Analysis
max time kernel: 15s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2024 20:16
Static task: static1
Behavioral task: behavioral1
  Sample: 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe
  Resource: win10v2004-20241007-en
General
Target: 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe
Size: 96KB
MD5: a7b45009a2b0cad0c025e77ff048236a
SHA1: c732562d170c3cdfc9b30f99a452e618eeeb1861
SHA256: 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae
SHA512: 2de68d89ea5988e8760ecd6362897ffd6febe95590df2c3f4b5746997b8f8232c049efbb4ffa9fafe5cfaf8b39e1176de821537dc5da94349d775f496b5200e1
SSDEEP: 1536:IRhHlwkeWHpumNU/8MVm8kAReXT+Zi1U8NBXwLL+T93TFFfUN1Avhw6JCMd:ImkeWHpLUDA8kAReD+c1rQLSJ3TFFfUQ
Malware Config
Extracted family: berbew
Extracted URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3844, pid_target: 3820, Process: WerFault.exe, procid_target: 227
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2972 wrote to memory of 1716 2972 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe 29
PID 2972 wrote to memory of 1716 2972 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe 29
PID 2972 wrote to memory of 1716 2972 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe 29
PID 2972 wrote to memory of 1716 2972 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe 29
PID 1716 wrote to memory of 1752 1716 Jmdenl32.exe 30
PID 1716 wrote to memory of 1752 1716 Jmdenl32.exe 30
PID 1716 wrote to memory of 1752 1716 Jmdenl32.exe 30
PID 1716 wrote to memory of 1752 1716 Jmdenl32.exe 30
PID 1752 wrote to memory of 2028 1752 Kpbajggh.exe 31
PID 1752 wrote to memory of 2028 1752 Kpbajggh.exe 31
PID 1752 wrote to memory of 2028 1752 Kpbajggh.exe 31
PID 1752 wrote to memory of 2028 1752 Kpbajggh.exe 31
PID 2028 wrote to memory of 2840 2028 Kepjbneo.exe 32
PID 2028 wrote to memory of 2840 2028 Kepjbneo.exe 32
PID 2028 wrote to memory of 2840 2028 Kepjbneo.exe 32
PID 2028 wrote to memory of 2840 2028 Kepjbneo.exe 32
PID 2840 wrote to memory of 2172 2840 Kpenogee.exe 33
PID 2840 wrote to memory of 2172 2840 Kpenogee.exe 33
PID 2840 wrote to memory of 2172 2840 Kpenogee.exe 33
PID 2840 wrote to memory of 2172 2840 Kpenogee.exe 33
PID 2172 wrote to memory of 2960 2172 Kfofla32.exe 34
PID 2172 wrote to memory of 2960 2172 Kfofla32.exe 34
PID 2172 wrote to memory of 2960 2172 Kfofla32.exe 34
PID 2172 wrote to memory of 2960 2172 Kfofla32.exe 34
PID 2960 wrote to memory of 2588 2960 Kpgkef32.exe 35
PID 2960 wrote to memory of 2588 2960 Kpgkef32.exe 35
PID 2960 wrote to memory of 2588 2960 Kpgkef32.exe 35
PID 2960 wrote to memory of 2588 2960 Kpgkef32.exe 35
PID 2588 wrote to memory of 3060 2588 Kojkqcjm.exe 36
PID 2588 wrote to memory of 3060 2588 Kojkqcjm.exe 36
PID 2588 wrote to memory of 3060 2588 Kojkqcjm.exe 36
PID 2588 wrote to memory of 3060 2588 Kojkqcjm.exe 36
PID 3060 wrote to memory of 2280 3060 Kiponlic.exe 37
PID 3060 wrote to memory of 2280 3060 Kiponlic.exe 37
PID 3060 wrote to memory of 2280 3060 Kiponlic.exe 37
PID 3060 wrote to memory of 2280 3060 Kiponlic.exe 37
PID 2280 wrote to memory of 2364 2280 Kjaled32.exe 38
PID 2280 wrote to memory of 2364 2280 Kjaled32.exe 38
PID 2280 wrote to memory of 2364 2280 Kjaled32.exe 38
PID 2280 wrote to memory of 2364 2280 Kjaled32.exe 38
PID 2364 wrote to memory of 2944 2364 Kbhdfa32.exe 39
PID 2364 wrote to memory of 2944 2364 Kbhdfa32.exe 39
PID 2364 wrote to memory of 2944 2364 Kbhdfa32.exe 39
PID 2364 wrote to memory of 2944 2364 Kbhdfa32.exe 39
PID 2944 wrote to memory of 2580 2944 Kefpbm32.exe 40
PID 2944 wrote to memory of 2580 2944 Kefpbm32.exe 40
PID 2944 wrote to memory of 2580 2944 Kefpbm32.exe 40
PID 2944 wrote to memory of 2580 2944 Kefpbm32.exe 40
PID 2580 wrote to memory of 684 2580 Kkchkd32.exe 41
PID 2580 wrote to memory of 684 2580 Kkchkd32.exe 41
PID 2580 wrote to memory of 684 2580 Kkchkd32.exe 41
PID 2580 wrote to memory of 684 2580 Kkchkd32.exe 41
PID 684 wrote to memory of 3044 684 Kamahn32.exe 42
PID 684 wrote to memory of 3044 684 Kamahn32.exe 42
PID 684 wrote to memory of 3044 684 Kamahn32.exe 42
PID 684 wrote to memory of 3044 684 Kamahn32.exe 42
PID 3044 wrote to memory of 900 3044 Khgidhlh.exe 43
PID 3044 wrote to memory of 900 3044 Khgidhlh.exe 43
PID 3044 wrote to memory of 900 3044 Khgidhlh.exe 43
PID 3044 wrote to memory of 900 3044 Khgidhlh.exe 43
PID 900 wrote to memory of 108 900 Lkeeqckl.exe 44
PID 900 wrote to memory of 108 900 Lkeeqckl.exe 44
PID 900 wrote to memory of 108 900 Lkeeqckl.exe 44
PID 900 wrote to memory of 108 900 Lkeeqckl.exe 44
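The two IoC lists above are the whole persistence story of this sample. It registers a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" that points at CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and successive copies keep re-pointing that CLSID's InProcServer32 default value at a freshly dropped DLL under SysWOW64 (Adoafo32.dll, Dbmaah32.dll, Ogqfcljn.dll, Lmfikn32.dll, Ingike32.dll). Explorer.exe instantiates every SSODL CLSID at logon, so the DLL runs inside Explorer without a Run key. The WriteProcessMemory list is the same chain seen from the process side: each copy writes into the next copy it spawns, and the sandbox logs each pair four times. The Python below is an added example, not part of this report or of the sample's code. It parses the lines in the format this report renders them (an assumption drawn from the text above), deduplicates the repeated WPM events, and joins SSODL name to CLSID to DLL so the autorun chain and the process chain can each be read in one place. The sample input is constructed by copying lines from the lists above.

```python
# Added example (not from the report): join the sandbox's registry and
# WriteProcessMemory IoC lines into the persistence chain and process chain.
import re
from collections import defaultdict

# Constructed sample: registry IoC lines copied from the report above. A raw
# string keeps the doubled backslashes the sandbox prints inside quoted values.
REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckaodmhb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiponlic.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kefpbm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adoafo32.dll" Afdmphme.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmaah32.dll" Dbpplglj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqfcljn.dll" Kefpbm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmfikn32.dll" Opepik32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingike32.dll" Jmdenl32.exe
"""

# Constructed sample: the first WriteProcessMemory IoCs from the report. The
# sandbox logs each parent->child pair several times; the parser deduplicates.
WPM_IOCS = """
PID 2972 wrote to memory of 1716 2972 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe 29
PID 2972 wrote to memory of 1716 2972 314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe 29
PID 1716 wrote to memory of 1752 1716 Jmdenl32.exe 30
PID 1752 wrote to memory of 2028 1752 Kpbajggh.exe 31
PID 2028 wrote to memory of 2840 2028 Kepjbneo.exe 32
"""

SET_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$')
CLSID_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\\?(?P<value>[^\\]*)$')
WPM_RE = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) \d+')


def _new_server():
    return {'dlls': set(), 'key_creators': set(), 'writers': set()}


def parse_registry(text):
    """Return (ssodl, servers): SSODL name -> {clsid, proc}, and CLSID -> InProcServer32 facts."""
    ssodl, servers = {}, defaultdict(_new_server)
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            value = m['value'].replace('\\\\', '\\')  # undo the sandbox's escaping
            s = SSODL_RE.search(m['path'])
            if s:  # explorer.exe instantiates this CLSID at every logon
                ssodl[s['name']] = {'clsid': value.upper(), 'proc': m['proc']}
                continue
            c = CLSID_RE.search(m['path'])
            if c:
                srv = servers[c['clsid'].upper()]
                srv['writers'].add(m['proc'])
                if c['value'] == '':  # the key's default value names the DLL COM loads
                    srv['dlls'].add(value)
            continue
        m = KEY_RE.match(line)
        if m:
            c = CLSID_RE.search(m['path'])
            if c and c['value'] == '':
                servers[c['clsid'].upper()]['key_creators'].add(m['proc'])
    return ssodl, servers


def persistence_chains(text):
    """One record per SSODL entry: name -> CLSID -> every DLL that CLSID was pointed at."""
    ssodl, servers = parse_registry(text)
    chains = []
    for name, reg in ssodl.items():
        srv = servers.get(reg['clsid'], _new_server())
        chains.append({
            'ssodl_name': name,
            'clsid': reg['clsid'],
            'registered_by': reg['proc'],
            'dlls': sorted(srv['dlls']),
            'dll_writers': sorted(srv['writers']),
            # the same CLSID re-pointed at several DLLs is this sample's tell
            'rotating_dll': len(srv['dlls']) > 1,
        })
    return chains


def process_chain(text):
    """Deduplicate WPM events and walk parent -> child from the root PID as (pid, image, child)."""
    # The report's chain is linear, so one child per parent is assumed (first seen is kept).
    edges, children = {}, set()
    for m in WPM_RE.finditer(text):
        src, dst = int(m['src']), int(m['dst'])
        edges.setdefault(src, (dst, m['image']))
        children.add(dst)
    roots = [pid for pid in edges if pid not in children]
    chain, pid = [], (roots[0] if roots else None)
    while pid in edges:
        dst, image = edges[pid]
        chain.append((pid, image, dst))
        pid = dst
    return chain
```

`persistence_chains(REGISTRY_IOCS)` yields one record: "Web Event Logger" -> {79FAA099-1BAE-816E-D711-115290CEE717} -> five different SysWow64 DLLs, which is exactly the signal to hunt for on a live host (an SSODL CLSID whose server DLL is not a signed Microsoft binary, or whose InProcServer32 value has been rewritten repeatedly). `process_chain(WPM_IOCS)` collapses the repeated events into the ordered parent-to-child chain, and `WPM_RE.finditer` works just as well on the single run-on line the sandbox exports.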
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\314f8bdb51dbf27859d3480ecdcc05fc17fa580a138552d70ac141ccdd2762ae.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
[level 2] C:\Windows\SysWOW64\Jmdenl32.exe  (cmdline: C:\Windows\system32\Jmdenl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716 -
[level 3] C:\Windows\SysWOW64\Kpbajggh.exe  (cmdline: C:\Windows\system32\Kpbajggh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752 -
[level 4] C:\Windows\SysWOW64\Kepjbneo.exe  (cmdline: C:\Windows\system32\Kepjbneo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
[level 5] C:\Windows\SysWOW64\Kpenogee.exe  (cmdline: C:\Windows\system32\Kpenogee.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
[level 6] C:\Windows\SysWOW64\Kfofla32.exe  (cmdline: C:\Windows\system32\Kfofla32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
[level 7] C:\Windows\SysWOW64\Kpgkef32.exe  (cmdline: C:\Windows\system32\Kpgkef32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
[level 8] C:\Windows\SysWOW64\Kojkqcjm.exe  (cmdline: C:\Windows\system32\Kojkqcjm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
[level 9] C:\Windows\SysWOW64\Kiponlic.exe  (cmdline: C:\Windows\system32\Kiponlic.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
[level 10] C:\Windows\SysWOW64\Kjaled32.exe  (cmdline: C:\Windows\system32\Kjaled32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
[level 11] C:\Windows\SysWOW64\Kbhdfa32.exe  (cmdline: C:\Windows\system32\Kbhdfa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
[level 12] C:\Windows\SysWOW64\Kefpbm32.exe  (cmdline: C:\Windows\system32\Kefpbm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
[level 13] C:\Windows\SysWOW64\Kkchkd32.exe  (cmdline: C:\Windows\system32\Kkchkd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
[level 14] C:\Windows\SysWOW64\Kamahn32.exe  (cmdline: C:\Windows\system32\Kamahn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:684 -
[level 15] C:\Windows\SysWOW64\Khgidhlh.exe  (cmdline: C:\Windows\system32\Khgidhlh.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044 -
[level 16] C:\Windows\SysWOW64\Lkeeqckl.exe  (cmdline: C:\Windows\system32\Lkeeqckl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:900 -
[level 17] C:\Windows\SysWOW64\Lapnmn32.exe  (cmdline: C:\Windows\system32\Lapnmn32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
[level 18] C:\Windows\SysWOW64\Ldnjii32.exe  (cmdline: C:\Windows\system32\Ldnjii32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1768 -
[level 19] C:\Windows\SysWOW64\Lglfed32.exe  (cmdline: C:\Windows\system32\Lglfed32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3012 -
[level 20] C:\Windows\SysWOW64\Lmfnbohm.exe  (cmdline: C:\Windows\system32\Lmfnbohm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
[level 21] C:\Windows\SysWOW64\Ldpfoipj.exe  (cmdline: C:\Windows\system32\Ldpfoipj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
[level 22] C:\Windows\SysWOW64\Lkjolc32.exe  (cmdline: C:\Windows\system32\Lkjolc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
[level 23] C:\Windows\SysWOW64\Lmikhn32.exe  (cmdline: C:\Windows\system32\Lmikhn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3036 -
[level 24] C:\Windows\SysWOW64\Lgaoqdmk.exe  (cmdline: C:\Windows\system32\Lgaoqdmk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2360 -
[level 25] C:\Windows\SysWOW64\Lmkhmn32.exe  (cmdline: C:\Windows\system32\Lmkhmn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:628 -
[level 26] C:\Windows\SysWOW64\Llnhikkb.exe  (cmdline: C:\Windows\system32\Llnhikkb.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2912 -
[level 27] C:\Windows\SysWOW64\Libhbo32.exe  (cmdline: C:\Windows\system32\Libhbo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
[level 28] C:\Windows\SysWOW64\Lhehnlqf.exe  (cmdline: C:\Windows\system32\Lhehnlqf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1336 -
[level 29] C:\Windows\SysWOW64\Llpdnj32.exe  (cmdline: C:\Windows\system32\Llpdnj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2444 -
[level 30] C:\Windows\SysWOW64\Meiigppp.exe  (cmdline: C:\Windows\system32\Meiigppp.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2208 -
[level 31] C:\Windows\SysWOW64\Mhgeckoc.exe  (cmdline: C:\Windows\system32\Mhgeckoc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2848 -
[level 32] C:\Windows\SysWOW64\Moanpe32.exe  (cmdline: C:\Windows\system32\Moanpe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
[level 33] C:\Windows\SysWOW64\Mekfmp32.exe  (cmdline: C:\Windows\system32\Mekfmp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
[level 34] C:\Windows\SysWOW64\Mhibik32.exe  (cmdline: C:\Windows\system32\Mhibik32.exe)
- Executes dropped EXE
PID:1976 -
[level 35] C:\Windows\SysWOW64\Mnfjab32.exe  (cmdline: C:\Windows\system32\Mnfjab32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
[level 36] C:\Windows\SysWOW64\Membbo32.exe  (cmdline: C:\Windows\system32\Membbo32.exe)
- Executes dropped EXE
PID:1988 -
[level 37] C:\Windows\SysWOW64\Mdpbnlbe.exe  (cmdline: C:\Windows\system32\Mdpbnlbe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2024 -
[level 38] C:\Windows\SysWOW64\Mgoojgai.exe  (cmdline: C:\Windows\system32\Mgoojgai.exe)
- Executes dropped EXE
PID:2044 -
[level 39] C:\Windows\SysWOW64\Mpgccm32.exe  (cmdline: C:\Windows\system32\Mpgccm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2948 -
[level 40] C:\Windows\SysWOW64\Mgalpg32.exe  (cmdline: C:\Windows\system32\Mgalpg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2816 -
[level 41] C:\Windows\SysWOW64\Mklhpfho.exe  (cmdline: C:\Windows\system32\Mklhpfho.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
[level 42] C:\Windows\SysWOW64\Mafpmp32.exe  (cmdline: C:\Windows\system32\Mafpmp32.exe)
- Executes dropped EXE
- Modifies registry class
PID:916 -
[level 43] C:\Windows\SysWOW64\Mdelik32.exe  (cmdline: C:\Windows\system32\Mdelik32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1044 -
[level 44] C:\Windows\SysWOW64\Mgcheg32.exe  (cmdline: C:\Windows\system32\Mgcheg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2304 -
[level 45] C:\Windows\SysWOW64\Nqlmnldd.exe  (cmdline: C:\Windows\system32\Nqlmnldd.exe)
- Executes dropped EXE
PID:1504 -
[level 46] C:\Windows\SysWOW64\Ncjijhch.exe  (cmdline: C:\Windows\system32\Ncjijhch.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:308 -
[level 47] C:\Windows\SysWOW64\Nfhefc32.exe  (cmdline: C:\Windows\system32\Nfhefc32.exe)
- Executes dropped EXE
PID:1364 -
[level 48] C:\Windows\SysWOW64\Nlbncmih.exe  (cmdline: C:\Windows\system32\Nlbncmih.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:776 -
[level 49] C:\Windows\SysWOW64\Nqnicl32.exe  (cmdline: C:\Windows\system32\Nqnicl32.exe)
- Executes dropped EXE
PID:328 -
[level 50] C:\Windows\SysWOW64\Nghbpfin.exe  (cmdline: C:\Windows\system32\Nghbpfin.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028 -
[level 51] C:\Windows\SysWOW64\Nfkblc32.exe  (cmdline: C:\Windows\system32\Nfkblc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
[level 52] C:\Windows\SysWOW64\Nhinhn32.exe  (cmdline: C:\Windows\system32\Nhinhn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1296 -
[level 53] C:\Windows\SysWOW64\Nlejhmge.exe  (cmdline: C:\Windows\system32\Nlejhmge.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2220 -
[level 54] C:\Windows\SysWOW64\Nocfdhfi.exe  (cmdline: C:\Windows\system32\Nocfdhfi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844 -
[level 55] C:\Windows\SysWOW64\Nbacqdem.exe  (cmdline: C:\Windows\system32\Nbacqdem.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
[level 56] C:\Windows\SysWOW64\Njikba32.exe  (cmdline: C:\Windows\system32\Njikba32.exe)
- Executes dropped EXE
PID:2952 -
[level 57] C:\Windows\SysWOW64\Nmggnm32.exe  (cmdline: C:\Windows\system32\Nmggnm32.exe)
- Executes dropped EXE
PID:2644 -
[level 58] C:\Windows\SysWOW64\Ncaokgmp.exe  (cmdline: C:\Windows\system32\Ncaokgmp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
[level 59] C:\Windows\SysWOW64\Nfpkgblc.exe  (cmdline: C:\Windows\system32\Nfpkgblc.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:840 -
[level 60] C:\Windows\SysWOW64\Nmiccl32.exe  (cmdline: C:\Windows\system32\Nmiccl32.exe)
- Executes dropped EXE
- Modifies registry class
PID:1696 -
[level 61] C:\Windows\SysWOW64\Nkldoijk.exe  (cmdline: C:\Windows\system32\Nkldoijk.exe)
- Executes dropped EXE
PID:2100 -
[level 62] C:\Windows\SysWOW64\Nnkpkdio.exe  (cmdline: C:\Windows\system32\Nnkpkdio.exe)
- Executes dropped EXE
PID:2964 -
[level 63] C:\Windows\SysWOW64\Oddhho32.exe  (cmdline: C:\Windows\system32\Oddhho32.exe)
- Executes dropped EXE
PID:1992 -
[level 64] C:\Windows\SysWOW64\Okoqdi32.exe  (cmdline: C:\Windows\system32\Okoqdi32.exe)
- Executes dropped EXE
PID:2576 -
[level 65] C:\Windows\SysWOW64\Onmmad32.exe  (cmdline: C:\Windows\system32\Onmmad32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1880 -
[level 66] C:\Windows\SysWOW64\Obiiacpe.exe  (cmdline: C:\Windows\system32\Obiiacpe.exe)
PID:576 -
[level 67] C:\Windows\SysWOW64\Odgennoi.exe  (cmdline: C:\Windows\system32\Odgennoi.exe)
- Modifies registry class
PID:1532 -
[level 68] C:\Windows\SysWOW64\Ogeajjnl.exe  (cmdline: C:\Windows\system32\Ogeajjnl.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1088 -
[level 69] C:\Windows\SysWOW64\Ojdnfemp.exe  (cmdline: C:\Windows\system32\Ojdnfemp.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2516 -
[level 70] C:\Windows\SysWOW64\Onojfd32.exe  (cmdline: C:\Windows\system32\Onojfd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
[level 71] C:\Windows\SysWOW64\Oeibcnmf.exe  (cmdline: C:\Windows\system32\Oeibcnmf.exe)
- Drops file in System32 directory
PID:2384 -
[level 72] C:\Windows\SysWOW64\Oclbok32.exe  (cmdline: C:\Windows\system32\Oclbok32.exe)
- Drops file in System32 directory
PID:2828 -
[level 73] C:\Windows\SysWOW64\Okcjphdc.exe  (cmdline: C:\Windows\system32\Okcjphdc.exe)
PID:2856 -
[level 74] C:\Windows\SysWOW64\Onaflccf.exe  (cmdline: C:\Windows\system32\Onaflccf.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2224 -
[level 75] C:\Windows\SysWOW64\Oqpbhobj.exe  (cmdline: C:\Windows\system32\Oqpbhobj.exe)
- Drops file in System32 directory
PID:2704 -
[level 76] C:\Windows\SysWOW64\Ocoodjan.exe  (cmdline: C:\Windows\system32\Ocoodjan.exe)
PID:1760 -
[level 77] C:\Windows\SysWOW64\Ondcacad.exe  (cmdline: C:\Windows\system32\Ondcacad.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2248 -
[level 78] C:\Windows\SysWOW64\Oabonopg.exe  (cmdline: C:\Windows\system32\Oabonopg.exe)
- Modifies registry class
PID:2448 -
[level 79] C:\Windows\SysWOW64\Opepik32.exe  (cmdline: C:\Windows\system32\Opepik32.exe)
- Modifies registry class
PID:2632 -
[level 80] C:\Windows\SysWOW64\Ojkcfdgh.exe  (cmdline: C:\Windows\system32\Ojkcfdgh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
[level 81] C:\Windows\SysWOW64\Oindba32.exe  (cmdline: C:\Windows\system32\Oindba32.exe)
PID:1740 -
[level 82] C:\Windows\SysWOW64\Pphlokep.exe  (cmdline: C:\Windows\system32\Pphlokep.exe)
PID:908 -
[level 83] C:\Windows\SysWOW64\Pbfhkfdc.exe  (cmdline: C:\Windows\system32\Pbfhkfdc.exe)
PID:2372 -
[level 84] C:\Windows\SysWOW64\Pjmqldee.exe  (cmdline: C:\Windows\system32\Pjmqldee.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
[level 85] C:\Windows\SysWOW64\Plnmcl32.exe  (cmdline: C:\Windows\system32\Plnmcl32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:596 -
[level 86] C:\Windows\SysWOW64\Pceeei32.exe  (cmdline: C:\Windows\system32\Pceeei32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1708 -
[level 87] C:\Windows\SysWOW64\Pbhepfbq.exe  (cmdline: C:\Windows\system32\Pbhepfbq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2528 -
[level 88] C:\Windows\SysWOW64\Pibmmp32.exe  (cmdline: C:\Windows\system32\Pibmmp32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2284 -
[level 89] C:\Windows\SysWOW64\Pmnino32.exe  (cmdline: C:\Windows\system32\Pmnino32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2388 -
[level 90] C:\Windows\SysWOW64\Pplejj32.exe  (cmdline: C:\Windows\system32\Pplejj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
[level 91] C:\Windows\SysWOW64\Pbkbff32.exe  (cmdline: C:\Windows\system32\Pbkbff32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
[level 92] C:\Windows\SysWOW64\Peinba32.exe  (cmdline: C:\Windows\system32\Peinba32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668 -
[level 93] C:\Windows\SysWOW64\Phgjnm32.exe  (cmdline: C:\Windows\system32\Phgjnm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1944 -
[level 94] C:\Windows\SysWOW64\Ppoboj32.exe  (cmdline: C:\Windows\system32\Ppoboj32.exe)
- System Location Discovery: System Language Discovery
PID:2440 -
[level 95] C:\Windows\SysWOW64\Pnabkgfb.exe  (cmdline: C:\Windows\system32\Pnabkgfb.exe)
- System Location Discovery: System Language Discovery
PID:2968 -
[level 96] C:\Windows\SysWOW64\Papogbef.exe  (cmdline: C:\Windows\system32\Papogbef.exe)
PID:3004 -
[level 97] C:\Windows\SysWOW64\Pekkga32.exe  (cmdline: C:\Windows\system32\Pekkga32.exe)
- System Location Discovery: System Language Discovery
PID:1732 -
[level 98] C:\Windows\SysWOW64\Phjgdm32.exe  (cmdline: C:\Windows\system32\Phjgdm32.exe)
PID:2244 -
[level 99] C:\Windows\SysWOW64\Pjhcphkf.exe  (cmdline: C:\Windows\system32\Pjhcphkf.exe)
PID:2980 -
[level 100] C:\Windows\SysWOW64\Pndoqf32.exe  (cmdline: C:\Windows\system32\Pndoqf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2108 -
[level 101] C:\Windows\SysWOW64\Pabkmb32.exe  (cmdline: C:\Windows\system32\Pabkmb32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2328 -
[level 102] C:\Windows\SysWOW64\Qhldiljp.exe  (cmdline: C:\Windows\system32\Qhldiljp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2732 -
[level 103] C:\Windows\SysWOW64\Qjkpegic.exe  (cmdline: C:\Windows\system32\Qjkpegic.exe)
- Modifies registry class
PID:2764 -
[level 104] C:\Windows\SysWOW64\Qmilachg.exe  (cmdline: C:\Windows\system32\Qmilachg.exe)
- Drops file in System32 directory
PID:2592 -
[level 105] C:\Windows\SysWOW64\Qadhba32.exe  (cmdline: C:\Windows\system32\Qadhba32.exe)
PID:2240 -
[level 106] C:\Windows\SysWOW64\Qdcdnm32.exe  (cmdline: C:\Windows\system32\Qdcdnm32.exe)
- Modifies registry class
PID:2956 -
[level 107] C:\Windows\SysWOW64\Qhoqolhm.exe  (cmdline: C:\Windows\system32\Qhoqolhm.exe)
- System Location Discovery: System Language Discovery
PID:1220 -
[level 108] C:\Windows\SysWOW64\Qohilfpj.exe  (cmdline: C:\Windows\system32\Qohilfpj.exe)
PID:2332 -
[level 109] C:\Windows\SysWOW64\Qmkigb32.exe  (cmdline: C:\Windows\system32\Qmkigb32.exe)
PID:2252 -
[level 110] C:\Windows\SysWOW64\Qpjecn32.exe  (cmdline: C:\Windows\system32\Qpjecn32.exe)
- Drops file in System32 directory
PID:1884 -
[level 111] C:\Windows\SysWOW64\Adeadmna.exe  (cmdline: C:\Windows\system32\Adeadmna.exe)
- System Location Discovery: System Language Discovery
PID:3024 -
[level 112] C:\Windows\SysWOW64\Afdmphme.exe  (cmdline: C:\Windows\system32\Afdmphme.exe)
- Drops file in System32 directory
- Modifies registry class
PID:996 -
[level 113] C:\Windows\SysWOW64\Aibjlcli.exe  (cmdline: C:\Windows\system32\Aibjlcli.exe)
- System Location Discovery: System Language Discovery
PID:1632 -
[level 114] C:\Windows\SysWOW64\Aaiamamk.exe  (cmdline: C:\Windows\system32\Aaiamamk.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2700 -
[level 115] C:\Windows\SysWOW64\Adhnillo.exe  (cmdline: C:\Windows\system32\Adhnillo.exe)
- Drops file in System32 directory
PID:2892 -
[level 116] C:\Windows\SysWOW64\Abjnei32.exe  (cmdline: C:\Windows\system32\Abjnei32.exe)
- Drops file in System32 directory
PID:2884 -
[level 117] C:\Windows\SysWOW64\Akafff32.exe  (cmdline: C:\Windows\system32\Akafff32.exe)
- Modifies registry class
PID:2264 -
[level 118] C:\Windows\SysWOW64\Ampbbbbo.exe  (cmdline: C:\Windows\system32\Ampbbbbo.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784 -
[level 119] C:\Windows\SysWOW64\Adjkol32.exe  (cmdline: C:\Windows\system32\Adjkol32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1704 -
[level 120] C:\Windows\SysWOW64\Afhgkg32.exe  (cmdline: C:\Windows\system32\Afhgkg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1444 -
[level 121] C:\Windows\SysWOW64\Aigcgc32.exe  (cmdline: C:\Windows\system32\Aigcgc32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3016 -
[level 122] C:\Windows\SysWOW64\Aleoco32.exe  (cmdline: C:\Windows\system32\Aleoco32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:3052