Analysis
max time kernel: 45s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 18:51
Static task: static1
Behavioral task: behavioral1
Sample: a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe
Resource: win10v2004-20241007-en
General
Target: a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe
Size: 91KB
MD5: f219b9e1a43772f070c211c73f54cd30
SHA1: 5e6f18741d730c7b0c3b49dfafa7f0fab929b528
SHA256: a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6
SHA512: 9caece243347a0fa2e7c811d9d66cade42d2d3fed239afde922a1c8518834e5099fb6175a1ecbb4daa1f6cf19e95804559b8a49bd6366791dbb075fdc784b2c0
SSDEEP: 1536:D/me2Pm/qjKshgX0yf/k0RuCPvnOgGlYqMbxAkd73SeVXwYYr/viVMi:D/me2Pm/qWshgESM0dPvO7MbDdtjo/vu
Malware Config
Extracted family: berbew
C2 URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Key (as recorded for "Key created" events): \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value (as recorded for "Set value (str)" events): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Events in report order (description | Process; "(none)" where the sandbox recorded no attributing process):
Set value (str) | Lhiakf32.exe
Set value (str) | Cfkloq32.exe
Key created | Cnfqccna.exe
Key created | (none)
Key created | (none)
Key created | Mihdgkpp.exe
Set value (str) | Gbhbdi32.exe
Key created | Gepafc32.exe
Key created | Jbhcim32.exe
Set value (str) | Gmeeepjp.exe
Set value (str) | (none)
Key created | (none)
Key created | Ljghjpfe.exe
Key created | Ifffkncm.exe
Set value (str) | Qaqnkafa.exe
Set value (str) | Iflmjihl.exe
Key created | (none)
Set value (str) | (none)
Key created | (none)
Key created | (none)
Set value (str) | Hllmcc32.exe
Set value (str) | Opfbngfb.exe
Key created | Gbhbdi32.exe
Set value (str) | Hihlqeib.exe
Set value (str) | Jolghndm.exe
Key created | Loqmba32.exe
Set value (str) | Bmpkqklh.exe
Key created | (none)
Key created | Fcmben32.exe
Set value (str) | (none)
Set value (str) | (none)
Key created | Nbbbdcgi.exe
Key created | Hpphhp32.exe
Set value (str) | Khkbbc32.exe
Set value (str) | Paiaplin.exe
Set value (str) | Cagienkb.exe
Key created | Hqnapb32.exe
Set value (str) | (none)
Key created | Bmibgd32.exe
Set value (str) | (none)
Set value (str) | Egahen32.exe
Set value (str) | Lqqpgj32.exe
Set value (str) | Hcdnhoac.exe
Set value (str) | Iefcfe32.exe
Key created | Hbnmienj.exe
Key created | (none)
Set value (str) | Bgnfdm32.exe
Set value (str) | Eaheeecg.exe
Key created | Bepjha32.exe
Set value (str) | Degiggjm.exe
Key created | Bbjmpcab.exe
Key created | Kglehp32.exe
Key created | Hjgehgnh.exe
Key created | Ikfbbjdj.exe
Set value (str) | (none)
Key created | Pjfpafmb.exe
Key created | Kfnmpn32.exe
Set value (str) | Eggndi32.exe
Key created | Nhlgmd32.exe
Key created | Pljlbf32.exe
Set value (str) | Pljlbf32.exe
Key created | Afdiondb.exe
Key created | Boljgg32.exe
Key created | Gpabcbdb.exe
-
Berbew family
-
Executes dropped EXE (64 IoCs)
pid | Process
2556 | Mfjoeeeh.exe
2108 | Mnaggcej.exe
1852 | Mpbdnk32.exe
2860 | Mpbdnk32.exe
2904 | Mmfdhojb.exe
2972 | Mpdqdkie.exe
2496 | Mbcmpfhi.exe
1876 | Mlkail32.exe
648 | Mfaefd32.exe
2796 | Npijoj32.exe
2688 | Noljjglk.exe
1840 | Nianhplq.exe
1596 | Nplfdj32.exe
1800 | Nidkmojn.exe
808 | Nlbgikia.exe
1088 | Naopaa32.exe
528 | Neklbppb.exe
1124 | Nledoj32.exe
2580 | Nkhdkgnj.exe
1372 | Nmfqgbmm.exe
1684 | Nemhhpmp.exe
2572 | Nkjapglg.exe
2276 | Noemqe32.exe
1884 | Nadimacd.exe
3048 | Ohnaik32.exe
2400 | Oklnff32.exe
1736 | Ocgbji32.exe
2752 | Ommfga32.exe
1864 | Ocjophem.exe
2908 | Ogekpg32.exe
1288 | Onocmadb.exe
2056 | Oghhfg32.exe
1788 | Oifdbb32.exe
2816 | Oaaifdhb.exe
2300 | Oihqgbhd.exe
2968 | Padeldeo.exe
624 | Peoalc32.exe
2000 | Pkljdj32.exe
1704 | Pnjfae32.exe
1632 | Pafbadcm.exe
876 | Pgckjk32.exe
352 | Pqkobqhd.exe
984 | Phbgcnig.exe
1868 | Pakllc32.exe
2224 | Pqnlhpfb.exe
1948 | Pclhdl32.exe
2436 | Pggdejno.exe
2192 | Pjfpafmb.exe
2384 | Pmdmmalf.exe
2284 | Pdldnomh.exe
2880 | Qgjqjjll.exe
2764 | Qjhmfekp.exe
2620 | Qmgibqjc.exe
2720 | Qqbecp32.exe
1940 | Qcqaok32.exe
560 | Qglmpi32.exe
2920 | Qfonkfqd.exe
1500 | Qmifhq32.exe
1828 | Qqdbiopj.exe
1932 | Accnekon.exe
2172 | Afajafoa.exe
2488 | Ajmfad32.exe
692 | Amkbnp32.exe
2464 | Aojojl32.exe
-
Loads dropped DLL (64 IoCs)
pid | Process (each process appears twice in the report, i.e. two DLL loads per process)
2508 | a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe
2556 | Mfjoeeeh.exe
2108 | Mnaggcej.exe
1852 | Mpbdnk32.exe
2860 | Mpbdnk32.exe
2904 | Mmfdhojb.exe
2972 | Mpdqdkie.exe
2496 | Mbcmpfhi.exe
1876 | Mlkail32.exe
648 | Mfaefd32.exe
2796 | Npijoj32.exe
2688 | Noljjglk.exe
1840 | Nianhplq.exe
1596 | Nplfdj32.exe
1800 | Nidkmojn.exe
808 | Nlbgikia.exe
1088 | Naopaa32.exe
528 | Neklbppb.exe
1124 | Nledoj32.exe
2580 | Nkhdkgnj.exe
1372 | Nmfqgbmm.exe
1684 | Nemhhpmp.exe
2572 | Nkjapglg.exe
2276 | Noemqe32.exe
1884 | Nadimacd.exe
3048 | Ohnaik32.exe
2400 | Oklnff32.exe
1736 | Ocgbji32.exe
2752 | Ommfga32.exe
1864 | Ocjophem.exe
2908 | Ogekpg32.exe
1288 | Onocmadb.exe
-
Drops file in System32 directory (64 IoCs)
Events in report order (description ioc | Process; "(none)" where the sandbox recorded no attributing process):
File created C:\Windows\SysWOW64\Idfaqoma.dll | Iigpli32.exe
File opened for modification C:\Windows\SysWOW64\Aflfjc32.exe | Abpjjeim.exe
File created C:\Windows\SysWOW64\Bgcbhd32.exe | Boljgg32.exe
File opened for modification C:\Windows\SysWOW64\Fgnadkic.exe | Fogibnha.exe
File created C:\Windows\SysWOW64\Gjpqpl32.exe | Fkmqdpce.exe
File created C:\Windows\SysWOW64\Ljajkolc.dll | Halbai32.exe
File created C:\Windows\SysWOW64\Liobdl32.dll | Lgoboc32.exe
File opened for modification C:\Windows\SysWOW64\Phcilf32.exe | Pplaki32.exe
File opened for modification C:\Windows\SysWOW64\Imodkadq.exe | Ijphofem.exe
File created C:\Windows\SysWOW64\Nhjjgd32.exe | Neknki32.exe
File opened for modification C:\Windows\SysWOW64\Bgcbhd32.exe | Boljgg32.exe
File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe | Cileqlmg.exe
File created C:\Windows\SysWOW64\Ciokijfd.exe | (none)
File created C:\Windows\SysWOW64\Eimllb32.dll | Dmijfmfi.exe
File created C:\Windows\SysWOW64\Mneohj32.exe | (none)
File created C:\Windows\SysWOW64\Inppon32.dll | (none)
File created C:\Windows\SysWOW64\Oeopijom.dll | Cgaaah32.exe
File created C:\Windows\SysWOW64\Aoaqogml.dll | Dbdehdfc.exe
File opened for modification C:\Windows\SysWOW64\Japciodd.exe | (none)
File created C:\Windows\SysWOW64\Eoepnk32.exe | Epbpbnan.exe
File created C:\Windows\SysWOW64\Nfahomfd.exe | Nbflno32.exe
File opened for modification C:\Windows\SysWOW64\Pkaehb32.exe | Phcilf32.exe
File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe | Djdgic32.exe
File opened for modification C:\Windows\SysWOW64\Cgnnab32.exe | (none)
File opened for modification C:\Windows\SysWOW64\Hjfnnajl.exe | (none)
File created C:\Windows\SysWOW64\Eohcninh.dll | Ajhiei32.exe
File created C:\Windows\SysWOW64\Dfcaiilc.dll | Jjdofm32.exe
File opened for modification C:\Windows\SysWOW64\Aoojnc32.exe | Alqnah32.exe
File created C:\Windows\SysWOW64\Incleo32.dll | Acfmcc32.exe
File created C:\Windows\SysWOW64\Ifpcchai.exe | Icafgmbe.exe
File opened for modification C:\Windows\SysWOW64\Iegeonpc.exe | (none)
File created C:\Windows\SysWOW64\Anbkipok.exe | Aoojnc32.exe
File opened for modification C:\Windows\SysWOW64\Ejaphpnp.exe | (none)
File created C:\Windows\SysWOW64\Anafme32.dll | (none)
File created C:\Windows\SysWOW64\Hlekjpbi.dll | (none)
File opened for modification C:\Windows\SysWOW64\Agjmim32.exe | Aapemc32.exe
File created C:\Windows\SysWOW64\Gifclb32.exe | Gfhgpg32.exe
File opened for modification C:\Windows\SysWOW64\Lhpglecl.exe | Lqipkhbj.exe
File created C:\Windows\SysWOW64\Jqgaapqd.dll | (none)
File opened for modification C:\Windows\SysWOW64\Fpoolael.exe | Fnacpffh.exe
File created C:\Windows\SysWOW64\Ikgeel32.dll | Mjhjdm32.exe
File created C:\Windows\SysWOW64\Gejgei32.dll | Dilapopb.exe
File created C:\Windows\SysWOW64\Pdbdqh32.exe | Pepcelel.exe
File opened for modification C:\Windows\SysWOW64\Bceibfgj.exe | Bdcifi32.exe
File created C:\Windows\SysWOW64\Pijjilik.dll | Bjbndpmd.exe
File opened for modification C:\Windows\SysWOW64\Ohbikbkb.exe | (none)
File created C:\Windows\SysWOW64\Jlhhndno.exe | Jdaqmg32.exe
File created C:\Windows\SysWOW64\Dhfjmfen.dll | Mbnljqic.exe
File created C:\Windows\SysWOW64\Nfllknkp.dll | Oijjka32.exe
File opened for modification C:\Windows\SysWOW64\Kkeecogo.exe | Khghgchk.exe
File opened for modification C:\Windows\SysWOW64\Pphkbj32.exe | Pnjofo32.exe
File created C:\Windows\SysWOW64\Bchqdi32.dll | Bnldjekl.exe
File created C:\Windows\SysWOW64\Hcdnhoac.exe | Hqfaldbo.exe
File created C:\Windows\SysWOW64\Hbiooq32.dll | (none)
File created C:\Windows\SysWOW64\Mhmdim32.dll | Pgbdodnh.exe
File opened for modification C:\Windows\SysWOW64\Ldbofgme.exe | Lbcbjlmb.exe
File created C:\Windows\SysWOW64\Ijphofem.exe | Ifdlng32.exe
File created C:\Windows\SysWOW64\Qjdaldla.dll | Mqklqhpg.exe
File created C:\Windows\SysWOW64\Elcpbigl.exe | Edlhqlfi.exe
File created C:\Windows\SysWOW64\Aijpfppe.dll | (none)
File created C:\Windows\SysWOW64\Hbggif32.exe | Hohkmj32.exe
File created C:\Windows\SysWOW64\Diodocki.dll | (none)
File created C:\Windows\SysWOW64\Ocmbnbgf.dll | Qngopb32.exe
File created C:\Windows\SysWOW64\Mfmhch32.dll | Aqjdgmgd.exe
-
Program crash (1 IoC)
pid: 3368; pid_target: 3108; Process: (not recorded); procid_target: 1479
-
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
ioc (identical for all 64 events): Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes in report order; "[n unattributed]" marks n consecutive events for which the sandbox recorded no process name (28 of the 64):
[9 unattributed], Peoalc32.exe, Cfhiplmp.exe, Jlckbh32.exe, Dobgihgp.exe, [1 unattributed], Ehjqgjmp.exe, Gjgiidkl.exe, [1 unattributed], Ddnfop32.exe, Fjhcegll.exe, Khkbbc32.exe, Cfkloq32.exe, [1 unattributed], Jnnnalph.exe, Mfmndn32.exe, Bqlfaj32.exe, [2 unattributed], Cpkmcldj.exe, Gkbcbn32.exe, Jmhnkfpa.exe, Nbhhdnlh.exe, Aciqcifh.exe, [2 unattributed], Idadnd32.exe, Cpdgbm32.exe, Ifdlng32.exe, [2 unattributed], Oeckfndj.exe, Ohagbj32.exe, Ohhmcinf.exe, Hmkeke32.exe, [3 unattributed], Klhemhpk.exe, Macilmnk.exe, Hpphhp32.exe, [1 unattributed], Afgmodel.exe, Hneeilgj.exe, [2 unattributed], Nadimacd.exe, Abkhkgbb.exe, Hlafnbal.exe, Okgjodmi.exe, [2 unattributed], Ifpcchai.exe, [2 unattributed], Jdhgnf32.exe
-
Modifies registry class (64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Events in report order (description | Process; "(default)" is the key's unnamed default value, which the report renders as InProcServer32\ = ...; "(none)" where the sandbox recorded no attributing process):
Set value (str) (default) = "C:\\Windows\\SysWow64\\Qdnpmb32.dll" | Iipiljgf.exe
Key created | Qhmcmk32.exe
Set value (str) ThreadingModel = "Apartment" | Abegfa32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Bajpcflf.dll" | Aflfjc32.exe
Key created | Bejfao32.exe
Set value (str) ThreadingModel = "Apartment" | Hloiib32.exe
Set value (str) ThreadingModel = "Apartment" | Jniefm32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Enoamb32.dll" | Becpap32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Figfejbj.dll" | Kekiphge.exe
Key created | Aoojnc32.exe
Set value (str) ThreadingModel = "Apartment" | Ldoimh32.exe
Set value (str) ThreadingModel = "Apartment" | Afgmodel.exe
Set value (str) ThreadingModel = "Apartment" | Cmfkfa32.exe
Key created | Nnafnopi.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Nncgkioi.dll" | (none)
Set value (str) ThreadingModel = "Apartment" | Bfhmqhkd.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Ndjhkqcb.dll" | Jgaiobjn.exe
Key created | Ahebaiac.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" | Cnimiblo.exe
Set value (str) ThreadingModel = "Apartment" | (none)
Key created | Akkoig32.exe
Key created | Hjlioj32.exe
Set value (str) ThreadingModel = "Apartment" | (none)
Key created | (none)
Set value (str) (default) = "C:\\Windows\\SysWow64\\Oedkmfka.dll" | Agjmim32.exe
Set value (str) ThreadingModel = "Apartment" | Fgcejm32.exe
Set value (str) ThreadingModel = "Apartment" | Lnbdko32.exe
Key created | Ioohokoo.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Incjbkig.dll" | Allefimb.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" | Fgldnkkf.exe
Set value (str) ThreadingModel = "Apartment" | Injndk32.exe
Set value (str) ThreadingModel = "Apartment" | Ehjqgjmp.exe
Set value (str) ThreadingModel = "Apartment" | (none)
Set value (str) (default) = "C:\\Windows\\SysWow64\\Ellqil32.dll" | (none)
Set value (str) ThreadingModel = "Apartment" | Lfpeeqig.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Hccadd32.dll" | (none)
Set value (str) (default) = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" | Ahbekjcf.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Iampng32.dll" | (none)
Set value (str) (default) = "C:\\Windows\\SysWow64\\Ghcmae32.dll" | (none)
Key created | Bgnfdm32.exe
Key created | Oonldcih.exe
Key created | Bgibnj32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Mbgogp32.dll" | Fhdjgoha.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Jidmcq32.dll" | Cileqlmg.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Gafqbm32.dll" | (none)
Set value (str) (default) = "C:\\Windows\\SysWow64\\Hcijqc32.dll" | Gkephn32.exe
Set value (str) ThreadingModel = "Apartment" | Hmdhad32.exe
Set value (str) ThreadingModel = "Apartment" | Godaakic.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Gcofmo32.dll" | Hbnmienj.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Bokblhqh.dll" | (none)
Set value (str) (default) = "C:\\Windows\\SysWow64\\Mfmhch32.dll" | Aqjdgmgd.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Ioloda32.dll" | Dhiomn32.exe
Set value (str) ThreadingModel = "Apartment" | Ccjoli32.exe
Set value (str) ThreadingModel = "Apartment" | Ghofam32.exe
Set value (str) ThreadingModel = "Apartment" | (none)
Set value (str) ThreadingModel = "Apartment" | (none)
Set value (str) ThreadingModel = "Apartment" | (none)
Set value (str) ThreadingModel = "Apartment" | Ciifbchf.exe
Set value (str) ThreadingModel = "Apartment" | Gkbcbn32.exe
Set value (str) ThreadingModel = "Apartment" | Phcilf32.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Okjejkao.dll" | (none)
Set value (str) (default) = "C:\\Windows\\SysWow64\\Oiggco32.dll" | (none)
Key created | Geeemeif.exe
Set value (str) (default) = "C:\\Windows\\SysWow64\\Fdapnj32.dll" | (none)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe Mfjoeeeh.exe Mnaggcej.exe Mpbdnk32.exe Mpbdnk32.exe Mmfdhojb.exe Mpdqdkie.exe Mbcmpfhi.exe Mlkail32.exe Mfaefd32.exe Npijoj32.exe Noljjglk.exe Nianhplq.exe Nplfdj32.exe Nidkmojn.exe Nlbgikia.exe
description pid Process procid_target
PID 2508 wrote to memory of 2556 2508 a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe 30
PID 2508 wrote to memory of 2556 2508 a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe 30
PID 2508 wrote to memory of 2556 2508 a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe 30
PID 2508 wrote to memory of 2556 2508 a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe 30
PID 2556 wrote to memory of 2108 2556 Mfjoeeeh.exe 31
PID 2556 wrote to memory of 2108 2556 Mfjoeeeh.exe 31
PID 2556 wrote to memory of 2108 2556 Mfjoeeeh.exe 31
PID 2556 wrote to memory of 2108 2556 Mfjoeeeh.exe 31
PID 2108 wrote to memory of 1852 2108 Mnaggcej.exe 32
PID 2108 wrote to memory of 1852 2108 Mnaggcej.exe 32
PID 2108 wrote to memory of 1852 2108 Mnaggcej.exe 32
PID 2108 wrote to memory of 1852 2108 Mnaggcej.exe 32
PID 1852 wrote to memory of 2860 1852 Mpbdnk32.exe 33
PID 1852 wrote to memory of 2860 1852 Mpbdnk32.exe 33
PID 1852 wrote to memory of 2860 1852 Mpbdnk32.exe 33
PID 1852 wrote to memory of 2860 1852 Mpbdnk32.exe 33
PID 2860 wrote to memory of 2904 2860 Mpbdnk32.exe 34
PID 2860 wrote to memory of 2904 2860 Mpbdnk32.exe 34
PID 2860 wrote to memory of 2904 2860 Mpbdnk32.exe 34
PID 2860 wrote to memory of 2904 2860 Mpbdnk32.exe 34
PID 2904 wrote to memory of 2972 2904 Mmfdhojb.exe 35
PID 2904 wrote to memory of 2972 2904 Mmfdhojb.exe 35
PID 2904 wrote to memory of 2972 2904 Mmfdhojb.exe 35
PID 2904 wrote to memory of 2972 2904 Mmfdhojb.exe 35
PID 2972 wrote to memory of 2496 2972 Mpdqdkie.exe 36
PID 2972 wrote to memory of 2496 2972 Mpdqdkie.exe 36
PID 2972 wrote to memory of 2496 2972 Mpdqdkie.exe 36
PID 2972 wrote to memory of 2496 2972 Mpdqdkie.exe 36
PID 2496 wrote to memory of 1876 2496 Mbcmpfhi.exe 37
PID 2496 wrote to memory of 1876 2496 Mbcmpfhi.exe 37
PID 2496 wrote to memory of 1876 2496 Mbcmpfhi.exe 37
PID 2496 wrote to memory of 1876 2496 Mbcmpfhi.exe 37
PID 1876 wrote to memory of 648 1876 Mlkail32.exe 38
PID 1876 wrote to memory of 648 1876 Mlkail32.exe 38
PID 1876 wrote to memory of 648 1876 Mlkail32.exe 38
PID 1876 wrote to memory of 648 1876 Mlkail32.exe 38
PID 648 wrote to memory of 2796 648 Mfaefd32.exe 39
PID 648 wrote to memory of 2796 648 Mfaefd32.exe 39
PID 648 wrote to memory of 2796 648 Mfaefd32.exe 39
PID 648 wrote to memory of 2796 648 Mfaefd32.exe 39
PID 2796 wrote to memory of 2688 2796 Npijoj32.exe 40
PID 2796 wrote to memory of 2688 2796 Npijoj32.exe 40
PID 2796 wrote to memory of 2688 2796 Npijoj32.exe 40
PID 2796 wrote to memory of 2688 2796 Npijoj32.exe 40
PID 2688 wrote to memory of 1840 2688 Noljjglk.exe 41
PID 2688 wrote to memory of 1840 2688 Noljjglk.exe 41
PID 2688 wrote to memory of 1840 2688 Noljjglk.exe 41
PID 2688 wrote to memory of 1840 2688 Noljjglk.exe 41
PID 1840 wrote to memory of 1596 1840 Nianhplq.exe 42
PID 1840 wrote to memory of 1596 1840 Nianhplq.exe 42
PID 1840 wrote to memory of 1596 1840 Nianhplq.exe 42
PID 1840 wrote to memory of 1596 1840 Nianhplq.exe 42
PID 1596 wrote to memory of 1800 1596 Nplfdj32.exe 43
PID 1596 wrote to memory of 1800 1596 Nplfdj32.exe 43
PID 1596 wrote to memory of 1800 1596 Nplfdj32.exe 43
PID 1596 wrote to memory of 1800 1596 Nplfdj32.exe 43
PID 1800 wrote to memory of 808 1800 Nidkmojn.exe 44
PID 1800 wrote to memory of 808 1800 Nidkmojn.exe 44
PID 1800 wrote to memory of 808 1800 Nidkmojn.exe 44
PID 1800 wrote to memory of 808 1800 Nidkmojn.exe 44
PID 808 wrote to memory of 1088 808 Nlbgikia.exe 45
PID 808 wrote to memory of 1088 808 Nlbgikia.exe 45
PID 808 wrote to memory of 1088 808 Nlbgikia.exe 45
PID 808 wrote to memory of 1088 808 Nlbgikia.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe"C:\Users\Admin\AppData\Local\Temp\a120139626b28d4df35d2ba5fea129e91ab28a2e45d668c2deb10b24039231e6N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe33⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe34⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe35⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe36⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe37⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe39⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe40⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe41⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe42⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe43⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe44⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe45⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe46⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe47⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe48⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe50⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe51⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe52⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe53⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe56⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe57⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe58⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe59⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe60⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe61⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe62⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe63⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe64⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe65⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe66⤵PID:1592
-
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe67⤵PID:1320
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe68⤵PID:1824
-
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe69⤵PID:2924
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe70⤵PID:2644
-
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe71⤵
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe72⤵PID:2936
-
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe73⤵PID:756
-
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe74⤵PID:1304
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe75⤵PID:2836
-
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe76⤵PID:2024
-
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe77⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe78⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe79⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe80⤵PID:1776
-
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe81⤵PID:772
-
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe82⤵PID:2316
-
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe83⤵PID:1748
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe84⤵PID:2100
-
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe85⤵PID:2616
-
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe89⤵PID:268
-
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe90⤵PID:1416
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe91⤵PID:1476
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe92⤵PID:2576
-
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe93⤵PID:672
-
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe94⤵PID:2136
-
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe95⤵PID:2744
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe96⤵PID:1832
-
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe97⤵PID:2612
-
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe98⤵PID:2676
-
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe99⤵PID:1628
-
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe100⤵PID:1080
-
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe101⤵PID:332
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe102⤵
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe103⤵PID:1672
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe104⤵PID:2148
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe105⤵PID:1660
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe106⤵PID:580
-
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe107⤵PID:896
-
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe108⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe109⤵PID:2812
-
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe110⤵PID:2944
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe111⤵PID:2792
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe112⤵PID:1744
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe113⤵PID:572
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe114⤵PID:1404
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe115⤵PID:1348
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe116⤵PID:1952
-
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe117⤵PID:1768
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe118⤵PID:2864
-
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe119⤵PID:2784
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe120⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe121⤵PID:2800
-
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe122⤵PID:1432