Analysis
-
max time kernel
87s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10/10/2024, 02:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe
-
Size
96KB
-
MD5
7f504aa2fe13eb346a1aac470fe294d0
-
SHA1
e2f3fa2065dbf1d2d85b5b0f46248c204ee27d43
-
SHA256
52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbc
-
SHA512
d2b1f2cf230eb6294fad57e57ca07b7025353a23ff89f909a54c5e1f908c041cab3959b37956d598e57a13adef609edf10a67ac9dbcef972f8f0f0fa2995feba
-
SSDEEP
1536:Oxg+Lqv0barLH+H6+bnHB6Q3uFEWZeUVglGbEczD2CNduV9jojTIvjrH:OW+06arbqjADnNd69jc0vf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkielpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klecfkff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbpbmkan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oefjdgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbmfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlifadkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceebklai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fccglehn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hegpjaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cepipm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghofam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icafgmbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnjicjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeqga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimoiopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmmneg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaphpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggapbcne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeaelok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplbjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Modlbmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fleifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfhdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inmmbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qldhkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikldqile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgoime32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plmbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgingm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jipaip32.exe -
Executes dropped EXE 64 IoCs
pid Process 2904 Phnpagdp.exe 1956 Pmkhjncg.exe 2640 Pdeqfhjd.exe 2660 Pkoicb32.exe 2336 Pmmeon32.exe 2644 Pkaehb32.exe 2608 Paknelgk.exe 1512 Pghfnc32.exe 1868 Pkcbnanl.exe 1972 Qdlggg32.exe 1712 Qgjccb32.exe 484 Qiioon32.exe 1908 Qdncmgbj.exe 2764 Qcachc32.exe 2152 Qnghel32.exe 1516 Agolnbok.exe 920 Aebmjo32.exe 1604 Aaimopli.exe 1304 Afdiondb.exe 344 Alnalh32.exe 1804 Achjibcl.exe 2380 Adifpk32.exe 2472 Ahebaiac.exe 2420 Aoojnc32.exe 324 Anbkipok.exe 2240 Adlcfjgh.exe 2648 Aoagccfn.exe 2536 Bhjlli32.exe 3040 Bnfddp32.exe 3044 Bccmmf32.exe 908 Bgoime32.exe 1092 Bdcifi32.exe 1760 Bgaebe32.exe 1912 Bchfhfeh.exe 1716 Bgcbhd32.exe 1772 Bqlfaj32.exe 2872 Bfioia32.exe 2120 Bfioia32.exe 2148 Bigkel32.exe 2412 Cbppnbhm.exe 1136 Cenljmgq.exe 872 Cmedlk32.exe 2720 Cnfqccna.exe 1524 Cbblda32.exe 1736 Cepipm32.exe 2224 Cileqlmg.exe 1280 Cnimiblo.exe 2952 Cagienkb.exe 1704 Cebeem32.exe 2740 Cinafkkd.exe 596 Cjonncab.exe 2996 Cbffoabe.exe 1944 Ceebklai.exe 2260 Cgcnghpl.exe 1380 Clojhf32.exe 2268 Cnmfdb32.exe 640 Cmpgpond.exe 408 Cegoqlof.exe 840 Ccjoli32.exe 468 Cfhkhd32.exe 1652 Djdgic32.exe 888 Dnpciaef.exe 3036 Danpemej.exe 2288 Dcllbhdn.exe -
Loads dropped DLL 64 IoCs
pid Process 1128 52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe 1128 52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe 2904 Phnpagdp.exe 2904 Phnpagdp.exe 1956 Pmkhjncg.exe 1956 Pmkhjncg.exe 2640 Pdeqfhjd.exe 2640 Pdeqfhjd.exe 2660 Pkoicb32.exe 2660 Pkoicb32.exe 2336 Pmmeon32.exe 2336 Pmmeon32.exe 2644 Pkaehb32.exe 2644 Pkaehb32.exe 2608 Paknelgk.exe 2608 Paknelgk.exe 1512 Pghfnc32.exe 1512 Pghfnc32.exe 1868 Pkcbnanl.exe 1868 Pkcbnanl.exe 1972 Qdlggg32.exe 1972 Qdlggg32.exe 1712 Qgjccb32.exe 1712 Qgjccb32.exe 484 Qiioon32.exe 484 Qiioon32.exe 1908 Qdncmgbj.exe 1908 Qdncmgbj.exe 2764 Qcachc32.exe 2764 Qcachc32.exe 2152 Qnghel32.exe 2152 Qnghel32.exe 1516 Agolnbok.exe 1516 Agolnbok.exe 920 Aebmjo32.exe 920 Aebmjo32.exe 1604 Aaimopli.exe 1604 Aaimopli.exe 1304 Afdiondb.exe 1304 Afdiondb.exe 344 Alnalh32.exe 344 Alnalh32.exe 1804 Achjibcl.exe 1804 Achjibcl.exe 2380 Adifpk32.exe 2380 Adifpk32.exe 2472 Ahebaiac.exe 2472 Ahebaiac.exe 2420 Aoojnc32.exe 2420 Aoojnc32.exe 324 Anbkipok.exe 324 Anbkipok.exe 2240 Adlcfjgh.exe 2240 Adlcfjgh.exe 2648 Aoagccfn.exe 2648 Aoagccfn.exe 2536 Bhjlli32.exe 2536 Bhjlli32.exe 3040 Bnfddp32.exe 3040 Bnfddp32.exe 3044 Bccmmf32.exe 3044 Bccmmf32.exe 908 Bgoime32.exe 908 Bgoime32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe Cileqlmg.exe File opened for modification C:\Windows\SysWOW64\Ggdcbi32.exe Gpjkeoha.exe File opened for modification C:\Windows\SysWOW64\Plbkfdba.exe Picojhcm.exe File created C:\Windows\SysWOW64\Dohindnd.dll Cjogcm32.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Ckpckece.exe Cmmcpi32.exe File opened for modification C:\Windows\SysWOW64\Kpieengb.exe Kmkihbho.exe File opened for modification C:\Windows\SysWOW64\Hkdemk32.exe Hieiqo32.exe File created C:\Windows\SysWOW64\Mfnqeb32.dll Ieofkp32.exe File created C:\Windows\SysWOW64\Legaoehg.exe Lonibk32.exe File created C:\Windows\SysWOW64\Ikedjg32.dll Fglfgd32.exe File opened for modification C:\Windows\SysWOW64\Gqcnln32.exe Gmhbkohm.exe File created C:\Windows\SysWOW64\Dmqejl32.dll Ilcalnii.exe File opened for modification C:\Windows\SysWOW64\Lnjldf32.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Mphiqbon.exe Lnjldf32.exe File created C:\Windows\SysWOW64\Injqmdki.exe Ikldqile.exe File opened for modification C:\Windows\SysWOW64\Ohbikbkb.exe Oecmogln.exe File opened for modification C:\Windows\SysWOW64\Fcqjfeja.exe Fpbnjjkm.exe File created C:\Windows\SysWOW64\Qdncmgbj.exe Qiioon32.exe File created C:\Windows\SysWOW64\Adlcfjgh.exe Anbkipok.exe File created C:\Windows\SysWOW64\Cebeem32.exe Cagienkb.exe File created C:\Windows\SysWOW64\Mokilo32.exe Mphiqbon.exe File opened for modification C:\Windows\SysWOW64\Bnlgbnbp.exe Bknjfb32.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bgaebe32.exe File created C:\Windows\SysWOW64\Jmaebf32.dll Jlkglm32.exe File opened for modification C:\Windows\SysWOW64\Ggapbcne.exe Gcedad32.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Phnpagdp.exe File opened for modification C:\Windows\SysWOW64\Dbiocd32.exe Dpjbgh32.exe File created C:\Windows\SysWOW64\Ecfnmh32.exe Edcnakpa.exe File opened for modification C:\Windows\SysWOW64\Hjohmbpd.exe Hgqlafap.exe File created C:\Windows\SysWOW64\Hjaeba32.exe Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Lplbjm32.exe Lmmfnb32.exe File created C:\Windows\SysWOW64\Gcedad32.exe Gpggei32.exe File created C:\Windows\SysWOW64\Bibjaofg.dll Phnpagdp.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Bchfhfeh.exe File created C:\Windows\SysWOW64\Chnlno32.dll Gjbpne32.exe File opened for modification C:\Windows\SysWOW64\Acnlgajg.exe Aobpfb32.exe File created C:\Windows\SysWOW64\Ginaep32.dll Bjjaikoa.exe File created C:\Windows\SysWOW64\Coicfd32.exe Cqfbjhgf.exe File opened for modification C:\Windows\SysWOW64\Emoldlmc.exe Ejaphpnp.exe File opened for modification C:\Windows\SysWOW64\Jllqplnp.exe Jimdcqom.exe File opened for modification C:\Windows\SysWOW64\Jhenjmbb.exe Jibnop32.exe File created C:\Windows\SysWOW64\Kcjeje32.dll Kdphjm32.exe File created C:\Windows\SysWOW64\Ikfbbjdj.exe Hgkfal32.exe File opened for modification C:\Windows\SysWOW64\Mnglnj32.exe Modlbmmn.exe File created C:\Windows\SysWOW64\Dbkngi32.dll Obgnhkkh.exe File opened for modification C:\Windows\SysWOW64\Hqkmplen.exe Hmpaom32.exe File opened for modification C:\Windows\SysWOW64\Foolgh32.exe Flapkmlj.exe File created C:\Windows\SysWOW64\Gaihob32.exe Gjbpne32.exe File created C:\Windows\SysWOW64\Pdlkggmp.dll Legaoehg.exe File created C:\Windows\SysWOW64\Abkeba32.dll Alddjg32.exe File opened for modification C:\Windows\SysWOW64\Indnnfdn.exe Ikfbbjdj.exe File created C:\Windows\SysWOW64\Gahjmjal.dll Ichmgl32.exe File created C:\Windows\SysWOW64\Ffdmihcc.dll Inhdgdmk.exe File created C:\Windows\SysWOW64\Dmgmpnhl.exe Dilapopb.exe File created C:\Windows\SysWOW64\Edcnakpa.exe Emifeqid.exe File opened for modification C:\Windows\SysWOW64\Nmflee32.exe Nijpdfhm.exe File created C:\Windows\SysWOW64\Fdiqpigl.exe Fakdcnhh.exe File created C:\Windows\SysWOW64\Feggob32.exe Fgdgcfmb.exe File opened for modification C:\Windows\SysWOW64\Flclam32.exe Fiepea32.exe File created C:\Windows\SysWOW64\Hadcipbi.exe Gqdgom32.exe File created C:\Windows\SysWOW64\Onlahm32.exe Olmela32.exe File created C:\Windows\SysWOW64\Onepbd32.dll Dcghkf32.exe File created C:\Windows\SysWOW64\Ffakjm32.dll Klecfkff.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6680 6600 WerFault.exe 646 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfigck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbnjjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khnapkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqlfaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adlcfjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqkiind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeiheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblbnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjifjdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfjjdjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcnakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokilo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbkpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajmjcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdmjamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeekmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icafgmbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaapcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieponofk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deenjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhflleb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaqig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imlhebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiflohqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figmjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjbgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmflee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glchpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjddaagq.dll" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Danpemej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oajndh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmepkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heliepmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgkfal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjkkbjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmofdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faiboc32.dll" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohindnd.dll" Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjedmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmgc32.dll" Giaidnkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfeflj32.dll" Ifgicg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndfnecgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgqlafap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmdgipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjjdhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpelaf32.dll" Edcnakpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilcalnii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgocmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjhgbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mopbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkigdmm.dll" Plmbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemgfj32.dll" Aeoijidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joqgkdem.dll" Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkgoff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbolo32.dll" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmhjdiap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gncnmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikldqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Foolgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfoeb32.dll" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndlmhi32.dll" Iieepbje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkoicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhckfkbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emifeqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Figmjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgidcjn.dll" Olkifaen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmppehkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mlafkb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1128 wrote to memory of 2904 1128 52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe 31 PID 1128 wrote to memory of 2904 1128 52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe 31 PID 1128 wrote to memory of 2904 1128 52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe 31 PID 1128 wrote to memory of 2904 1128 52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe 31 PID 2904 wrote to memory of 1956 2904 Phnpagdp.exe 32 PID 2904 wrote to memory of 1956 2904 Phnpagdp.exe 32 PID 2904 wrote to memory of 1956 2904 Phnpagdp.exe 32 PID 2904 wrote to memory of 1956 2904 Phnpagdp.exe 32 PID 1956 wrote to memory of 2640 1956 Pmkhjncg.exe 33 PID 1956 wrote to memory of 2640 1956 Pmkhjncg.exe 33 PID 1956 wrote to memory of 2640 1956 Pmkhjncg.exe 33 PID 1956 wrote to memory of 2640 1956 Pmkhjncg.exe 33 PID 2640 wrote to memory of 2660 2640 Pdeqfhjd.exe 34 PID 2640 wrote to memory of 2660 2640 Pdeqfhjd.exe 34 PID 2640 wrote to memory of 2660 2640 Pdeqfhjd.exe 34 PID 2640 wrote to memory of 2660 2640 Pdeqfhjd.exe 34 PID 2660 wrote to memory of 2336 2660 Pkoicb32.exe 35 PID 2660 wrote to memory of 2336 2660 Pkoicb32.exe 35 PID 2660 wrote to memory of 2336 2660 Pkoicb32.exe 35 PID 2660 wrote to memory of 2336 2660 Pkoicb32.exe 35 PID 2336 wrote to memory of 2644 2336 Pmmeon32.exe 36 PID 2336 wrote to memory of 2644 2336 Pmmeon32.exe 36 PID 2336 wrote to memory of 2644 2336 Pmmeon32.exe 36 PID 2336 wrote to memory of 2644 2336 Pmmeon32.exe 36 PID 2644 wrote to memory of 2608 2644 Pkaehb32.exe 37 PID 2644 wrote to memory of 2608 2644 Pkaehb32.exe 37 PID 2644 wrote to memory of 2608 2644 Pkaehb32.exe 37 PID 2644 wrote to memory of 2608 2644 Pkaehb32.exe 37 PID 2608 wrote to memory of 1512 2608 Paknelgk.exe 38 PID 2608 wrote to memory of 1512 2608 Paknelgk.exe 38 PID 2608 wrote to memory of 1512 2608 Paknelgk.exe 38 PID 2608 wrote to memory of 1512 2608 Paknelgk.exe 38 PID 1512 wrote to memory of 1868 1512 Pghfnc32.exe 39 PID 1512 wrote to memory of 1868 1512 Pghfnc32.exe 39 PID 1512 wrote to memory of 1868 1512 Pghfnc32.exe 39 PID 1512 wrote to memory of 1868 1512 Pghfnc32.exe 39 PID 1868 wrote to memory of 1972 1868 Pkcbnanl.exe 40 PID 1868 wrote to memory of 1972 1868 Pkcbnanl.exe 40 PID 1868 wrote to memory of 1972 1868 Pkcbnanl.exe 40 PID 1868 wrote to memory of 1972 1868 Pkcbnanl.exe 40 PID 1972 wrote to memory of 1712 1972 Qdlggg32.exe 41 PID 1972 wrote to memory of 1712 1972 Qdlggg32.exe 41 PID 1972 wrote to memory of 1712 1972 Qdlggg32.exe 41 PID 1972 wrote to memory of 1712 1972 Qdlggg32.exe 41 PID 1712 wrote to memory of 484 1712 Qgjccb32.exe 42 PID 1712 wrote to memory of 484 1712 Qgjccb32.exe 42 PID 1712 wrote to memory of 484 1712 Qgjccb32.exe 42 PID 1712 wrote to memory of 484 1712 Qgjccb32.exe 42 PID 484 wrote to memory of 1908 484 Qiioon32.exe 43 PID 484 wrote to memory of 1908 484 Qiioon32.exe 43 PID 484 wrote to memory of 1908 484 Qiioon32.exe 43 PID 484 wrote to memory of 1908 484 Qiioon32.exe 43 PID 1908 wrote to memory of 2764 1908 Qdncmgbj.exe 44 PID 1908 wrote to memory of 2764 1908 Qdncmgbj.exe 44 PID 1908 wrote to memory of 2764 1908 Qdncmgbj.exe 44 PID 1908 wrote to memory of 2764 1908 Qdncmgbj.exe 44 PID 2764 wrote to memory of 2152 2764 Qcachc32.exe 45 PID 2764 wrote to memory of 2152 2764 Qcachc32.exe 45 PID 2764 wrote to memory of 2152 2764 Qcachc32.exe 45 PID 2764 wrote to memory of 2152 2764 Qcachc32.exe 45 PID 2152 wrote to memory of 1516 2152 Qnghel32.exe 46 PID 2152 wrote to memory of 1516 2152 Qnghel32.exe 46 PID 2152 wrote to memory of 1516 2152 Qnghel32.exe 46 PID 2152 wrote to memory of 1516 2152 Qnghel32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe"C:\Users\Admin\AppData\Local\Temp\52816c588e9405f0b315dcc7034fa341ba2303104ff62eeafb802de70c1ddcbcN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:344 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe33⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe36⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe38⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe39⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe40⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe41⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe42⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe44⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe48⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe51⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe52⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe53⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe56⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe59⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ccjoli32.exeC:\Windows\system32\Ccjoli32.exe60⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe63⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe65⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe66⤵PID:2828
-
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe67⤵PID:2728
-
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe68⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe69⤵PID:1480
-
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe70⤵PID:1940
-
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe71⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe72⤵PID:1200
-
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe74⤵PID:2184
-
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe75⤵PID:2200
-
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe76⤵PID:1936
-
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe77⤵PID:448
-
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe78⤵PID:580
-
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe79⤵PID:2388
-
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe80⤵PID:1644
-
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe81⤵
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe82⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe84⤵PID:3016
-
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe85⤵PID:1672
-
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe86⤵PID:2340
-
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe87⤵PID:756
-
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe88⤵PID:2856
-
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe89⤵
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe90⤵PID:956
-
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe91⤵PID:2484
-
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe92⤵PID:1788
-
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe93⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe94⤵PID:2800
-
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe95⤵PID:2588
-
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe97⤵PID:1564
-
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe99⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe100⤵PID:788
-
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe103⤵PID:2176
-
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe104⤵PID:2924
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe105⤵PID:2504
-
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe106⤵PID:2692
-
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe107⤵PID:1688
-
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe108⤵PID:2632
-
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe109⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe110⤵PID:1812
-
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe111⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe112⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe113⤵PID:2768
-
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe115⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe116⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe117⤵PID:1728
-
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe118⤵PID:2192
-
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe121⤵PID:1316
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-