Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19/11/2024, 14:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe
-
Size
109KB
-
MD5
2c9ca56f33bdabf59077115381177fa0
-
SHA1
f5e1e07ce9386bf02e277a7334367be7343e5c36
-
SHA256
f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53
-
SHA512
4e72383c2fbab8fbd6185050a4e2a06c3763fdf1fd8d2c51ef67d5c286e5422f7645c8397f581df7cb8c73e8e1babf50571e27d3c600b90395366796f0e5d3ba
-
SSDEEP
3072:anubHmuad1O/+J9MLCqwzBu1DjHLMVDqqkSpR:Eo8dQ/+J90wtu1DjrFqhz
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhdnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmcebkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mobaef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knohpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifgklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbakc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naegmabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaoplho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbdipa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhfjcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajldkhjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmkne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohengmcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdjno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmoob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojndpqpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkbpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkbjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onipqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amglgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekehomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elieipej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onipqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elaeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqjqehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekefkig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johoic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpqjfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgocid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Admgglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkhaooec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohhea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbbakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcggef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdlfngcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfhgggim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmlkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Almihjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mejmmqpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adblnnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alofnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiokholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqkjmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhbbcail.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipefmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnbpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciepkajj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2784 Elaeeb32.exe 2816 Eejjnhgc.exe 2740 Ehhfjcff.exe 2572 Ejioln32.exe 3032 Ehmpeb32.exe 2216 Emjhmipi.exe 2500 Floeof32.exe 2008 Flabdecn.exe 2860 Fejfmk32.exe 2884 Figocipe.exe 1896 Fodgkp32.exe 1548 Fhmldfdm.exe 2400 Gkmefaan.exe 1768 Gagmbkik.exe 560 Gibbgmfe.exe 660 Gkbnap32.exe 1592 Gcmcebkc.exe 860 Gcppkbia.exe 1504 Hhmhcigh.exe 1900 Hofqpc32.exe 2972 Hoimecmb.exe 1184 Hdhbci32.exe 1760 Hgfooe32.exe 340 Hdjoii32.exe 2472 Igkhjdde.exe 1668 Ifpelq32.exe 2104 Imjmhkpj.exe 2720 Iokfjf32.exe 1864 Ifengpdh.exe 1872 Ifgklp32.exe 2876 Iifghk32.exe 1712 Jijacjnc.exe 2536 Jjlmkb32.exe 2240 Jkkjeeke.exe 2032 Jcfoihhp.exe 1740 Jmocbnop.exe 740 Kfggkc32.exe 744 Kbnhpdke.exe 1748 Kbpefc32.exe 2968 Kijmbnpo.exe 1492 Kbbakc32.exe 1260 Kpfbegei.exe 2116 Kecjmodq.exe 2960 Lehdhn32.exe 1716 Lhfpdi32.exe 2976 Lmcilp32.exe 812 Ldmaijdc.exe 684 Lijiaabk.exe 2288 Lpdankjg.exe 868 Lbbnjgik.exe 2836 Lmhbgpia.exe 2724 Lpfnckhe.exe 2772 Miocmq32.exe 3040 Mcggef32.exe 1420 Mlolnllf.exe 2948 Mcidkf32.exe 2136 Mhflcm32.exe 2088 Mejmmqpd.exe 2660 Mhhiiloh.exe 2244 Mobaef32.exe 2064 Meljbqna.exe 268 Mkibjgli.exe 948 Npfjbn32.exe 1888 Nhmbdl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2668 f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe 2668 f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe 2784 Elaeeb32.exe 2784 Elaeeb32.exe 2816 Eejjnhgc.exe 2816 Eejjnhgc.exe 2740 Ehhfjcff.exe 2740 Ehhfjcff.exe 2572 Ejioln32.exe 2572 Ejioln32.exe 3032 Ehmpeb32.exe 3032 Ehmpeb32.exe 2216 Emjhmipi.exe 2216 Emjhmipi.exe 2500 Floeof32.exe 2500 Floeof32.exe 2008 Flabdecn.exe 2008 Flabdecn.exe 2860 Fejfmk32.exe 2860 Fejfmk32.exe 2884 Figocipe.exe 2884 Figocipe.exe 1896 Fodgkp32.exe 1896 Fodgkp32.exe 1548 Fhmldfdm.exe 1548 Fhmldfdm.exe 2400 Gkmefaan.exe 2400 Gkmefaan.exe 1768 Gagmbkik.exe 1768 Gagmbkik.exe 560 Gibbgmfe.exe 560 Gibbgmfe.exe 660 Gkbnap32.exe 660 Gkbnap32.exe 1592 Gcmcebkc.exe 1592 Gcmcebkc.exe 860 Gcppkbia.exe 860 Gcppkbia.exe 1504 Hhmhcigh.exe 1504 Hhmhcigh.exe 1900 Hofqpc32.exe 1900 Hofqpc32.exe 2972 Hoimecmb.exe 2972 Hoimecmb.exe 1184 Hdhbci32.exe 1184 Hdhbci32.exe 1760 Hgfooe32.exe 1760 Hgfooe32.exe 340 Hdjoii32.exe 340 Hdjoii32.exe 2472 Igkhjdde.exe 2472 Igkhjdde.exe 1668 Ifpelq32.exe 1668 Ifpelq32.exe 2104 Imjmhkpj.exe 2104 Imjmhkpj.exe 2720 Iokfjf32.exe 2720 Iokfjf32.exe 1864 Ifengpdh.exe 1864 Ifengpdh.exe 1872 Ifgklp32.exe 1872 Ifgklp32.exe 2876 Iifghk32.exe 2876 Iifghk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gmkjgfmf.exe Gfabkl32.exe File opened for modification C:\Windows\SysWOW64\Hclhjpjc.exe Hnppaill.exe File created C:\Windows\SysWOW64\Hhjjcdeh.dll Iaaekl32.exe File created C:\Windows\SysWOW64\Ngbpehpj.exe Naegmabc.exe File opened for modification C:\Windows\SysWOW64\Bahelebm.exe Blkmdodf.exe File opened for modification C:\Windows\SysWOW64\Djmiejji.exe Dhklna32.exe File created C:\Windows\SysWOW64\Hnppaill.exe Hcjldp32.exe File created C:\Windows\SysWOW64\Fhmldfdm.exe Fodgkp32.exe File created C:\Windows\SysWOW64\Hgfooe32.exe Hdhbci32.exe File created C:\Windows\SysWOW64\Cinefnpo.dll Gdnibdmf.exe File created C:\Windows\SysWOW64\Amefhjna.dll Plpqim32.exe File opened for modification C:\Windows\SysWOW64\Bldpiifb.exe Admgglep.exe File opened for modification C:\Windows\SysWOW64\Aldfcpjn.exe Aejnfe32.exe File created C:\Windows\SysWOW64\Mpcgbhig.exe Mmdkfmjc.exe File opened for modification C:\Windows\SysWOW64\Mhflcm32.exe Mcidkf32.exe File opened for modification C:\Windows\SysWOW64\Pncjad32.exe Oekehomj.exe File created C:\Windows\SysWOW64\Goigjpaa.dll Pnnmeh32.exe File opened for modification C:\Windows\SysWOW64\Aegkfpah.exe Anmbje32.exe File created C:\Windows\SysWOW64\Fodgkp32.exe Figocipe.exe File created C:\Windows\SysWOW64\Lcpnpp32.dll Mlolnllf.exe File created C:\Windows\SysWOW64\Clilmbhd.exe Cglcek32.exe File created C:\Windows\SysWOW64\Epdcmhdd.dll Lcedne32.exe File created C:\Windows\SysWOW64\Clhecl32.exe Ccpqjfnh.exe File opened for modification C:\Windows\SysWOW64\Coindgbi.exe Cdcjgnbc.exe File opened for modification C:\Windows\SysWOW64\Figocipe.exe Fejfmk32.exe File created C:\Windows\SysWOW64\Gfdkng32.dll Ilifndlo.exe File created C:\Windows\SysWOW64\Kbmafngi.exe Kpoejbhe.exe File created C:\Windows\SysWOW64\Alofnj32.exe Afbnec32.exe File created C:\Windows\SysWOW64\Beadgdli.exe Bogljj32.exe File opened for modification C:\Windows\SysWOW64\Ilifndlo.exe Icabeo32.exe File created C:\Windows\SysWOW64\Mgkbjb32.exe Mdlfngcc.exe File created C:\Windows\SysWOW64\Abkkpd32.exe Alaccj32.exe File created C:\Windows\SysWOW64\Bdcnhk32.exe Baealp32.exe File created C:\Windows\SysWOW64\Blkmdodf.exe Beadgdli.exe File created C:\Windows\SysWOW64\Laidgi32.exe Ljplkonl.exe File opened for modification C:\Windows\SysWOW64\Mohhea32.exe Lhoohgdg.exe File created C:\Windows\SysWOW64\Pdnbmp32.dll Hipkfkgh.exe File opened for modification C:\Windows\SysWOW64\Emjhmipi.exe Ehmpeb32.exe File opened for modification C:\Windows\SysWOW64\Bbqkeioh.exe Bhkghqpb.exe File opened for modification C:\Windows\SysWOW64\Ghghnc32.exe Geilah32.exe File created C:\Windows\SysWOW64\Jijacjnc.exe Iifghk32.exe File created C:\Windows\SysWOW64\Lnfbic32.dll Qfikod32.exe File created C:\Windows\SysWOW64\Igkhjdde.exe Hdjoii32.exe File created C:\Windows\SysWOW64\Bhkghqpb.exe Abnopj32.exe File created C:\Windows\SysWOW64\Nphpng32.exe Ninhamne.exe File opened for modification C:\Windows\SysWOW64\Floeof32.exe Emjhmipi.exe File created C:\Windows\SysWOW64\Plpqim32.exe Pfchqf32.exe File opened for modification C:\Windows\SysWOW64\Jnbifl32.exe Jkcmjpma.exe File created C:\Windows\SysWOW64\Icaipj32.dll Bhkghqpb.exe File created C:\Windows\SysWOW64\Bopffl32.dll Bdfahaaa.exe File created C:\Windows\SysWOW64\Pfmpgd32.dll Nchipb32.exe File opened for modification C:\Windows\SysWOW64\Binikb32.exe Bfpmog32.exe File created C:\Windows\SysWOW64\Gafglb32.dll Fodgkp32.exe File created C:\Windows\SysWOW64\Mhnkcm32.dll Bikcbc32.exe File opened for modification C:\Windows\SysWOW64\Nikkkn32.exe Mgmoob32.exe File created C:\Windows\SysWOW64\Nhmbdl32.exe Npfjbn32.exe File created C:\Windows\SysWOW64\Lbogqphi.dll Jfojpn32.exe File opened for modification C:\Windows\SysWOW64\Mhalngad.exe Mohhea32.exe File created C:\Windows\SysWOW64\Kjknge32.dll Ojdjqp32.exe File created C:\Windows\SysWOW64\Nobndj32.exe Nhhehpbc.exe File opened for modification C:\Windows\SysWOW64\Dhklna32.exe Dqddmd32.exe File opened for modification C:\Windows\SysWOW64\Ojdjqp32.exe Obnbpb32.exe File created C:\Windows\SysWOW64\Nnodgbed.exe Nlohmonb.exe File created C:\Windows\SysWOW64\Fefcmehe.exe Fbhfajia.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqjqehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpddmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplcia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopknhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijiaabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlolnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfoeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghghnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdhepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmgfgham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoimecmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecjmodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehdhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahimb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgnoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfddkmch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opccallb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmkne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejioln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpfkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehicoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadfah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlacfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkalcdao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkefoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejfmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhiiloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifnhaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikcbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclcon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejmmqpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldfcpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilgjhena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpcgbhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpanne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhdnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkfghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iifghk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijacjnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naegmabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qncfphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfabkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qanolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjhmipi.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Figocipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnokee32.dll" Ppipdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhglop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll" Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphmpc32.dll" Lehdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjmmm32.dll" Lchqcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abkkpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmhbgpia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnbmp32.dll" Hipkfkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll" Clnehado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neibanod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiinlj.dll" Pfkkeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll" Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphjan32.dll" Lpdankjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknida32.dll" Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgckoofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmelpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmcpemo.dll" Npfjbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpddmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqeipj32.dll" Jinfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll" Ciepkajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfnod32.dll" Mobaef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hadfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifengpdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajamfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apnfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpoejbhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcidkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onldqejb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odljflhj.dll" Nnodgbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojdjqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coladm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljplkonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nndgeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkec32.dll" Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bldpiifb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gibbgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnigle.dll" Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmccgf32.dll" Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkbcl32.dll" Ipqicdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkopndcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkmefaan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocpfkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djafaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnphfdp.dll" Faijggao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apkicpej.dll" Liibgkoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjeji32.dll" Ogmkne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdcjgnbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maiqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll" Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oekehomj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 2784 2668 f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe 30 PID 2668 wrote to memory of 2784 2668 f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe 30 PID 2668 wrote to memory of 2784 2668 f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe 30 PID 2668 wrote to memory of 2784 2668 f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe 30 PID 2784 wrote to memory of 2816 2784 Elaeeb32.exe 31 PID 2784 wrote to memory of 2816 2784 Elaeeb32.exe 31 PID 2784 wrote to memory of 2816 2784 Elaeeb32.exe 31 PID 2784 wrote to memory of 2816 2784 Elaeeb32.exe 31 PID 2816 wrote to memory of 2740 2816 Eejjnhgc.exe 32 PID 2816 wrote to memory of 2740 2816 Eejjnhgc.exe 32 PID 2816 wrote to memory of 2740 2816 Eejjnhgc.exe 32 PID 2816 wrote to memory of 2740 2816 Eejjnhgc.exe 32 PID 2740 wrote to memory of 2572 2740 Ehhfjcff.exe 33 PID 2740 wrote to memory of 2572 2740 Ehhfjcff.exe 33 PID 2740 wrote to memory of 2572 2740 Ehhfjcff.exe 33 PID 2740 wrote to memory of 2572 2740 Ehhfjcff.exe 33 PID 2572 wrote to memory of 3032 2572 Ejioln32.exe 34 PID 2572 wrote to memory of 3032 2572 Ejioln32.exe 34 PID 2572 wrote to memory of 3032 2572 Ejioln32.exe 34 PID 2572 wrote to memory of 3032 2572 Ejioln32.exe 34 PID 3032 wrote to memory of 2216 3032 Ehmpeb32.exe 35 PID 3032 wrote to memory of 2216 3032 Ehmpeb32.exe 35 PID 3032 wrote to memory of 2216 3032 Ehmpeb32.exe 35 PID 3032 wrote to memory of 2216 3032 Ehmpeb32.exe 35 PID 2216 wrote to memory of 2500 2216 Emjhmipi.exe 36 PID 2216 wrote to memory of 2500 2216 Emjhmipi.exe 36 PID 2216 wrote to memory of 2500 2216 Emjhmipi.exe 36 PID 2216 wrote to memory of 2500 2216 Emjhmipi.exe 36 PID 2500 wrote to memory of 2008 2500 Floeof32.exe 37 PID 2500 wrote to memory of 2008 2500 Floeof32.exe 37 PID 2500 wrote to memory of 2008 2500 Floeof32.exe 37 PID 2500 wrote to memory of 2008 2500 Floeof32.exe 37 PID 2008 wrote to memory of 2860 2008 Flabdecn.exe 38 PID 2008 wrote to memory of 2860 2008 Flabdecn.exe 38 PID 2008 wrote to memory of 2860 2008 Flabdecn.exe 38 PID 2008 wrote to memory of 2860 2008 Flabdecn.exe 38 PID 2860 wrote to memory of 2884 2860 Fejfmk32.exe 39 PID 2860 wrote to memory of 2884 2860 Fejfmk32.exe 39 PID 2860 wrote to memory of 2884 2860 Fejfmk32.exe 39 PID 2860 wrote to memory of 2884 2860 Fejfmk32.exe 39 PID 2884 wrote to memory of 1896 2884 Figocipe.exe 40 PID 2884 wrote to memory of 1896 2884 Figocipe.exe 40 PID 2884 wrote to memory of 1896 2884 Figocipe.exe 40 PID 2884 wrote to memory of 1896 2884 Figocipe.exe 40 PID 1896 wrote to memory of 1548 1896 Fodgkp32.exe 41 PID 1896 wrote to memory of 1548 1896 Fodgkp32.exe 41 PID 1896 wrote to memory of 1548 1896 Fodgkp32.exe 41 PID 1896 wrote to memory of 1548 1896 Fodgkp32.exe 41 PID 1548 wrote to memory of 2400 1548 Fhmldfdm.exe 42 PID 1548 wrote to memory of 2400 1548 Fhmldfdm.exe 42 PID 1548 wrote to memory of 2400 1548 Fhmldfdm.exe 42 PID 1548 wrote to memory of 2400 1548 Fhmldfdm.exe 42 PID 2400 wrote to memory of 1768 2400 Gkmefaan.exe 43 PID 2400 wrote to memory of 1768 2400 Gkmefaan.exe 43 PID 2400 wrote to memory of 1768 2400 Gkmefaan.exe 43 PID 2400 wrote to memory of 1768 2400 Gkmefaan.exe 43 PID 1768 wrote to memory of 560 1768 Gagmbkik.exe 44 PID 1768 wrote to memory of 560 1768 Gagmbkik.exe 44 PID 1768 wrote to memory of 560 1768 Gagmbkik.exe 44 PID 1768 wrote to memory of 560 1768 Gagmbkik.exe 44 PID 560 wrote to memory of 660 560 Gibbgmfe.exe 45 PID 560 wrote to memory of 660 560 Gibbgmfe.exe 45 PID 560 wrote to memory of 660 560 Gibbgmfe.exe 45 PID 560 wrote to memory of 660 560 Gibbgmfe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe"C:\Users\Admin\AppData\Local\Temp\f29e9fd71c2402ca7bf0e68a9a72f9667a3c79a139290c938fe73499585a9d53N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:660 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Hdjoii32.exeC:\Windows\system32\Hdjoii32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Imjmhkpj.exeC:\Windows\system32\Imjmhkpj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Jijacjnc.exeC:\Windows\system32\Jijacjnc.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe34⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe35⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe36⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe37⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe38⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe39⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe40⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe41⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Kpfbegei.exeC:\Windows\system32\Kpfbegei.exe43⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe46⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe47⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe48⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe51⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe53⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe58⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Npfjbn32.exeC:\Windows\system32\Npfjbn32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe65⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Naegmabc.exeC:\Windows\system32\Naegmabc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe67⤵PID:2524
-
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe68⤵
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe69⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe70⤵PID:2248
-
C:\Windows\SysWOW64\Nhhehpbc.exeC:\Windows\system32\Nhhehpbc.exe71⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe72⤵PID:2888
-
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe74⤵PID:2952
-
C:\Windows\SysWOW64\Ocpfkh32.exeC:\Windows\system32\Ocpfkh32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe79⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe80⤵PID:2932
-
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe81⤵PID:2432
-
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe82⤵
- System Location Discovery: System Language Discovery
PID:1804 -
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe83⤵PID:1060
-
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe85⤵PID:2300
-
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe86⤵
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe87⤵PID:876
-
C:\Windows\SysWOW64\Pcbookpp.exeC:\Windows\system32\Pcbookpp.exe88⤵PID:2924
-
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe89⤵PID:2624
-
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe90⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Pfchqf32.exeC:\Windows\system32\Pfchqf32.exe91⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:672 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe93⤵
- Drops file in System32 directory
PID:480 -
C:\Windows\SysWOW64\Pidaba32.exeC:\Windows\system32\Pidaba32.exe94⤵PID:2348
-
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe95⤵PID:1948
-
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe97⤵PID:2304
-
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe98⤵
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe99⤵PID:1724
-
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe100⤵PID:1544
-
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560 -
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Aahimb32.exeC:\Windows\system32\Aahimb32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe107⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe108⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe109⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe110⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Bhkghqpb.exeC:\Windows\system32\Bhkghqpb.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Bbqkeioh.exeC:\Windows\system32\Bbqkeioh.exe112⤵PID:376
-
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Bogljj32.exeC:\Windows\system32\Bogljj32.exe114⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Beadgdli.exeC:\Windows\system32\Beadgdli.exe115⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Blkmdodf.exeC:\Windows\system32\Blkmdodf.exe116⤵
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe117⤵PID:1916
-
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe119⤵PID:1156
-
C:\Windows\SysWOW64\Bhdjno32.exeC:\Windows\system32\Bhdjno32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe121⤵PID:1980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-