) PID:2636 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- [depth 34] C:\Windows\SysWOW64\Jmaedolh.exe (cmdline: C:\Windows\system32\Jmaedolh.exe) PID:3052 | Executes dropped EXE
- [depth 35] C:\Windows\SysWOW64\Jflfbdqe.exe (cmdline: C:\Windows\system32\Jflfbdqe.exe) PID:2384 | Executes dropped EXE
- [depth 36] C:\Windows\SysWOW64\Jqakompl.exe (cmdline: C:\Windows\system32\Jqakompl.exe) PID:2064 | Executes dropped EXE
- [depth 37] C:\Windows\SysWOW64\Jofhqiec.exe (cmdline: C:\Windows\system32\Jofhqiec.exe) PID:2644 | Executes dropped EXE
- [depth 38] C:\Windows\SysWOW64\Kmjhjndm.exe (cmdline: C:\Windows\system32\Kmjhjndm.exe) PID:2432 | Executes dropped EXE
- [depth 39] C:\Windows\SysWOW64\Kkpekjie.exe (cmdline: C:\Windows\system32\Kkpekjie.exe) PID:2756 | Executes dropped EXE
- [depth 40] C:\Windows\SysWOW64\Kehidp32.exe (cmdline: C:\Windows\system32\Kehidp32.exe) PID:2932 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [depth 41] C:\Windows\SysWOW64\Kgibeklf.exe (cmdline: C:\Windows\system32\Kgibeklf.exe) PID:684 | Executes dropped EXE
- [depth 42] C:\Windows\SysWOW64\Kfnpgg32.exe (cmdline: C:\Windows\system32\Kfnpgg32.exe) PID:2520 | Executes dropped EXE; System Location Discovery: System Language Discovery
- [depth 43] C:\Windows\SysWOW64\Ljlhme32.exe (cmdline: C:\Windows\system32\Ljlhme32.exe) PID:2144 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
- [depth 44] C:\Windows\SysWOW64\Lpiqel32.exe (cmdline: C:\Windows\system32\Lpiqel32.exe) PID:2400 | Executes dropped EXE
- [depth 45] C:\Windows\SysWOW64\Lfbibfmi.exe (cmdline: C:\Windows\system32\Lfbibfmi.exe) PID:1120 | Executes dropped EXE; System Location Discovery: System Language Discovery
- [depth 46] C:\Windows\SysWOW64\Llpajmkq.exe (cmdline: C:\Windows\system32\Llpajmkq.exe) PID:3016 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [depth 47] C:\Windows\SysWOW64\Lbijgg32.exe (cmdline: C:\Windows\system32\Lbijgg32.exe) PID:1908 | Executes dropped EXE
- [depth 48] C:\Windows\SysWOW64\Llbnpm32.exe (cmdline: C:\Windows\system32\Llbnpm32.exe) PID:1268 | Executes dropped EXE; Drops file in System32 directory
- [depth 49] C:\Windows\SysWOW64\Lejbhbpn.exe (cmdline: C:\Windows\system32\Lejbhbpn.exe) PID:2404 | Executes dropped EXE; System Location Discovery: System Language Discovery
- [depth 50] C:\Windows\SysWOW64\Lldkem32.exe (cmdline: C:\Windows\system32\Lldkem32.exe) PID:2012 | Executes dropped EXE
- [depth 51] C:\Windows\SysWOW64\Laacmc32.exe (cmdline: C:\Windows\system32\Laacmc32.exe) PID:2332 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [depth 52] C:\Windows\SysWOW64\Mkihfi32.exe (cmdline: C:\Windows\system32\Mkihfi32.exe) PID:836 | Executes dropped EXE; System Location Discovery: System Language Discovery
- [depth 53] C:\Windows\SysWOW64\Meolcb32.exe (cmdline: C:\Windows\system32\Meolcb32.exe) PID:3064 | Executes dropped EXE
- [depth 54] C:\Windows\SysWOW64\Mkldli32.exe (cmdline: C:\Windows\system32\Mkldli32.exe) PID:1596 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
- [depth 55] C:\Windows\SysWOW64\Meaiia32.exe (cmdline: C:\Windows\system32\Meaiia32.exe) PID:1824 | Executes dropped EXE; System Location Discovery: System Language Discovery
- [depth 56] C:\Windows\SysWOW64\Mknaahhn.exe (cmdline: C:\Windows\system32\Mknaahhn.exe) PID:2596 | Executes dropped EXE; Modifies registry class
- [depth 57] C:\Windows\SysWOW64\Mkqnghfk.exe (cmdline: C:\Windows\system32\Mkqnghfk.exe) PID:2632 | Executes dropped EXE
- [depth 58] C:\Windows\SysWOW64\Mclbkjcf.exe (cmdline: C:\Windows\system32\Mclbkjcf.exe) PID:2104 | Executes dropped EXE
- [depth 59] C:\Windows\SysWOW64\Nldgdpjf.exe (cmdline: C:\Windows\system32\Nldgdpjf.exe) PID:2524 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- [depth 60] C:\Windows\SysWOW64\Ngikaijm.exe (cmdline: C:\Windows\system32\Ngikaijm.exe) PID:1236 | Executes dropped EXE
- [depth 61] C:\Windows\SysWOW64\Nlfdjphd.exe (cmdline: C:\Windows\system32\Nlfdjphd.exe) PID:1864 | Executes dropped EXE; Drops file in System32 directory
- [depth 62] C:\Windows\SysWOW64\Nijdcdgn.exe (cmdline: C:\Windows\system32\Nijdcdgn.exe) PID:1520 | Executes dropped EXE
- [depth 63] C:\Windows\SysWOW64\Neaehelb.exe (cmdline: C:\Windows\system32\Neaehelb.exe) PID:3004 | Executes dropped EXE
- [depth 64] C:\Windows\SysWOW64\Nlkmeo32.exe (cmdline: C:\Windows\system32\Nlkmeo32.exe) PID:2352 | Executes dropped EXE
- [depth 65] C:\Windows\SysWOW64\Necandjo.exe (cmdline: C:\Windows\system32\Necandjo.exe) PID:108 | Executes dropped EXE
- [depth 66] C:\Windows\SysWOW64\Nkpjfkhf.exe (cmdline: C:\Windows\system32\Nkpjfkhf.exe) PID:1612 | Executes dropped EXE
- [depth 67] C:\Windows\SysWOW64\Nefncd32.exe (cmdline: C:\Windows\system32\Nefncd32.exe) PID:2020
- [depth 68] C:\Windows\SysWOW64\Ooncljom.exe (cmdline: C:\Windows\system32\Ooncljom.exe) PID:1328
- [depth 69] C:\Windows\SysWOW64\Ohfgeo32.exe (cmdline: C:\Windows\system32\Ohfgeo32.exe) PID:928
- [depth 70] C:\Windows\SysWOW64\Oqaliabh.exe (cmdline: C:\Windows\system32\Oqaliabh.exe) PID:1388
- [depth 71] C:\Windows\SysWOW64\Ojjqbg32.exe (cmdline: C:\Windows\system32\Ojjqbg32.exe) PID:296
- [depth 72] C:\Windows\SysWOW64\Olhmnb32.exe (cmdline: C:\Windows\system32\Olhmnb32.exe) PID:2380 | System Location Discovery: System Language Discovery
- [depth 73] C:\Windows\SysWOW64\Ocbekmpi.exe (cmdline: C:\Windows\system32\Ocbekmpi.exe) PID:2080 | Adds autorun key to be loaded by Explorer.exe on startup
- [depth 74] C:\Windows\SysWOW64\Onhihepp.exe (cmdline: C:\Windows\system32\Onhihepp.exe) PID:2776 | Drops file in System32 directory
- [depth 75] C:\Windows\SysWOW64\Ooiepnen.exe (cmdline: C:\Windows\system32\Ooiepnen.exe) PID:2796
- [depth 76] C:\Windows\SysWOW64\Ofcnmh32.exe (cmdline: C:\Windows\system32\Ofcnmh32.exe) PID:2628 | Drops file in System32 directory
- [depth 77] C:\Windows\SysWOW64\Oqibjq32.exe (cmdline: C:\Windows\system32\Oqibjq32.exe) PID:2552
- [depth 78] C:\Windows\SysWOW64\Pbjoaibo.exe (cmdline: C:\Windows\system32\Pbjoaibo.exe) PID:3044
- [depth 79] C:\Windows\SysWOW64\Ponokmah.exe (cmdline: C:\Windows\system32\Ponokmah.exe) PID:940
- [depth 80] C:\Windows\SysWOW64\Pfhghgie.exe (cmdline: C:\Windows\system32\Pfhghgie.exe) PID:2284 | Drops file in System32 directory
- [depth 81] C:\Windows\SysWOW64\Poplqm32.exe (cmdline: C:\Windows\system32\Poplqm32.exe) PID:2436 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- [depth 82] C:\Windows\SysWOW64\Pfjdmggb.exe (cmdline: C:\Windows\system32\Pfjdmggb.exe) PID:1260
- [depth 83] C:\Windows\SysWOW64\Pneiaidn.exe (cmdline: C:\Windows\system32\Pneiaidn.exe) PID:2232
- [depth 84] C:\Windows\SysWOW64\Peoanckj.exe (cmdline: C:\Windows\system32\Peoanckj.exe) PID:2180
- [depth 85] C:\Windows\SysWOW64\Pkiikm32.exe (cmdline: C:\Windows\system32\Pkiikm32.exe) PID:2548
- [depth 86] C:\Windows\SysWOW64\Pbcahgjd.exe (cmdline: C:\Windows\system32\Pbcahgjd.exe) PID:1264 | System Location Discovery: System Language Discovery
- [depth 87] C:\Windows\SysWOW64\Qjofljho.exe (cmdline: C:\Windows\system32\Qjofljho.exe) PID:2312
- [depth 88] C:\Windows\SysWOW64\Qmmbhegc.exe (cmdline: C:\Windows\system32\Qmmbhegc.exe) PID:1104 | System Location Discovery: System Language Discovery
- [depth 89] C:\Windows\SysWOW64\Qfegakmc.exe (cmdline: C:\Windows\system32\Qfegakmc.exe) PID:2084 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- [depth 90] C:\Windows\SysWOW64\Qmoone32.exe (cmdline: C:\Windows\system32\Qmoone32.exe) PID:888
- [depth 91] C:\Windows\SysWOW64\Afhcgjkq.exe (cmdline: C:\Windows\system32\Afhcgjkq.exe) PID:1600 | Modifies registry class
- [depth 92] C:\Windows\SysWOW64\Aamhdckg.exe (cmdline: C:\Windows\system32\Aamhdckg.exe) PID:2688
- [depth 93] C:\Windows\SysWOW64\Algida32.exe (cmdline: C:\Windows\system32\Algida32.exe) PID:3068
- [depth 94] C:\Windows\SysWOW64\Abaaakob.exe (cmdline: C:\Windows\system32\Abaaakob.exe) PID:2396
- [depth 95] C:\Windows\SysWOW64\Aeommfnf.exe (cmdline: C:\Windows\system32\Aeommfnf.exe) PID:2480
- [depth 96] C:\Windows\SysWOW64\Angafl32.exe (cmdline: C:\Windows\system32\Angafl32.exe) PID:2904
- [depth 97] C:\Windows\SysWOW64\Aeajcf32.exe (cmdline: C:\Windows\system32\Aeajcf32.exe) PID:612
- [depth 98] C:\Windows\SysWOW64\Allbpqcp.exe (cmdline: C:\Windows\system32\Allbpqcp.exe) PID:2172 | System Location Discovery: System Language Discovery
- [depth 99] C:\Windows\SysWOW64\Aahkhgag.exe (cmdline: C:\Windows\system32\Aahkhgag.exe) PID:3024
- [depth 100] C:\Windows\SysWOW64\Alnoepam.exe (cmdline: C:\Windows\system32\Alnoepam.exe) PID:1768
- [depth 101] C:\Windows\SysWOW64\Bdiciboh.exe (cmdline: C:\Windows\system32\Bdiciboh.exe) PID:2424
- [depth 102] C:\Windows\SysWOW64\Cioohh32.exe (cmdline: C:\Windows\system32\Cioohh32.exe) PID:1868
- [depth 103] C:\Windows\SysWOW64\Cpldjajo.exe (cmdline: C:\Windows\system32\Cpldjajo.exe) PID:2160
- [depth 104] C:\Windows\SysWOW64\Ccjpfmic.exe (cmdline: C:\Windows\system32\Ccjpfmic.exe) PID:2728
- [depth 105] C:\Windows\SysWOW64\Chghodgj.exe (cmdline: C:\Windows\system32\Chghodgj.exe) PID:2696
- [depth 106] C:\Windows\SysWOW64\Ckeekp32.exe (cmdline: C:\Windows\system32\Ckeekp32.exe) PID:3048 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- [depth 107] C:\Windows\SysWOW64\Caomgjnk.exe (cmdline: C:\Windows\system32\Caomgjnk.exe) PID:2556 | System Location Discovery: System Language Discovery
- [depth 108] C:\Windows\SysWOW64\Cleaebna.exe (cmdline: C:\Windows\system32\Cleaebna.exe) PID:2196 | System Location Discovery: System Language Discovery
- [depth 109] C:\Windows\SysWOW64\Cnfnlk32.exe (cmdline: C:\Windows\system32\Cnfnlk32.exe) PID:2344
- [depth 110] C:\Windows\SysWOW64\Cemfnh32.exe (cmdline: C:\Windows\system32\Cemfnh32.exe) PID:2984 | Modifies registry class
- [depth 111] C:\Windows\SysWOW64\Ckjnfobi.exe (cmdline: C:\Windows\system32\Ckjnfobi.exe) PID:1692
- [depth 112] C:\Windows\SysWOW64\Dpggnfap.exe (cmdline: C:\Windows\system32\Dpggnfap.exe) PID:3040 | Modifies registry class
- [depth 113] C:\Windows\SysWOW64\Djokgk32.exe (cmdline: C:\Windows\system32\Djokgk32.exe) PID:776
- [depth 114] C:\Windows\SysWOW64\Dpicceon.exe (cmdline: C:\Windows\system32\Dpicceon.exe) PID:2024
- [depth 115] C:\Windows\SysWOW64\Dgclpp32.exe (cmdline: C:\Windows\system32\Dgclpp32.exe) PID:2208
- [depth 116] C:\Windows\SysWOW64\Dpkpie32.exe (cmdline: C:\Windows\system32\Dpkpie32.exe) PID:2356
- [depth 117] C:\Windows\SysWOW64\Dcjleq32.exe (cmdline: C:\Windows\system32\Dcjleq32.exe) PID:1580
- [depth 118] C:\Windows\SysWOW64\Djddbkck.exe (cmdline: C:\Windows\system32\Djddbkck.exe) PID:764
- [depth 119] C:\Windows\SysWOW64\Dpnmoe32.exe (cmdline: C:\Windows\system32\Dpnmoe32.exe) PID:2700 | Drops file in System32 directory
- [depth 120] C:\Windows\SysWOW64\Dclikp32.exe (cmdline: C:\Windows\system32\Dclikp32.exe) PID:2576 | Modifies registry class
- [depth 121] C:\Windows\SysWOW64\Dhiacg32.exe (cmdline: C:\Windows\system32\Dhiacg32.exe) PID:2044 | System Location Discovery: System Language Discovery; Modifies registry class
- [depth 122] C:\Windows\SysWOW64\Docjpa32.exe (cmdline: C:\Windows\system32\Docjpa32.exe) PID:1964 | Drops file in System32 directory; System Location Discovery: System Language Discovery