Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 33s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 14:52
Static task: static1
Behavioral task: behavioral1
Sample: 96f312e0a8dc5823f50b6c779c46f6cc8d578702b92cc9db258531dbe0b4b5d8N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 96f312e0a8dc5823f50b6c779c46f6cc8d578702b92cc9db258531dbe0b4b5d8N.exe
Resource: win10v2004-20241007-en
General
Target: 96f312e0a8dc5823f50b6c779c46f6cc8d578702b92cc9db258531dbe0b4b5d8N.exe
Size: 159KB
MD5: cdc165423328a252e4c1f06441cd5920
SHA1: 185cd69f698dcb5debf5ba29cea8e1aec30c7371
SHA256: 96f312e0a8dc5823f50b6c779c46f6cc8d578702b92cc9db258531dbe0b4b5d8
SHA512: 8cabc757cdd66e8aed14d9a0536a93d9f44869763f475bee1b93266429c6beba5fb901b8b3fb37d951b0efe4e16914c92cc8956bb39a0c90fa36495ae7d97c39
SSDEEP: 3072:1Cxe25Qt12h2Bbwf1nFzwSAJB8FgBY5nd/M9dA:w85t1fa1n6xJmPM9dA
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 3940, pid_target 3892, Process WerFault.exe, procid_target 307
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\96f312e0a8dc5823f50b6c779c46f6cc8d578702b92cc9db258531dbe0b4b5d8N.exe"C:\Users\Admin\AppData\Local\Temp\96f312e0a8dc5823f50b6c779c46f6cc8d578702b92cc9db258531dbe0b4b5d8N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Aillbbdn.exeC:\Windows\system32\Aillbbdn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Bbdakh32.exeC:\Windows\system32\Bbdakh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Bkoepj32.exeC:\Windows\system32\Bkoepj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Bkdokjdd.exeC:\Windows\system32\Bkdokjdd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Cfpmqg32.exeC:\Windows\system32\Cfpmqg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Cjnege32.exeC:\Windows\system32\Cjnege32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Comkdl32.exeC:\Windows\system32\Comkdl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Ckckim32.exeC:\Windows\system32\Ckckim32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Dqcqgc32.exeC:\Windows\system32\Dqcqgc32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Ddqinb32.exeC:\Windows\system32\Ddqinb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Djnafi32.exeC:\Windows\system32\Djnafi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Dgdoemdi.exeC:\Windows\system32\Dgdoemdi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Eighbdhe.exeC:\Windows\system32\Eighbdhe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Eijegdfb.exeC:\Windows\system32\Eijegdfb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Egoaiqjj.exeC:\Windows\system32\Egoaiqjj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Enkgkj32.exeC:\Windows\system32\Enkgkj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Ffihelkm.exeC:\Windows\system32\Ffihelkm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Fmemgfqg.exeC:\Windows\system32\Fmemgfqg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Filnlg32.exeC:\Windows\system32\Filnlg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Feboahlo.exeC:\Windows\system32\Feboahlo.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Ffbkkkcb.exeC:\Windows\system32\Ffbkkkcb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Ghfdhc32.exeC:\Windows\system32\Ghfdhc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Goplem32.exeC:\Windows\system32\Goplem32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Glcmna32.exeC:\Windows\system32\Glcmna32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Gpebhd32.exeC:\Windows\system32\Gpebhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Gingqjgd.exeC:\Windows\system32\Gingqjgd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Hgddpn32.exeC:\Windows\system32\Hgddpn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Hpmhhcjk.exeC:\Windows\system32\Hpmhhcjk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Hhjjbe32.exeC:\Windows\system32\Hhjjbe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Ikbidp32.exeC:\Windows\system32\Ikbidp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Jjibkl32.exeC:\Windows\system32\Jjibkl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Jjloak32.exeC:\Windows\system32\Jjloak32.exe33⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Jbgdenjj.exeC:\Windows\system32\Jbgdenjj.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Jicigg32.exeC:\Windows\system32\Jicigg32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Kcofnejq.exeC:\Windows\system32\Kcofnejq.exe36⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Kacggiij.exeC:\Windows\system32\Kacggiij.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Kgplicod.exeC:\Windows\system32\Kgplicod.exe38⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Kmldajml.exeC:\Windows\system32\Kmldajml.exe39⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Khbiob32.exeC:\Windows\system32\Khbiob32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Kiebljpm.exeC:\Windows\system32\Kiebljpm.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Lfibeoog.exeC:\Windows\system32\Lfibeoog.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Lijkgj32.exeC:\Windows\system32\Lijkgj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Lhaenf32.exeC:\Windows\system32\Lhaenf32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Lajifken.exeC:\Windows\system32\Lajifken.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Mkbnpaln.exeC:\Windows\system32\Mkbnpaln.exe46⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Mdkbhf32.exeC:\Windows\system32\Mdkbhf32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Mdmonf32.exeC:\Windows\system32\Mdmonf32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Mdplcfoi.exeC:\Windows\system32\Mdplcfoi.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Mgnhpanm.exeC:\Windows\system32\Mgnhpanm.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Mpfmhg32.exeC:\Windows\system32\Mpfmhg32.exe51⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Mpiinfbk.exeC:\Windows\system32\Mpiinfbk.exe52⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Neeafmqb.exeC:\Windows\system32\Neeafmqb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Nonfoc32.exeC:\Windows\system32\Nonfoc32.exe54⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nlaghg32.exeC:\Windows\system32\Nlaghg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Naooqndd.exeC:\Windows\system32\Naooqndd.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Nkgcic32.exeC:\Windows\system32\Nkgcic32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Npdlbj32.exeC:\Windows\system32\Npdlbj32.exe58⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Nqfigjgi.exeC:\Windows\system32\Nqfigjgi.exe59⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Nklmdcfo.exeC:\Windows\system32\Nklmdcfo.exe60⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Oqhemjef.exeC:\Windows\system32\Oqhemjef.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Onlffncp.exeC:\Windows\system32\Onlffncp.exe62⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ogejocjq.exeC:\Windows\system32\Ogejocjq.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Omacgjhh.exeC:\Windows\system32\Omacgjhh.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Ojecaoga.exeC:\Windows\system32\Ojecaoga.exe65⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ocnhjdnb.exeC:\Windows\system32\Ocnhjdnb.exe66⤵PID:928
-
C:\Windows\SysWOW64\Okimnfkm.exeC:\Windows\system32\Okimnfkm.exe67⤵PID:2996
-
C:\Windows\SysWOW64\Obcekq32.exeC:\Windows\system32\Obcekq32.exe68⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Pimmgkjg.exeC:\Windows\system32\Pimmgkjg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Pnjepahn.exeC:\Windows\system32\Pnjepahn.exe70⤵PID:1548
-
C:\Windows\SysWOW64\Pknfif32.exeC:\Windows\system32\Pknfif32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Pbhnfpoe.exeC:\Windows\system32\Pbhnfpoe.exe72⤵PID:2236
-
C:\Windows\SysWOW64\Pkpboe32.exeC:\Windows\system32\Pkpboe32.exe73⤵PID:1804
-
C:\Windows\SysWOW64\Pckgchbp.exeC:\Windows\system32\Pckgchbp.exe74⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Pmcllm32.exeC:\Windows\system32\Pmcllm32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Pgipif32.exeC:\Windows\system32\Pgipif32.exe76⤵PID:2852
-
C:\Windows\SysWOW64\Qpdenh32.exeC:\Windows\system32\Qpdenh32.exe77⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Qfnmjb32.exeC:\Windows\system32\Qfnmjb32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Qpgachdo.exeC:\Windows\system32\Qpgachdo.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Amkbmlci.exeC:\Windows\system32\Amkbmlci.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Afcfebii.exeC:\Windows\system32\Afcfebii.exe81⤵PID:908
-
C:\Windows\SysWOW64\Alponiga.exeC:\Windows\system32\Alponiga.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Aehcfn32.exeC:\Windows\system32\Aehcfn32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Alblchen.exeC:\Windows\system32\Alblchen.exe84⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Admqhk32.exeC:\Windows\system32\Admqhk32.exe85⤵PID:1448
-
C:\Windows\SysWOW64\Aaaaao32.exeC:\Windows\system32\Aaaaao32.exe86⤵PID:584
-
C:\Windows\SysWOW64\Bdgcniko.exeC:\Windows\system32\Bdgcniko.exe87⤵PID:2736
-
C:\Windows\SysWOW64\Bejlkaoj.exeC:\Windows\system32\Bejlkaoj.exe88⤵PID:612
-
C:\Windows\SysWOW64\Cklnog32.exeC:\Windows\system32\Cklnog32.exe89⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Caffkapi.exeC:\Windows\system32\Caffkapi.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Cojgdf32.exeC:\Windows\system32\Cojgdf32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Cpkclnea.exeC:\Windows\system32\Cpkclnea.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Ckqhigeg.exeC:\Windows\system32\Ckqhigeg.exe93⤵PID:3024
-
C:\Windows\SysWOW64\Cakpfa32.exeC:\Windows\system32\Cakpfa32.exe94⤵PID:1096
-
C:\Windows\SysWOW64\Cgghoh32.exeC:\Windows\system32\Cgghoh32.exe95⤵PID:1816
-
C:\Windows\SysWOW64\Cnaqkb32.exeC:\Windows\system32\Cnaqkb32.exe96⤵PID:2028
-
C:\Windows\SysWOW64\Dgjedghh.exeC:\Windows\system32\Dgjedghh.exe97⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Djhapcgl.exeC:\Windows\system32\Djhapcgl.exe98⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Dpbjmm32.exeC:\Windows\system32\Dpbjmm32.exe99⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Dfobed32.exeC:\Windows\system32\Dfobed32.exe100⤵PID:860
-
C:\Windows\SysWOW64\Dogfnj32.exeC:\Windows\system32\Dogfnj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Djmkkb32.exeC:\Windows\system32\Djmkkb32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Dceodhjg.exeC:\Windows\system32\Dceodhjg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Ddfllp32.exeC:\Windows\system32\Ddfllp32.exe104⤵PID:2724
-
C:\Windows\SysWOW64\Dkpdhj32.exeC:\Windows\system32\Dkpdhj32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Dbjledoo.exeC:\Windows\system32\Dbjledoo.exe106⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Dkcqnj32.exeC:\Windows\system32\Dkcqnj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Eqpifq32.exeC:\Windows\system32\Eqpifq32.exe108⤵PID:3056
-
C:\Windows\SysWOW64\Ekemci32.exeC:\Windows\system32\Ekemci32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Eglnik32.exeC:\Windows\system32\Eglnik32.exe110⤵PID:3040
-
C:\Windows\SysWOW64\Emifaa32.exeC:\Windows\system32\Emifaa32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Egnknj32.exeC:\Windows\system32\Egnknj32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Eqfogp32.exeC:\Windows\system32\Eqfogp32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Eibdkb32.exeC:\Windows\system32\Eibdkb32.exe114⤵PID:2356
-
C:\Windows\SysWOW64\Effdef32.exeC:\Windows\system32\Effdef32.exe115⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Fidqab32.exeC:\Windows\system32\Fidqab32.exe116⤵
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Fekafc32.exeC:\Windows\system32\Fekafc32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Fpqfcl32.exeC:\Windows\system32\Fpqfcl32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Fbobog32.exeC:\Windows\system32\Fbobog32.exe119⤵PID:2020
-
C:\Windows\SysWOW64\Fiijladb.exeC:\Windows\system32\Fiijladb.exe120⤵PID:1508
-
C:\Windows\SysWOW64\Fepkabjf.exeC:\Windows\system32\Fepkabjf.exe121⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Fbckjfip.exeC:\Windows\system32\Fbckjfip.exe122⤵
- Drops file in System32 directory
PID:1592